IT risk management

Figure: Risk management elements

IT risk management is the application of risk management methods to information technology in order to manage IT risk. Various methodologies exist to manage IT risks, each involving specific processes and steps. [1]

An IT risk management system (ITRMS) is a component of a broader enterprise risk management (ERM) system. [2] ITRMS are also integrated into broader information security management systems (ISMS). The continuous update and maintenance of an ISMS is in turn part of an organisation's systematic approach for identifying, assessing, and managing information security risks. [3]

Definitions

The Certified Information Systems Auditor Review Manual 2006 by ISACA provides this definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." [4]

According to NIST, "Risk management allows IT managers to balance the operational and economic costs of protective measures with mission goals by securing IT systems and data." [5]

Figure: Relationships between IT security entities (OSA metamodel)

The American National Information Assurance Training and Education Center defines risk management in the IT field as: [6]

  1. The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.
  2. An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:
    1. Risk assessment, as derived from an evaluation of threats and vulnerabilities.
    2. Management decision.
    3. Control implementation.
    4. Effectiveness review.
  3. The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.
  4. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

Methodology

While specific methods may vary, risk management processes generally include establishing context, conducting risk assessments, and managing risks. Risk management methodologies from standards such as ISO/IEC 27005, BS 7799, NIST SP 800-39, and Risk IT emphasize a structured approach to these processes. [1] The following table compares key processes across leading frameworks:

Figure: ENISA, the risk management process according to ISO standard 13335
Risk management constituent processes

| ISO/IEC 27005:2008 | BS 7799-3:2006 | NIST SP 800-39 | Risk IT |
| Context establishment | Organizational context | Frame | RG and RE domains, including IT risk tolerance and risk practices |
| Risk assessment | Risk assessment | Assess | Processes for risk analysis and evaluation |
| Risk treatment | Risk treatment | Respond | Selection of risk response options and treatment plans |
| Risk acceptance | Not specified | Not specified | RG3.4 Accept IT risk |
| Risk monitoring | Ongoing management activities | Monitor | Independent assurance of IT risk management |

Context establishment

The first step in the ISO/IEC 27005 framework is context establishment. This step involves gathering relevant information about the organization and defining the criteria, scope, and boundaries of the risk management activities. This includes complying with legal requirements, ensuring due diligence, and supporting the establishment of an information security management system (ISMS). The scope can encompass incident reporting plans, business continuity plans, or product certifications.

The key criteria include risk evaluation, risk acceptance, and impact assessment, influenced by: [7]

Establishing the organization’s mission, values, structure, strategy, locations, and cultural environment is crucial, along with documenting constraints such as budgetary, cultural, political, and technical factors that will guide the risk management process.

Risk assessment

Figure: ENISA, risk assessment inside risk management (OCTAVE-like)

Risk assessment, a critical component of IT risk management, is performed at specific points in time (e.g., annually or on-demand) and provides a snapshot of assessed risks. It forms the foundation for ongoing risk management, which includes analysis, planning, implementation, control, and monitoring of security measures.

Risk assessments may be iterative, beginning with high-level evaluations to identify major risks, followed by more detailed analysis in subsequent iterations. The following steps are typically involved: [6]

  1. Risk identification – Recognizing potential loss sources such as assets, threats, vulnerabilities, and business processes.
  2. Risk estimation – Evaluating the likelihood and impact of identified risks, often using either quantitative or qualitative methods.
  3. Risk evaluation – Comparing risk levels to predefined acceptance criteria and prioritizing risks for treatment.

The ISO 27005 framework divides the process into the following stages: [7]

Risk assessment constituent processes

| ISO 27005 | Risk IT |
| Risk analysis | RE2 Analyse risk, including risk scenario development and peer review |
| Risk identification | Included in RE2.2 Estimate IT risk |
| Risk estimation | RE2.2 Estimate IT risk |
| Risk evaluation | RE2.2 Estimate IT risk |

Risk identification

This process identifies the assets (both primary and supporting), threats, and vulnerabilities that may affect the organization. Additionally, it involves identifying business processes and existing or planned security measures. The result of this step is a list of risks, threats, and potential consequences related to the assets and business processes. [7]

Figure: OWASP, relationship between threat agent and business impact

Risk estimation

Risk estimation assesses the likelihood and consequences of the identified risks. Two common approaches are:

For both methods, risk values are calculated for each asset and the output is documented in a risk register.

Risk evaluation

In this step, the results from the risk analysis are compared against the organization's risk acceptance criteria. The risk list is prioritized, and recommendations are made for risk treatment. Risks that are too costly to mitigate may be accepted or transferred (e.g., through insurance).

Figure: Risk assessment according to NIST SP 800-30, Figure 3-1

Risk mitigation

Risk mitigation involves prioritizing and implementing risk-reducing measures recommended during risk assessment. Since eliminating all risk is impractical, organizations must apply the most cost-effective controls to reduce risk to an acceptable level while minimizing the impact on other operations.

The following strategies are typically considered: [5]

Residual risks, those remaining after treatment, are estimated to ensure adequate protection, and further measures may be taken if necessary.
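The following is an added example, not code from the article or from any of the standards it cites. It carries the risk estimation, risk evaluation and risk mitigation steps described above through a small constructed risk register: each entry is estimated both qualitatively (ordinal likelihood x impact) and quantitatively (annual loss expectancy), compared against an acceptance level, and either accepted, mitigated with the cheapest cost-effective control, or flagged for transfer when treatment costs more than the loss it avoids. The 1-5 scales, the acceptance level of 6 and all asset figures are assumptions.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales (an assumption; the article names no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """Candidate safeguard with the estimates that apply once it is in place."""
    name: str
    annual_cost: float
    likelihood_after: str
    impact_after: str
    annual_rate_after: float   # expected incidents per year with the control


@dataclass
class Risk:
    """One register entry: asset, threat, vulnerability and the two estimates."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    single_loss: float         # loss per incident (SLE), from asset valuation
    annual_rate: float         # expected incidents per year (ARO)
    controls: list = field(default_factory=list)

    def level(self) -> int:    # qualitative estimation: likelihood x impact
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def ale(self) -> float:    # quantitative estimation: ALE = SLE x ARO
        return self.single_loss * self.annual_rate


def treat(risk: Risk, acceptance_level: int) -> tuple:
    """Risk evaluation and treatment: returns (decision, control, residual level).
    At or below the acceptance level the risk is accepted as is. Otherwise the
    cheapest control that brings residual risk within the acceptance level and
    costs less per year than the loss it avoids is chosen; if none qualifies,
    the risk is flagged for transfer (e.g. insurance) or documented acceptance."""
    if risk.level() <= acceptance_level:
        return ("accept", None, risk.level())
    worthwhile = []
    for c in risk.controls:
        residual = LIKELIHOOD[c.likelihood_after] * IMPACT[c.impact_after]
        avoided_loss = risk.ale() - risk.single_loss * c.annual_rate_after
        if residual <= acceptance_level and c.annual_cost < avoided_loss:
            worthwhile.append((c.annual_cost, c.name, residual))
    if not worthwhile:
        return ("transfer_or_accept", None, risk.level())
    _, name, residual = min(worthwhile)
    return ("mitigate", name, residual)


def risk_register(risks: list, acceptance_level: int) -> list:
    """Prioritised register: highest inherent risk first, with its treatment."""
    rows = []
    for r in sorted(risks, key=lambda r: r.level(), reverse=True):
        decision, control, residual = treat(r, acceptance_level)
        rows.append({"asset": r.asset, "threat": r.threat, "level": r.level(),
                     "ale": r.ale(), "decision": decision, "control": control,
                     "residual_level": residual})
    return rows


# Constructed sample input (not from the article).
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection", "unvalidated input",
         "likely", "major", 500_000, 0.5, [
             Control("web application firewall", 20_000, "unlikely", "major", 0.05),
             Control("parameterised queries and code review", 40_000, "rare", "major", 0.02)]),
    Risk("office printer", "theft", "unlocked print room", "unlikely", "minor", 2_000, 0.1),
    Risk("legacy mainframe", "hardware failure", "no spare parts available",
         "possible", "severe", 2_000_000, 0.1,
         [Control("full hardware redundancy", 300_000, "rare", "severe", 0.01)]),
]
```

Calling `risk_register(SAMPLE_RISKS, 6)` mitigates the database risk with the cheapest control that reaches the acceptance level, accepts the printer risk as is, and flags the mainframe for transfer because full redundancy costs more per year than the loss it would avoid.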

Risk communication

Risk communication is a continuous, bidirectional process that ensures a common understanding of risk among all stakeholders. Effective communication influences decision-making and promotes a culture of risk awareness across the organization. One method to achieve this is the Risk Reduction Overview method, [9] which presents risks, measures, and residual risks in a comprehensible manner.

Risk monitoring and review

Risk management is an ongoing process that requires regular monitoring and review to ensure that implemented security measures remain effective as business conditions, threats, and vulnerabilities change. Regular security audits and reviews are essential to validate security controls and assess residual risks. [1]

New vulnerabilities, such as zero-day attacks, must be addressed through continuous monitoring, patch management, and updating of controls. Benchmarking against best practices and engaging in professional development activities are important for maintaining state-of-the-art risk management practices.

IT evaluation and assessment

To ensure the effectiveness of security measures, controls should be continuously tested and validated, including both technical systems and procedural controls. Penetration tests and vulnerability assessments are common methods for verifying the effectiveness of security controls. Regular reviews and reauthorization of systems are necessary when significant changes are made. [5]

Risk management should also be integrated into the Systems Development Life Cycle (SDLC) to ensure that risks are addressed throughout the life cycle of IT systems. Each phase of the SDLC benefits from specific risk management activities, from initial planning to system disposal. [10]

Integration into the system development life cycle

Effective risk management is fully integrated into the Systems Development Life Cycle (SDLC). The SDLC typically involves five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. Risk management activities remain consistent throughout these phases, ensuring that potential risks are identified, assessed, and mitigated during each stage. [11]

Integration of risk management into the SDLC

| SDLC phase | Phase characteristics | Risk management activities |
| Initiation | Defines the need for an IT system and its scope | Identified risks support the development of system requirements, including security needs and concept of operations. |
| Development or acquisition | System design, purchase, or construction | Risk assessments help guide security decisions during the system's development, influencing architecture and design trade-offs. |
| Implementation | System is configured, tested, and verified | Risk management ensures that security requirements are met and assessed before system operations begin. |
| Operation or maintenance | The system is operational and updated | Continuous risk assessments are performed whenever significant changes occur or at regular intervals for reauthorization. |
| Disposal | The system is decommissioned | Risks are managed to ensure secure disposal, including data sanitization and system migration where necessary. |

Security in the SDLC

Incorporating security into the SDLC is essential to prevent costly vulnerabilities from emerging later in the system’s life. Early integration of security measures during the initiation and development phases can significantly reduce the cost of mitigating security vulnerabilities. It also enables the reuse of established security strategies and tools, resulting in improved security and cost efficiency. [12]

The following security considerations are integrated into the SDLC:

By incorporating these practices, organizations can ensure that their IT systems are secure from the outset, reducing the likelihood of vulnerabilities and costly security incidents later in the system's life cycle.

Critique of risk management as a methodology

Risk management as a methodology has been criticized for its subjectivity, particularly in assessing the value of assets and the likelihood and impact of threats. The probabilistic models often used may oversimplify complex risks. Despite these criticisms, risk management remains an essential tool for managing IT risks. [1]

Risk management methods

Various methods support the IT risk management process. Some of the most widely used include: [1]

Standards

Various standards provide guidance for IT risk management, including ISO/IEC 27000-series and NIST SP 800-30.

References

  1. Katsicas, Sokratis K. (2009). "35". In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 605. ISBN 978-0-12-374354-1.
  2. "ISACA The Risk IT Framework (registration required)" (PDF). Archived from the original (PDF) on 2010-07-05. Retrieved 2010-12-14.
  3. ENISA. Risk management, Risk assessment inventory. p. 46.
  4. ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85. ISBN 978-1-933284-15-6.
  5. Feringa, Alexis; Goguen, Alice; Stoneburner, Gary (1 July 2002). "Risk Management Guide for Information Technology Systems". NIST SP 800-30. doi:10.6028/NIST.SP.800-30 via csrc.nist.gov.
  6. "Glossary of Terms". www.niatec.iri.isu.edu.
  7. ISO/IEC. "Information technology -- Security techniques -- Information security risk management". ISO/IEC FIDIS 27005:2008.
  8. Official (ISC)2 Guide to CISSP CBK. Risk Management. Auerbach Publications. 2007. p. 1065.
  9. "Risk Reduction Overview". rro.sourceforge.net.
  10. Gulick, Jessica; Fahlsing, Jim; Rossman, Hart; Scholl, Matthew; Stine, Kevin; Kissel, Richard (16 October 2008). "Security Considerations in the System Development Life Cycle". NIST SP 800-64 Rev. 2. doi:10.6028/NIST.SP.800-64r2 via csrc.nist.gov.
  11. Feringa, Alexis; Goguen, Alice; Stoneburner, Gary (1 July 2002). "Risk Management Guide for Information Technology Systems". NIST. doi:10.6028/NIST.SP.800-30 via csrc.nist.gov.
  12. Gulick, Jessica; Fahlsing, Jim; Rossman, Hart; Scholl, Matthew; Stine, Kevin; Kissel, Richard (16 October 2008). "Security Considerations in the System Development Life Cycle". NIST. doi:10.6028/NIST.SP.800-64r2 via csrc.nist.gov.