IT Examiner School eBook May 2025
Risk Appetite: The level of risk an organization is willing to accept in pursuit of its objectives, balancing potential benefits with possible losses.
IT Risk Assessment Overview
Risk Assessment Lifecycle
Risk Identification: The process of finding, recognizing, and documenting risks that could impact the organization’s objectives or operations.
Risk Assessment: The evaluation of identified risks to understand their potential impact and likelihood, prioritizing them for action.
Risk Response: The development and implementation of strategies to address identified risks, including mitigation, transfer, acceptance, or avoidance.
Risk Monitoring: The ongoing process of tracking identified risks, assessing new risks, and evaluating the effectiveness of risk mitigation strategies.
Risk Terms Level Set
• Asset: Anything of value to the organization.
• Vulnerability: A weakness, or the absence of a safeguard (control).
• Threat: Something that could cause loss to all or part of an asset.
• Threat Agent: What carries out the attack.
• Exploit: An instance of compromise.
• Risk: The probability of a threat materializing.
• Controls: Physical, Administrative, and Technical protections.
• Safeguard: Deterrent or Preventive controls.
• Countermeasures: Detective or Corrective controls.
• Inherent Risk: The risk before any control is implemented.
• Residual Risk: The risk left over after applying a control.
• Secondary Risk: When one risk response triggers another risk event.