Information risk assessment and risk management

Skill definition

Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.

Awareness

  • Demonstrates knowledge of risk assessment and risk management theory and approaches
  • Understands how risk management supports business or organisational objectives
  • Understands and can follow routine organisational governance processes for security and risk management

Working

  • Supports security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
  • Has an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making

Practitioner

  • Understands the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
  • Delivers or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
  • Inspects and reports on the security characteristics of systems with straightforward scope
  • Has a good understanding of how assessed risks are addressed as part of an approach to risk treatment

Expert

  • Enables the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk. Ensures that risk is embedded into corporate governance processes
  • Integrates risk management processes into appropriate business activities such as system development, security architecture or procurement
  • Develops approaches to effectively report risk (including through system life cycles) to management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction to others (such as developers or other security professionals)
  • Delivers comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understands in detail how the risk assessment output dovetails into the risk management process
  • Determines and understands the security characteristics of complicated or novel systems