We've received the following questions:
1. I would like to know the difference between Risk Assessment and Incident Management.
2. During risk assessment, we consider disaster as a risk; how can it become an incident later, even if it was identified earlier?
1) Risk assessment is a process where you try to identify all the potential security breaches that might happen in the future. Incidents are the risks that have materialized, i.e. the real breaches that have happened; incident management is a process for managing incidents.
2) A disaster itself is not a risk, it is a threat; it can become an incident if you haven't implemented all the security controls needed to prevent such an incident.