ISRM – Information Security Risk Management

Information security risk management is an ongoing process of identifying, assessing, and responding to security risks to the confidentiality, integrity and availability of information assets. The real objectives in managing risk effectively should not be completely eliminating all risk, but rather, mapping out, classifying and achieving a suitable risk level in the organization.


Risk Identification

  • Identification of core information assets and systems in the organization.

  • Identification of vulnerabilities in infrastructure, systems, software and processes that put the organization at risk.

  • Identification of potential threats that may damage the information assets.

  • Securing information assets and systems by mapping the current situation.

Risk Assessment

The assessment stage is the process of integrating the information collected during the identification of assets, threats, and controls in order to identify and define the risks to which the organization is exposed.

Risk Treatment

  • Risk Remediation: Integration of control processes that fully resolve or block the risk.

  • Mitigation: control processes that reduce the effect of the risk, but do not resolve it.

  • Transfer of risks to another entity in order to recover from incurred costs of the risk being realized.

  • Risk acceptance: When analyzing and assessing the risk shows that the benefit-cost ratio is low.

  • Risk avoidance: Removal of the overall exposure to identified risks.


The risk management process must be carried out in full transparency with the organization in order to understand the risks and make decisions that will depend on a full understanding of risk treatment in comparison to the costs of potential damage.

Rinse and Repeat

The risk management process is a long process that requires commitment and perseverance. An effective work plan should be created to deal with the risks and apply the controls effectively, which will drive continuous improvement over time