IT Risk Fundamentals
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in
technology. ISACA equips individuals with knowledge, credentials, education and community to progress their
careers and transform their organizations, and enables enterprises to train and build quality teams. Among those
credentials, ISACA advances and validates business-critical skills and knowledge through the globally respected
Certified Information Systems Auditor® (CISA®), Certified in Risk and Information Systems Control™ (CRISC™),
Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®)
credentials. ISACA is a global professional association and learning organization that leverages the expertise of its
145,000 members who work in information security, governance, assurance, risk and privacy to drive innovation
through technology. It has a presence in 188 countries, including more than 220 chapters worldwide.
Disclaimer
ISACA has designed and created IT Risk Fundamentals Study Guide (the “Work”) primarily as an educational
resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome.
The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, professionals should apply their own professional
judgment to the specific circumstances presented by the particular systems or information technology environment.
Reservation of Rights
© 2020 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA.
ISACA
1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Contact us: https://support.isaca.org
Website: www.isaca.org
Twitter: http://twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/
ISBN 978-1-60420-727-9
IT Risk Fundamentals Study Guide
Printed in the United States of America
Acknowledgments
ISACA would like to recognize:
Expert Reviewers
Urs Fischer, CISA, CRISC, CPA (Swiss), UBS Business Solutions AG, Switzerland
Jack Freund, Ph.D., CISA, CRISC, CISM, CGEIT, CDPSE, Moody’s/Team8 Cyber Risk Assessment Venture, USA
Mike Hughes, CISA, CRISC, CGEIT, MIoD, Prism RA, United Kingdom
Jack Jones, Chief Risk Scientist, RiskLens, USA
Linda Kostic, CISA, CISSP, Doctor of IT-Cybersecurity & Information Assurance, PRMIA Complete Course in Risk Management, George Washington University, Citi, USA
Katsumi Sakagawa, CISA, CRISC, Japan
James C. Samans, CISA, CRISC, CISM, CBCP, CISSP-ISSEP, CPP, PMP, American Institutes for Research, USA
Peter C. Tessin, CISA, CRISC, CISM, CGEIT, Discover Financial Services, USA
Alok Tuteja, Ph.D., CRISC, CGEIT, CIA, CISSP, BRS Ventures, India
Evan Wheeler, CRISC, IASO, Edelman Financial Engines, USA
Prometheus Yang, CISA, CRISC, CISM, CFE, Standard Chartered Bank, Hong Kong
Lisa Young, CISA, CISM, CISSP, Axio, USA
Board of Directors
Tracey Dedrick, Chair, Former Chief Risk Officer, Hudson City Bancorp, USA
Rolf von Roessing, Vice-Chair, CISA, CISM, CGEIT, CDPSE, CISSP, FBCI, Partner, FORFA Consulting AG, Switzerland
Gabriela Hernandez-Cardoso, Independent Board Member, Mexico
Pam Nigro, CISA, CRISC, CGEIT, CRMA, Vice President–Information Technology, Security Officer, Home Access Health, USA
Maureen O’Connell, Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA
David Samuelson, Chief Executive Officer, ISACA, USA
Gerrard Schmid, President and Chief Executive Officer, Diebold Nixdorf, USA
Gregory Touhill, CISM, CISSP, President, AppGate Federal Group, USA
Asaf Weisberg, CISA, CRISC, CISM, CGEIT, Chief Executive Officer, introSight Ltd., Israel
Anna Yip, Chief Executive Officer, SmarTone Telecommunications Limited, Hong Kong
Brennan P. Baybeck, CISA, CRISC, CISM, CISSP, ISACA Board Chair, 2019-2020, Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA
Rob Clyde, CISM, ISACA Board Chair, 2018-2019, Independent Director, Titus, and Executive Chair, White Cloud Security, USA
Chris K. Dimitriadis, Ph.D., CISA, CRISC, CISM, ISACA Board Chair, 2015-2017, Group Chief Executive Officer, INTRALOT, Greece
TABLE OF CONTENTS
List of Figures ..............................................................................................................................................................................11
About this Study Guide ....................................................................................................................................................15
Intended Audience ................................................................................................................................................................16
Study Guide Scope and Organization ............................................................................................................17
Chapter 1:
Risk Introduction and Overview ............................................................................................................................19
Learning Objectives .................................................................................................................................................................20
Risk Introduction and Overview ........................................................................................................................................21
1.1 Risk Terminology ...............................................................................................................................................................21
1.1.1 Common Risk Terms ...............................................................................................................................................21
1.2 Business Risk ......................................................................................................................................................................22
1.2.1 Types of Business Risk ............................................................................................................................................22
Strategic Risk ..............................................................................................................................................................23
Environmental Risk .....................................................................................................................................................23
Market Risk .................................................................................................................................................................23
Credit Risk...................................................................................................................................................................24
Operational Risk ..........................................................................................................................................................24
Compliance Risk .........................................................................................................................................................24
Project Risk .................................................................................................................................................................25
1.2.2 Levels of Risk ..........................................................................................................................................................25
Strategic Level .............................................................................................................................................................25
Program and Project Level ..........................................................................................................................................25
Operational Level ........................................................................................................................................................26
1.3 I&T-related Risk ................................................................................................................................................................26
1.3.1 I&T Risk Types .......................................................................................................................................................26
I&T Benefit/Value Enablement Risk ...........................................................................................................................27
I&T Program and Project Delivery Risk......................................................................................................................27
Project Risk .................................................................................................................................................................28
I&T Operations and Service Delivery Risk .................................................................................................................28
Change Risk ................................................................................................................................................................28
Cyber and Information Security Risk ..........................................................................................................................28
1.3.2 Risk Standards and Guidance ..................................................................................................................................28
1.3.3 Risk IT Framework ..................................................................................................................................................29
1.3.4 Risk-Related Business Functions.............................................................................................................................29
Risk and Business Continuity ......................................................................................................................................30
Risk and Audit .............................................................................................................................................................30
Risk and Information Security .....................................................................................................................................30
1.3.5 Three Lines of Defense ............................................................................................................................................30
1.4 Controls ..............................................................................................................................................................................31
1.4.1 Policies, Standards and Procedures .........................................................................................................................31
1.4.2 Risk Relationship to Control ...................................................................................................................................32
Control Risk ................................................................................................................................................................33
1.4.3 General Controls ......................................................................................................................................................33
1.4.4 I&T Controls ..........................................................................................................................................................34
Input Controls ..............................................................................................................................................................34
Processing Controls .....................................................................................................................................................35
Application Controls ....................................................................................................................................................35
1.5 Summary of Terminology ..................................................................................................................................................35
Chapter 2:
Risk Governance and Management .................................................................................................................39
Learning Objectives .................................................................................................................................................................40
Risk Governance and Management..................................................................................................................................41
2.1 Risk Governance ................................................................................................................................................................41
2.1.1 Governance Objectives ............................................................................................................................................41
Benefits Realization ....................................................................................................................................................41
Risk Optimization........................................................................................................................................................41
Resource Optimization ................................................................................................................................................41
2.1.2 Risk Governance Objectives....................................................................................................................................42
2.2 Risk Management ..............................................................................................................................................................43
2.2.1 Risk Management Overview ...................................................................................................................................44
2.2.2 I&T Risk Governance and Management .................................................................................................................44
Connect to Enterprise Business or Mission .................................................................................................................46
Align with Enterprise Risk Management .....................................................................................................................46
Balance Costs and Benefits..........................................................................................................................................46
Promote Ethical and Open Communication.................................................................................................................46
Establish Tone at the Top and Accountability ..............................................................................................................47
Consistent Approach Aligned to Strategy ....................................................................................................................47
2.2.3 Risk Universe ..........................................................................................................................................................47
2.3 Positioning Risk .................................................................................................................................................................49
2.3.1 Risk Appetite, Risk Tolerance and Risk Capacity....................................................................................................50
Risk Appetite ...............................................................................................................................................................50
Risk Tolerance .............................................................................................................................................................51
Risk Capacity ..............................................................................................................................................................52
2.4 Risk Stakeholders, Roles and Culture ..............................................................................................................................52
2.4.1 I&T Risk Management Stakeholders .......................................................................................................................52
2.4.2 Risk Roles ...............................................................................................................................................................55
2.4.3 Risk Culture .............................................................................................................................................................56
2.5 Risk Communication, Policy, Scope and Workflow ........................................................................................................59
2.5.1 Risk Communication ...............................................................................................................................................59
2.5.2 Risk Policy ..............................................................................................................................................................61
2.5.3 Risk Scope ...............................................................................................................................................................63
2.5.4 Risk Management Workflow ...................................................................................................................................64
2.6 Summary of Terminology ..................................................................................................................................................65
Chapter 3:
Risk Identification .................................................................................................................................................................69
Learning Objectives .................................................................................................................................................................70
Risk Identification .....................................................................................................................................................................71
3.1 Asset Types .........................................................................................................................................................................71
3.1.1 People ......................................................................................................................................................................71
3.1.2 Information ..............................................................................................................................................................71
3.1.3 Business Processes ..................................................................................................................................................71
3.1.4 Infrastructure ...........................................................................................................................................................72
3.1.5 Finances ...................................................................................................................................................................72
3.1.6 Reputation ...............................................................................................................................................................72
3.2 Asset Classification (Criticality and Sensitivity)..............................................................................................................72
3.3 Asset Valuation ...................................................................................................................................................................74
3.4 Information Asset Valuation .............................................................................................................................................75
Chapter 4:
Risk Assessment and Analysis ............................................................................................................................107
Learning Objectives ...............................................................................................................................................................108
Risk Assessment and Analysis ...........................................................................................................................................109
4.1 Risk Assessment Processes ..............................................................................................................................................109
4.1.1 Risk Assessment ....................................................................................................................................................109
4.1.2 Risk Analysis .........................................................................................................................................................109
4.1.3 Risk Evaluation......................................................................................................................................................110
Chapter 5:
Risk Response .........................................................................................................................................................................139
Learning Objectives ...............................................................................................................................................................140
Risk Response ............................................................................................................................................................................141
5.1 Risk Response and Strategies .........................................................................................................................................141
5.1.1 Purpose and Business Objective Alignment ..........................................................................................................141
5.1.2 Risk Response Strategies .......................................................................................................................................142
Risk Acceptance ........................................................................................................................................................142
Risk Acceptance Framework .....................................................................................................................................143
Risk Mitigation ..........................................................................................................................................................144
Awareness Education and Training ............................................................................................................................145
Risk Transfer (Sharing) .............................................................................................................................................145
Risk Avoidance ..........................................................................................................................................................146
5.2 Control Design and Implementation ..............................................................................................................................146
5.2.1 Control Design ......................................................................................................................................................146
5.2.2 Control Matrix .......................................................................................................................................................147
5.2.3 Control Management .............................................................................................................................................147
5.3 Incident Management, Business Continuity and Disaster Recovery ...........................................................................148
5.3.1 Incident Management ............................................................................................................................................148
5.3.2 Business Continuity Planning ................................................................................................................................149
5.3.3 Disaster Recovery ..................................................................................................................................................150
Chapter 6:
Risk Monitoring, Reporting and Communication ..........................................................................165
Learning Objectives ...............................................................................................................................................................166
Risk Monitoring, Reporting and Communication ..................................................................................................167
6.1 Risk Monitoring Process .................................................................................................................................................167
6.1.1 Risk Monitoring Stakeholders ...............................................................................................................................168
6.1.2 Risk Monitoring Status ..........................................................................................................................................168
6.2 Key Risk Indicators .........................................................................................................................................................168
6.2.1 Types of Key Risk Indicators.................................................................................................................................169
Lag Risk Indicator .....................................................................................................................................................169
Lead Risk Indicator ...................................................................................................................................................169
6.2.2 Developing Risk Indicators ...................................................................................................................................169
Root Cause Analysis ..................................................................................................................................................169
6.2.3 KRI Selection ........................................................................................................................................................170
KRI Attributes ...........................................................................................................................................................171
KRI Selection Benefits ..............................................................................................................................................171
KRI Selection Challenges ..........................................................................................................................................171
6.2.4 Examples of Key Risk Indicators ..........................................................................................................................172
6.2.5 Using KRIs for Gap Analysis ................................................................................................................................174
6.2.6 KRI Optimization, Communication and Maintenance ...........................................................................................174
6.3 Key Performance Indicators .............................................................................................................................175
6.3.1 Using KPIs with KRIs ...........................................................................................................................................175
KPI and KRI Example ...............................................................................................................................................176
6.4 Risk and Control Monitoring and Testing .....................................................................................................................176
6.4.1 Continuous Monitoring..........................................................................................................................................176
6.4.2 Control Monitoring ................................................................................................................................................177
6.4.3 Control Assessment and Testing ............................................................................................................................177
Control Self-Assessment ...........................................................................................................................................178
Internal Audit Control Review...................................................................................................................................178
Vulnerability Assessment...........................................................................................................................................178
Vulnerability Scan .....................................................................................................................................................178
Penetration Test .........................................................................................................................................................178
Third-party Assurance ...............................................................................................................................................179
6.4.4 Risk and Control Monitoring Effectiveness ...........................................................................................................179
6.4.5 Monitoring Control Exceptions .............................................................................................................................180
6.5 Risk Reporting and Communication ..............................................................................................................................181
6.5.1 Reporting Principles ..............................................................................................................................................181
6.5.2 Risk Report/Communication Types .......................................................................................................................182
6.5.3 Risk Reporting Channels .......................................................................................................................................185
6.6 Summary of Terminology ................................................................................................................................................187
LIST OF FIGURES
Chapter 1. Risk Introduction and Overview
Figure 1.1—Simple View of Threats, Vulnerabilities and Risk ...........................................................................22
Figure 1.2—Business/Enterprise Risk Types ...............................................................................................................23
Figure 1.3—Levels of Risk ....................................................................................................................................................25
Figure 1.4—I&T-related Risk Relative to Business/Enterprise Risk ...............................................................27
Figure 1.5—Three Lines of Defense .................................................................................................................................31
Figure 1.6—Risk in Relation to Control .........................................................................................................................32
Figure 1.7—Control Types ....................................................................................................................................................33
Figure 1.8—Chapter 1 Terminology ...............................................................................................................................35