
Risk Management & Security Control

Risk is the probability of loss due to a threat — a malicious act or unexpected event — that damages information systems or organizational assets.

Risk impact is the damage incurred by an event that causes loss of assets or disruption of services. The goal of risk management is to reduce these threats to an acceptable level and to implement controls that maintain that level.

Risk can be internal, external, or both. Its impact can ripple through the whole organization and affect other external entities.

Promoting risk awareness within the organization helps employees to develop an understanding of what risks exist, their potential impact and how the organization can manage those risks.


Risk management is a formal process that measures the impact of a threat and the cost to implement controls or countermeasures to mitigate that threat.

Risk cannot be eliminated completely, but it can be managed down to an acceptable level. All organizations accept some risk, and the cost of a countermeasure should not exceed the value of the asset it protects.

The inherent risk of a system is the risk it carries before any people, process or technology controls are applied.

Security controls are safeguards or countermeasures that an organization implements to avoid, detect, counteract or minimize security risks to organizational assets.
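The paragraphs above describe risk as probability of loss, inherent risk as the risk with no controls applied, and the rule that a countermeasure should not cost more than the asset it protects. The following Python script, added here as a worked example and not part of the original page, puts those ideas into a small quantitative assessment: it computes inherent risk as probability times impact (a standard model the page does not itself state), evaluates each candidate control against the asset-value rule plus the usual cost-versus-benefit test, and reports whether the worthwhile controls together bring residual risk under the acceptable level. All asset values, probabilities, control names and costs are constructed sample figures.

```python
"""Evaluate candidate security controls with an expected-loss model.

Added example, not the page's own material. The formula risk = probability
x impact and every figure below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # chance the threat materialises in a year (0..1)
    impact: float       # loss if it does, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                         # annual cost to implement and operate
    applies_to: frozenset               # names of the threats this control affects
    probability_reduction: float = 0.0  # fraction of the probability it removes
    impact_reduction: float = 0.0       # fraction of the impact it removes


def expected_loss(threat: Threat) -> float:
    """Risk as the page frames it: probability of loss times the damage."""
    return threat.probability * threat.impact


def inherent_risk(threats) -> float:
    """Total expected loss with no controls in place."""
    return sum(expected_loss(t) for t in threats)


def apply_controls(threat: Threat, controls) -> Threat:
    """Return the threat as it looks after every applicable control is applied."""
    p, i = threat.probability, threat.impact
    for c in controls:
        if threat.name in c.applies_to:
            p *= 1.0 - c.probability_reduction
            i *= 1.0 - c.impact_reduction
    return Threat(threat.name, p, i)


def residual_risk(threats, controls) -> float:
    """Expected loss that remains once the given controls are in place."""
    return sum(expected_loss(apply_controls(t, controls)) for t in threats)


def evaluate_control(threats, control: Control, asset_value: float) -> dict:
    """Decide whether one control is worth buying on its own.

    Page rule: the control must not cost more than the asset it protects.
    Assumed cost-benefit rule: it must not cost more than the loss it removes.
    """
    before = inherent_risk(threats)
    after = residual_risk(threats, [control])
    benefit = before - after
    return {
        "control": control.name,
        "residual_risk": after,
        "benefit": benefit,
        "cost": control.cost,
        "worthwhile": control.cost <= asset_value and control.cost <= benefit,
    }


def recommend(threats, controls, asset_value: float, acceptable_level: float) -> dict:
    """Select the worthwhile controls and check the combined residual risk
    against the acceptable level the organization has set."""
    chosen = [c for c in controls
              if evaluate_control(threats, c, asset_value)["worthwhile"]]
    residual = residual_risk(threats, chosen)
    return {
        "controls": [c.name for c in chosen],
        "inherent_risk": inherent_risk(threats),
        "residual_risk": residual,
        "within_acceptable_level": residual <= acceptable_level,
    }


# Constructed sample data; not taken from any real assessment.
ASSET_VALUE = 200_000.0
ACCEPTABLE_LEVEL = 12_000.0
THREATS = [
    Threat("ransomware", probability=0.2, impact=150_000.0),
    Threat("insider data leak", probability=0.05, impact=100_000.0),
]
CONTROLS = [
    Control("offline backups", 8_000.0, frozenset({"ransomware"}), impact_reduction=0.8),
    Control("endpoint detection", 16_000.0, frozenset({"ransomware"}), probability_reduction=0.5),
    Control("data loss prevention", 30_000.0, frozenset({"insider data leak"}), probability_reduction=0.6),
    Control("platform replacement", 250_000.0, frozenset({"ransomware", "insider data leak"}), probability_reduction=0.9),
]

if __name__ == "__main__":
    for control in CONTROLS:
        print(evaluate_control(THREATS, control, ASSET_VALUE))
    print(recommend(THREATS, CONTROLS, ASSET_VALUE, ACCEPTABLE_LEVEL))
```

With the sample figures, inherent risk is 35,000. Only the backups control passes both tests (cost 8,000 against a 24,000 reduction in expected loss); endpoint detection and data loss prevention cost more than the loss they remove, and the platform replacement is rejected outright because it costs more than the asset. The backups alone leave a residual risk of 11,000, which is within the 12,000 acceptable level the organization set.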

The Center for Internet Security (CIS) has created a mapping of its 18 critical security controls to some of the common compliance frameworks. This provides helpful guidance to security professionals who are working to create and maintain compliance with the required frameworks.
