Develop and Implement a Security Risk Management Program

The first step to successfully securing your business.


Your Challenge

  • A security risk management process, in conjunction with an overall Enterprise Risk Management (ERM) strategy, is the first step in truly getting proactive about protecting your assets.
  • Today’s threat landscape is too unpredictable not to have a plan in place.
  • Security risk management does not always require third-party consultants. It can be done in-house if you invest the time.

Our Advice

Critical Insight

  • Once you identify your risks, you can make better spending choices instead of attempting to do too much and over-engineering your security portfolio, or underestimating and under-engineering it.
  • Knowing the big picture helps you align with business goals more succinctly. Transparency in security practices is becoming more of a requirement for customers, so having a comprehensive program can create a competitive advantage.

Impact and Result

  • Develop a comprehensive plan for assessing risks without getting lost in the weeds.
  • Minimize unnecessary spend and maximize cost effectiveness by establishing a risk mitigation roadmap and focusing on the truly important issues.
  • Establish successful strategies for properly communicating the program and its results to key stakeholders, to continue fostering the integration of risk management into overall business practices.


  • Robert Ng-a-Fook, Director of Quality Assurance and Governance, JGWPT Holdings
  • Anonymous contributor, Information Technology & Services Branch, United States military organization
  • Brian Braban, Group Information Security Manager, URENCO Limited 
  • Simon Ho, Consultant at Simon.TK.Ho and Associates Inc.
  • Robert Hawk, Secure Network Designer / Risk & Security Assessment SME at BC Hydro
  • Michel Fosse, Consulting Services Manager, IBM
  • Paul Stillwell, President and Senior Security Consultant, Intrepita Inc. 
  • Steve Woodward, CEO, Cloud Perspectives
  • Jake Klearman, IT Ops Manager, Local & State Government

Get to Action

  1. Define the information security risk management program

    Understand what risk means to your organization.

  2. Conduct a security risk assessment

    Classify risks in preparation to create a mitigation plan.

  3. Develop a security risk mitigation plan

    Prioritize risks and determine appropriate mitigation controls.

  4. Communicate security risks

    Communicate results of the program.

  5. Reassess security risks

    After a year, review risks to ensure continued relevance.

  6. Reassess the program/framework

    After a year, review program to ensure continued relevance.

Guided Implementation

This guided implementation is a six-call advisory process.

  • Call #1: Define a security risk management program (minimum 5 calls)

    Discuss risk definitions and risk levels, begin to document assets, and understand threats and vulnerabilities. Develop ways to strategically communicate the program to stakeholders to secure buy-in.

  • Call #2: Conduct a security risk assessment (minimum 2 calls)

    Begin to classify assets based on threat and vulnerability. Conduct comprehensive assessment and get deeper into Security Risk Management deliverable.

  • Call #3: Develop a risk mitigation plan (minimum 4 calls)

    Complete assessment, determine effort required to address risks, and prioritize risks. Build a roadmap and identify mitigation strategies.

  • Call #4: Communicate security risks (minimum 1 call)

    Develop a strategy to communicate results of the program once it has been in place for a minimum of a year.

  • Call #5: Reassess security risks (minimum 3 calls)

    A year into the program, review the security risks – determine whether proper mitigation has been carried out and whether changes need to be made.

  • Call #6: Reassess the program/framework (minimum 1 call)

    A year into the program, review the program processes, participants, etc. to ensure relevance. Determine metrics.

Onsite Workshop

Module 1: Define the Information Security Risk Management Program

The Purpose

  • Create definitions around how your organization understands risks
  • Identify roles and responsibilities
  • Communicate program to key players

Key Benefits Achieved

  • Assets documented
  • Comprehensive understanding of program steps
  • Strategy for effective communication developed

Activities:

  1.1 Establish definitions
  1.2 Document assets
  1.3 Understand threats and vulnerabilities
  1.4 Review program steps
  1.5 Communicate the program

Outputs:

  • Security Risk Management Methodology
  • Security Risk Management Workbook

Module 2: Conduct a Security Risk Assessment

The Purpose

  • Get a clear vision of what your organization is truly facing in terms of risks.
  • Get prepared to prioritize risks for mitigation.

Key Benefits Achieved

  • Big picture of your real risks is established.
  • Better idea of which risks are truly concerning and which ones you might be able to safely accept.

Activities:

  2.1 Identify security risks
  2.2 Classify security vulnerabilities
  2.3 Classify security threats

Outputs:

  • Security Risk Management Workbook

Module 3: Develop a Risk Mitigation Plan

The Purpose

  • Identify what risks your organization truly needs to mitigate and which they can accept without much negative impact.
  • Establish which controls are needed.

Key Benefits Achieved

  • Prioritized list of risks to tackle.
  • Mitigation plan roadmap.
  • Strategic controls identified.

Activities:

  3.1 Prioritize identified risks
  3.2 Make strategic decisions on mitigating identified risks
  3.3 Architect appropriate security controls to reduce security risks
  3.4 Estimate resources and readiness
  3.5 Build your roadmap

Outputs:

  • Security Risk Management Workbook

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
