Risk management sits at the heart of everything the information security team does. As such, the information security manager should encourage the business to embed information risk management into every process it uses to deliver its products and services. Every member of staff should be encouraged (and educated) to raise threats, vulnerabilities, and risks with the information security team when they are discovered or observed.
This should trigger an assessment process in which the threat, vulnerability, or risk is taken through the formal risk management process to assess its potential impact on the business, decide on remediation and mitigation strategies, and implement changes as required. Threats, vulnerabilities, and risks are recorded in a central register, known as a risk register, which will eventually become the focal point and core tool used to drive the whole risk management process.
The risk management process is iterative, comprising the four key stages of identify, analyze, treat, and monitor. Reviewing the threats, vulnerabilities, and risks on the risk register (more on this later) is a continual cycle because new risks can emerge at any time and each requires its own analysis and treatment.