How a Better IT Risk Assessment May Change Your Thoughts on the Traditional Gap Analysis

Does your company perform a risk assessment? If you said yes, what did you mean by “risk assessment”? I ask because often when people say “risk assessment” they are actually thinking of a “gap analysis”. As IT auditors, our instinct is sometimes to select our favorite security framework (probably ISO 27001 or NIST 800-53) and begin identifying gaps in the control[…]

IT Risk Assessment: Effective Identification and Selection of IT Audit Projects (Whitepaper)

Over the past few months I’ve had several leaders of Internal Audit departments ask: “How can we build cyber-security into our annual audit plan?” After a few conversations I decided to put together a whitepaper to help the less-than-technical Chief Audit Executive (CAE) put together a well-thought-out IT Risk Assessment that helps[…]

How to Improve the Broken Risk Assessment Process

I recently participated in a CIO round-table to discuss the mechanisms by which management teams assess information technology risks. Almost all of the CIOs said they were performing regular risk assessments, but they also expressed a lot of concern about whether the assessments were performed consistently or with high quality. The major concern among the CIOs was that[…]