IT Examiner School eBook May 2025
Step 2 – Identify Threats and Vulnerabilities
Objective: Recognize internal and external threats that could exploit weaknesses in information assets.
• Examiner Validation:
  • Request evidence of vulnerability scanning and threat modeling (e.g., Nessus or Qualys scan reports, threat model documentation).
  • Review incident logs for past vulnerabilities and how they were managed.
  • Verify that identified threats are actively tracked and remediated.
• Additional Checks:
  • Review organizational policies that outline how threats are identified and managed.
  • Cross-check outstanding audit and examination findings to identify any known vulnerabilities.
Step 3 – Analyze Risk, Likelihood, and Impact
Objective: Evaluate the probability and potential impact of threats exploiting vulnerabilities.
• Examiner Validation:
  • Request risk assessment reports that outline impact and likelihood ratings.
  • Review Business Impact Analysis (BIA) documentation.
  • Verify the use of risk matrices for prioritization and severity mapping.
• Additional Checks:
  • Review policies and guidelines on risk management and assessment.
  • Evaluate other risk assessments, such as Third-Party Risk Assessments and Audit Risk Assessments, to ensure they align with the organization's overall risk analysis.
  • Verify that severity levels (e.g., High, Medium, Low) are clearly defined so that ratings are applied consistently across assessments.