
Information risk management and information assurance

Information risk management and information assurance are often implemented using a standard.
© Coventry University. CC BY-NC 4.0
As mentioned previously, information risk management and information assurance are often implemented using a standard, with the most common of these being the ISO 27005 standard, which has the following key processes.
[Figure: an illustration of the information risk management and information assurance processes described below]
The first process is to establish the context for any risk management processes. In establishing the context we are determining such things as who is responsible for the process, what is the aim of the process, what levels of risk we are willing to accept and other similar things.
The risk assessment process has three sub-processes: risk identification, where we identify the likely security risks; risk analysis, where we consider the impacts of each risk; and risk evaluation, where we assess those impacts against the levels of acceptable risk determined in the context.
After we have evaluated the risk we have to undertake some form of risk treatment. This can take the form of:
  • Risk modification: We introduce, remove or modify risk controls* to bring the risk down to acceptable levels
    * A control is something that we can do to affect the security properties of a particular object. For instance, we could add a rule into the firewall or introduce stronger password requirements
  • Risk retention: If the risk is already below acceptable levels, there is no need to do anything else
  • Risk avoidance: Don’t do the thing that causes the risk
  • Risk sharing: Employ a third party to help deal with the risk, for example employ another organisation to filter email
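To make the flow concrete, here is a toy risk register that follows the steps above (context, analysis, evaluation, treatment). It is an added example, not part of the course material or of ISO 27005 itself; the 1 to 5 likelihood and impact scales, the acceptable-risk threshold and the register entries are all constructed assumptions.

```python
"""Toy risk register following the ISO 27005 flow described above.
Constructed example: scales, thresholds and entries are assumptions."""
from dataclasses import dataclass, field

# Context: who owns the process and how much risk we are willing to accept.
# Assumption: risk is scored as likelihood x impact on 1-5 scales (max 25).
CONTEXT = {"owner": "CISO", "acceptable_risk": 8}


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    # Controls applied to this risk: (name, likelihood_reduction, impact_reduction)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Risk analysis: residual score once the listed controls are applied."""
        likelihood = max(1, self.likelihood - sum(c[1] for c in self.controls))
        impact = max(1, self.impact - sum(c[2] for c in self.controls))
        return likelihood * impact


def evaluate(risk: Risk, acceptable: int = CONTEXT["acceptable_risk"]) -> str:
    """Risk evaluation: compare the residual score with the acceptable level."""
    return "retain" if risk.score() <= acceptable else "treat"


def treat(risk: Risk, control: tuple, acceptable: int = CONTEXT["acceptable_risk"]) -> str:
    """Risk modification: add a control, then re-evaluate against the context."""
    risk.controls.append(control)
    return evaluate(risk, acceptable)


# Constructed register entries for illustration only.
REGISTER = [
    Risk("Phishing email reaches staff inbox", likelihood=5, impact=3),
    Risk("Unpatched internet-facing server", likelihood=3, impact=5),
    Risk("Lost unencrypted laptop", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: score={r.score()} -> {evaluate(r)}")
    # Risk sharing via a third-party email filter, modelled as a control
    # that lowers how often phishing gets through; the laptop risk is retained.
    print(treat(REGISTER[0], ("third-party email filtering", 3, 0)))
```

Running it shows the two high-scoring risks flagged for treatment, the laptop risk retained because it already sits below the threshold, and the phishing risk dropping to "retain" after the filtering control is added.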

Information assurance and information security compliance

Information assurance and information security compliance often requires more active auditing of the IT system. From a technical perspective, this can include such things as conducting pen tests on our own systems. These are often the easiest to do but may not give much in the way of information. In order to obtain the full picture, it’s necessary to review, or have reviewed, our compliance and assurance policies and processes to ensure that they are fit for purpose and fulfilling organisational needs. Ideally, this should be part of an ongoing programme of improvement.


BSI (2018) ISO/IEC 27005:2018 Information Technology. Security Techniques. Information Security Risk Management. [online] available from [30 July 2019]