IT Examiner School - Oct 2025
Internal Use Only
Step 4 – Risk Response and Mitigation

Objective: Determine how the organization addresses identified risks: by accepting, transferring, reducing, or avoiding them.

• Examiner Validation:
  • Request risk response plans and incident response documentation.
  • Verify the implementation of controls (e.g., encryption, firewalls, MFA).
  • Confirm that risk acceptance decisions are documented and approved by management.
• Additional Checks:
  • Review the CISO's Annual Report to the Board for documented risk acceptance decisions and their justifications.
  • Ensure risk mitigation measures are reflected in policies and procedures, and that they align with the Risk Assessment (RA).

Risk response options:

Accept: Acknowledge the risk without further mitigation, typically when the cost to address it is greater than the potential impact.
• Example: A company stores low-sensitivity public information on a web server. Although there is a minor risk of exposure, the potential impact is minimal, so the organization chooses to accept the risk.

Transfer: Shift the financial impact of the risk to a third party, such as through insurance or contractual agreements. Only the financial impact moves; the organization remains responsible for the underlying risk and its control environment.
• Example: An organization purchases cyber insurance to cover potential financial losses from data breaches, effectively transferring the financial risk to the insurance provider.

Reduce: Implement security measures to minimize the impact or likelihood of a risk.
• Example: A company introduces Multi-Factor Authentication (MFA) and encryption for remote access to reduce the risk of unauthorized access to its systems.

Avoid: Eliminate the risk entirely by stopping the activity or changing business practices.
• Example: After identifying high risk in using outdated legacy software, the company decides to decommission the system and migrate to a cloud-based solution to avoid the vulnerabilities.
Step 5 – Evaluate and Monitor Controls
Objective: Continuously assess the effectiveness of controls and adjust to emerging risks.

• Examiner Validation:
  • Request audit reports and control assessments.
  • Verify that control evaluations are performed regularly and that findings are addressed.
  • Review evidence of continuous monitoring for evolving threats, such as metrics reporting that evidences conformance with policies and procedures.
• Additional Checks:
  • Inspect Board and Management Reporting.
  • Check Risk and Control Self-Assessments (RCSA).
  • Confirm the Risk Register is current and regularly updated to reflect changes in risk status or mitigation efforts.