IT Examiner School eBook May 2025

1. Identify and Value Information Assets Catalog all critical information assets, including data, applications, and systems, and assess their importance to business operations and regulatory compliance. 2. Identify Threats and Vulnerabilities Recognize internal and external threats that could exploit weaknesses in information assets, including cyber-attacks, system failures, and human errors. 3. Analyze Risk, Likelihood and Impact Evaluate the probability of identified threats exploiting vulnerabilities and determine the potential impact on business Decide how to address each risk—whether to accept, reduce, transfer, or avoid—and implement appropriate security measures to minimize impact. 5. Evaluate and Monitor Controls Continuously assess the effectiveness of security controls, monitor for emerging risks, and adjust measures as needed to maintain protection. operations and data integrity. 4. Risk Response and Mitigation

Risk Assessment Process & Walkthrough

Step 1 – Identify and Value Assets Objective: Ensure the organization has a clear understanding of its critical information assets, their value, and where they are located. • Examiner Validation: • Request asset inventory lists and data classification documentation. • Confirm regular updates to the inventory and alignment with business criticality. • Verify that high-value assets are prioritized for security controls. • Additional Checks: • Review network diagrams to verify asset mapping and segmentation. • Request fixed asset lists from Accounting to cross check physical devices and systems.

Network Diagram