University of Toronto Logo

Information + Technology Services

Small normal big

Project Information Risk Management Assessment

Information Risk Management Process_2



A Project Risk Management Assessment provides an in-depth analysis.  The assessment involves:

  • Gathering the information.  ISEA provides an Information Risk Management Questionnaire (IRMQ) to capture the information.
  • Analyzing the information.  ISEA will complete an Information Risk Management Assessment (IRMA) of your project or process, possibly at a fee, depending on the assessment.  ISEA will provide help for you to complete your own assessment, or of course, you are free to carry out your own assessment. ISEA provides an Information Risk Management Assessment template.
  • After analysis, the project team need to respond to the recommendations to manage risk, by mitigating the risk (making changes), accepting, transferring or avoiding the risk
  • On a continuing basis, the project needs to be monitored for risk, and reviewed at intervals to ensure the goals of risk management assessment are being met.  This is an iterative process, as threats constantly evolve, and new vulnerabilities are discovered.
  • The steps require communication and consultation between stakeholders.

The diagram  is derived from a diagram in ISO27005, with a modification added from NIST SP 800-39, and further modified to apply to the requirements of UofT.