IT Examiner School - Oct 2025
Internal Use Only
Step 5 – Evaluate and Monitor Controls
Examples of Monitoring & Continuous Improvement
• Track vulnerability scan cadence & patch SLA compliance
• Monitor incident metrics (time to detect/respond)
• Use threat intelligence feeds for emerging risks
• Test controls via penetration testing and control reviews
• Update RA with new findings, incidents, or system changes
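Added example (not from the slide deck): one way an examiner or control owner could compute the first two monitoring metrics above from tracking data. The SLA thresholds, scan cadence limit, and all records are constructed assumptions; the slides name the metrics but give no values.

```python
from datetime import datetime, timedelta

# Assumed patch SLA per severity, in days (placeholder values; the slides
# name "patch SLA compliance" but do not state thresholds).
PATCH_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed vulnerability findings; remediated=None means still open.
FINDINGS = [
    {"id": "V-1", "severity": "critical", "detected": "2025-09-01", "remediated": "2025-09-10"},
    {"id": "V-2", "severity": "critical", "detected": "2025-09-01", "remediated": "2025-09-30"},
    {"id": "V-3", "severity": "high",     "detected": "2025-09-05", "remediated": None},
    {"id": "V-4", "severity": "medium",   "detected": "2025-08-01", "remediated": "2025-09-15"},
]

# Constructed incident records: when it occurred, was detected, was contained.
INCIDENTS = [
    {"id": "I-1", "occurred": "2025-09-03T08:00", "detected": "2025-09-03T10:00", "contained": "2025-09-03T16:00"},
    {"id": "I-2", "occurred": "2025-09-20T00:00", "detected": "2025-09-22T00:00", "contained": "2025-09-22T12:00"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def patch_sla_compliance(findings, as_of, sla=PATCH_SLA_DAYS):
    """Return (compliant, total, breached_ids). An open finding is counted as
    breached once its SLA window has elapsed as of the review date."""
    breached = []
    for f in findings:
        deadline = parse_ts(f["detected"]) + timedelta(days=sla[f["severity"]])
        closed = parse_ts(f["remediated"]) if f["remediated"] else as_of
        if closed > deadline:
            breached.append(f["id"])
    return len(findings) - len(breached), len(findings), breached

def incident_metrics(incidents):
    """Return mean time to detect and mean time to respond, in hours."""
    hours = lambda a, b: (parse_ts(b) - parse_ts(a)).total_seconds() / 3600
    ttd = [hours(i["occurred"], i["detected"]) for i in incidents]
    ttr = [hours(i["detected"], i["contained"]) for i in incidents]
    return sum(ttd) / len(ttd), sum(ttr) / len(ttr)

def scan_cadence_ok(last_scan, as_of, max_gap_days=30):
    """True if the most recent scan is within the assumed cadence window."""
    return (as_of - parse_ts(last_scan)).days <= max_gap_days
```

With the constructed data, two of four findings breach their SLA (one remediated late, one still open past its window), which is the kind of discrepancy that would justify expanding the depth of review.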
Examination Takeaways: Risk Assessment
How much time should I spend on the Risk Assessment?

Plan to expand the depth of review when:
• Not been reviewed at least annually.
• Changes in management and/or environment.
• Risk assessment completed with limited input from other stakeholders.
• Discrepancies in the identified process.
• Audit & Exam findings are evident.
• You are not confident in management's responses.

Plan to reduce the depth of review when:
• The risk assessment was recently reviewed by a qualified auditor and found to be adequate.
• There have been no changes in management or the environment since the last examination.
• The quality of the risk assessment process has been validated.