2019 SME Review: Risk-IT Framework and Practitioner Guide

Signup Deadline: 16 Apr, 2019
Starts: 01 May, 2019
Ends: 30 Aug, 2019
Location: Online Opportunity

Description:

ISACA is embarking upon a project to update its Risk IT Framework and the Risk IT Practitioner Guide.

The RISK-IT Framework and Practitioner Guide are considered to be an authoritative source for assisting enterprises in managing IT-related risk. The RISK-IT framework is about IT risk, which is defined as the business risk related to the use of information technology (IT). The original development approach was to use the subject matter expertise of a group of risk professionals to codify a framework for the identification and management of IT risk.

RISK-IT defines, and is founded on, a number of guiding principles for effective management of IT-related business risk. RISK-IT also uses the international authoritative sources for risk management vocabulary, ISO 73, and risk management process, ISO 31000. The principles developed for RISK-IT are based on commonly accepted Enterprise Risk Management (ERM) principles, which have been applied to the domain of IT.

The RISK-IT framework principles are:

  • Always connect to business objectives
  • Align management of IT-related business risk with overall ERM
  • Balance the costs and benefits of managing IT risk
  • Promote fair and open communication of IT risk
  • Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
  • Are a continuous process and part of daily activities

The approach for the project is to update the RISK-IT publications and modify as necessary to “modernize” the text while respecting the overarching principles and authoritative source ISO references.

This will be done in a phased approach and will include recommendations on current themes, processes, or concepts that may be better suited as stand-alone (future) products that would be used as job aids to support the principles and practices in the RISK-IT publications. Modernizing RISK-IT will include extending IT risks to include cyber security examples and current thinking on qualitative and quantitative risk analysis techniques.

There are 12 chapters and 3 appendices in the current Risk IT Framework and 8 chapters and 6 appendices in the current Practitioner Guide. Some of the chapters include references to COBIT and VAL-IT. The intention for this modernization project is to ensure RISK-IT products are standalone and reference the other ISACA publications but are not dependent on those products.

The Subject Matter Experts (SMEs) Review Team will be asked to review the updated content and provide feedback to ensure its accuracy. The goal is to publish the updated content by the end of August 2019.

Interests:

Risk

Volunteers Needed:

6 (0 open slots)

Experience Required:

7 - 10 Years Industry Experience

Engagement Points:

80

CPE Credits:

20

Staff Facilitator:

Paul Phillips

ISACA's Philosophy on Volunteer Engagement

ISACA encourages the active participation of our dedicated professional community in relevant, compelling and innovative activities at both the regional and international levels. With appreciation for the talent, expertise and experience each person contributes, volunteers and staff work collaboratively to fulfill ISACA's purpose and promise, while benefiting from incredible experiences and accomplishments that instill confidence in our professional and personal growth.