CISM: Implementing Risk Management

From Glitchdata
Jump to navigation Jump to search

Risk management should be applied to all organisation activities. While not all activities pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment.


  • The business manager is best placed to decide which mitigating controls should be implemented. This would be in-line with the business strategy, and budget.
  • Cost-benefit helps determine which risk migrating activity should be implemented.
  • An effective risk management program reduces the risk to an acceptable level; this is achieved by reducing the probability of a loss event through preventive measures as well as reducing impact of a loss event through corrective measures.
  • The risk management process is about making specific, security-related decisions such as the selection of specific risk responses. This supports security policy decisions.