SunflowerCISSP Community-crafted CISSP™ mastery

Risk Profile


An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent. Common guiding principles include the following:

1. Ensure availability of key business processes, including associated data and capabilities.

2. Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.

3. Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.

4. Ensure that funding and resources are allocated efficiently to achieve the highest level of information risk mitigation.
