OR-03 IT Operations & Resilience

IT Risk Assessment

Technology risks are identified and treated.

Domain: IT Operations & Resilience
Control type: Detective
Automated / manual: Manual
Frequency: Annual
Framework reference: MAS TRM – Risk; COBIT APO12

What good looks like

A periodic IT risk assessment identifies, rates and treats risks in a register.

Risk if it fails

Unmanaged technology risk.

How Tess tests it

3 tests — each concludes only on cited evidence.

Risk-assessment methodology defined

Design

Procedure: Inspect the methodology.
Expected: Defined.
Sample: 1 (design inspection)
Evidence: Risk register, assessment report.

Risk assessment performed; register maintained

Operating

Procedure: Inspect the latest assessment/register.
Expected: Current.
Sample: 1
Evidence: Risk register, assessment report.

Risk treatments tracked

Operating

Procedure: Inspect treatment tracking.
Expected: Monitored to closure.
Sample: 1
Evidence: Risk register, assessment report.

Evidence Tess looks for

Risk register, assessment report.

More in IT Operations & Resilience

OR-01 IT Governance & Oversight OR-02 IT & Information Security Policies OR-04 Asset & Configuration Management OR-05 Regulatory & Compliance Monitoring

Want Tess to test OR-03 against your evidence?