An IT risk is any IT-related event or action that could stop an organization from achieving its goals or business objectives. Risks can be managed using one or several of the following techniques:
- Avoidance
- Prevention
- Reduction
- Transfer
- Retention
Where the risk management decision is to apply controls, the controls should be selected and implemented to meet the requirements identified by the risk assessment. Controls should ensure that risks are reduced to an acceptable level, taking into account:
- requirements and constraints of national and international legislation and regulations
- organizational objectives
- operational requirements and constraints
- cost of implementation and operation in relation to the risks being reduced, while remaining proportional to the organization’s requirements and constraints
- the need to balance the investment in implementing and operating controls against the harm likely to result from security failures
Risk Management Resources
- Software Risk Management
- Managing Information Security Risk
- Risk Management Guide for IT Systems
- Guide for Conducting Risk Assessments
- ISO 31000:2009: Risk Management Principles and guidelines