Whenever our team works on a project for one of our clients, we are most likely performing a risk assessment for a single information system. The purpose of this is for the organisation’s leadership to understand if that system falls within their risk appetite and to approve that system’s use. It’s like a warrant of fitness for your car – where the risk assessment is the development of items that need to be checked, and then when we audit the system, we’re playing the role of the mechanic checking each one of the items on that list. Then the organisation can approve the system for use (like when you get your WoF sticker and drive your car legally).
This is not a new post, I originally wrote and published it nearly six years ago. However, based on a number of discussions I have been party to over the last few weeks, not much has changed since it was published so I thought I would repost it as a prologue for a new series of blog posts about risk, risk assessment and risk management.