As part of ensuring effective IT control objectives, undertaking IT risk management provides the framework that enables future activity to take place in a consistent and controlled manner. In particular, prioritization enables appropriate resource allocation to prevent, avoid, detect, and/or correct potential risks to the entity’s IT architecture. Once management understands the degree of total risk to information assets, decisions can be made regarding accepting specific risks or conducting tests to verify the sufficiency of detailed risk treatment measures. Thereafter, in descending order, the IT risk points exceeding the IT risk tolerance level can be addressed through adoption or revision of the entity’s IT control objectives.
View Part I of the Governing IT: Setting Control Objectives series here.