Information risk assessment and risk management

Skill Definition

Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.

Awareness

Demonstrates knowledge of risk assessment and risk management theory and approaches

Understands how risk management supports business or organisational objectives

Understands and can follow routine organisational governance processes for security and risk management

Working

Supports security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios

Has an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making

Practitioner

Understands the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning

Delivers or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems

Inspects and reports on the security characteristics of systems with straightforward scope

Has a good understanding of how assessed risks are addressed as part of an approach to risk treatment

Expert

Enables the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk. Ensures that risk is embedded into corporate governance processes

Integrates risk management processes into appropriate business activities such as system development, security architecture or procurement

Develops approaches to effectively report risk (including through system life cycles) to management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction to others (such as developers or other security professionals)

Delivers comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understands in detail how the risk assessment output dovetails into the risk management process

Determines and understands the security characteristics of complicated or novel systems