Risk understanding and mitigation

Skill definition

Risk understanding and mitigation identifies and evaluates security risks to information, systems and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels. Principles of the skill include developing cyber and information security risk management strategies and controls, taking into account business needs and risk assessments, and balancing technical, physical, procedural and personnel controls.

Awareness

Describes the basic principles of risk understanding and mitigation
Supports security professionals in carrying out risk assessments and developing mitigation strategies
Follows documented principles and guidelines for risk understanding and mitigation

Working

Develops basic cost-effective risk management plans
Supports risk assessment and mitigation plan development
Follows documented principles and guidelines for risk understanding and mitigation
Relates risk to corporate governance, organisational strategic direction and planning

Practitioner

Develops complex and innovative risk management plans, enabling the organisation to deliver balanced and cost–effective risk management decisions based on advanced threat principles and concepts
Leads risk assessment and mitigation plan development
Ensures that risk is embedded into corporate governance processes and integrates risk management processes into appropriate business activities

Expert

Leads risk management within an organisation, enabling senior leadership to make effective risk-based business decisions
Leads on the provision of top-end risk understanding and mitigation advice
Integrates risk understanding and mitigation processes into appropriate business activities
Develops approaches to effectively report risks and delivers comprehensive risk assessments