In a practical publication titled ‘Guidance for organisations that need to assess and make business decisions about technology and information risks’, the UK’s CESG put forward a set of recommendations on risk mitigation in ICT environments.
While the publication is principally intended for public sector organisations, it is extremely relevant for private operators.
“Technology and information risk is not just about avoidance and mitigation; the pursuit and acceptance of risk creates opportunities and can help deliver business objectives.”
CESG said that risk management is not something an organisation can carry out once when implementing new technology and then forget about. The report provides an overview of risk management through an entire system or service lifecycle and clarifies the role that each player (not merely IT suppliers) should play in such a process.
Read the full report here.