By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
The process of IT risk management is most reliably effective when it follows a structured methodology based on good practices and a commitment to continuous improvement. The risk practitioner should begin a new risk management effort by reviewing the organization's current practices for the identification, assessment, response, monitoring and reporting of risk. This initial evaluation gives the risk practitioner valuable insight into how the organization views risk management and identifies where the current program follows, or deviates from, recognized good practices, which in turn supports the development of a consistent program.
Where good practices are not already in place, the risk practitioner may find it beneficial to either formally adopt or informally draw upon one or more well-established standards or frameworks, which can help to ensure that the risk management program is complete and authoritative.
Examples of standards and frameworks that may be useful sources of good practices include:
- COBIT® 5 for Risk
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
- International Organization for Standardization (ISO)
  - ISO/IEC 27005:2011 – Information technology – Security techniques – Information security risk management
  - ISO 31000:2009 – Risk Management Principles and Guidelines
- US National Institute of Standards and Technology Special Publications (NIST SPs)
  - SP 800-30 Revision 1: Guide for Conducting Risk Assessments
  - SP 800-39: Managing Information Security Risk
The section "Risk Identification and Classification Standards and Frameworks" provides further information on each of these standards and frameworks.
The IT risk management program should be:

- Comprehensive (thorough, detailed)
- Complete (carried through to the end)
- Auditable (reviewable by an independent third party)
- Justifiable (based on sound reasoning)
- Compliant (with policy, laws and/or regulations)
- Monitored (subject to review and accountability)
- Enforced (consistent, mandated and required)
- Up to date (current with changing business processes, technologies and laws)
- Managed (adequately resourced, with oversight and support)