Expert Advice Community


Inquiry on IT Risk Assessment and IS Risk Assessment

Guest user. Created: Aug 06, 2022. Last commented: Aug 06, 2022


I was assigned to do a review of a company's (a financial institution's) IT and IS Risk Assessment. However, I am confused about the difference between the two assessments. How will I start? And are the IT Risk Policy Manual and the IT Risk Management Framework the same? How are they related to both ISRA and ITRA?


Expert: Rhand Leal, Aug 06, 2022

1 - I was assigned to do a review of a company's (a financial institution's) IT and IS Risk Assessment. However, I am confused about the difference between the two assessments.

I'm assuming that by ISRA you mean "Information security risk assessment", and that by ITRA you mean "Information Technology risk assessment".

Considering that, although they overlap, IT risk assessment and IS risk assessment focus on different things. IS risk assessment focuses on impacts related to the loss of confidentiality, integrity, and/or availability of information, while IT risk assessment focuses on impacts that affect information technology assets and/or the information technology services provided.

The overlap is that part of the IS risk assessment covers information and communication technologies, and part of the IT risk assessment covers information related to the information technology services provided.

2 - How will I start?

Although these are independent assessments, since information in many situations relies on information technology assets, starting with the IS risk assessment review may give you a better understanding when performing the IT risk assessment review, because as part of the IS risk assessment you need to list all information-related assets, and for the IT assets among them you will perform the IT risk assessment.

3 - And are the IT Risk Policy Manual and the IT Risk Management Framework the same? How are they related to both ISRA and ITRA?

The IT Risk Policy Manual and the IT Risk Management Framework are not the same.

An IT Risk Management Framework provides the general elements of a risk management process (e.g., risk assessment, risk treatment, etc.), while an IT Risk Policy Manual defines the specific rules set by the organization to be applied to that risk management process.

The risk management framework and risk policy should be developed for information security, and may potentially include a further explanation for IT.

This article will provide you with a further explanation of ISO 27001 information risk assessment:
