The IS risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of information/technology solutions (Application, Hardware, Network and People) within an organization. IS risk consists of IS-related events that could potentially impact the business. It is also the management of uncertainty within the functions of IS so as to provide the organization with assurance that:
- the possibility of a threat occurring is reduced or minimized
- the impact, direct and consequential, is reduced or minimized
To provide this assurance, threats must be identified and their impact on the organization evaluated so that appropriate control measures can be taken to reduce the possibility or frequency of a threat occurring and to reduce or minimize the impact on the business.
Information is a key business resource which, in order to be of value, must be correct, relevant and applicable to the business process and delivered in a timely, consistent and usable manner; it must be complete and accurate and provided through via the best use of resources (planned or unplanned), and if sensitive it must have its confidentiality preserved. Information is the result of the combined application of data, application systems, technology, facilities, and people. IS Risk Management ensures that the threats to these resources are identified and controlled so that the requirements for information are met.