1. Home
  2. Training Library
  3. Risk management life cycle and treatment [CISMP]

Risk identification

Risk identification

Having identified the asset, risk will be determined by the vulnerabilities and threats acting on it, so these must be identified and assessed. The data asset register should contain information about the location of the data, its owner and value to the organisation. Ownership of the data is important, as the data owner is responsible for deciding whether to accept the risks identified through the risk assessment.


Vulnerabilities are weaknesses in the controls protecting the asset, so they’re usually easier to find than threats which can be much harder to predict. There are many vulnerability assessment tools, like Nessus and OpenVAS, which automatically scan networks to find vulnerabilities. Remember that while automated scans are fast and convenient, they are nevertheless simply tools and results should not be taken at face value. They’ll often highlight a vulnerability but can’t ‘understand’ what other controls may be in place to mitigate it.

Introducing CiSP

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative, set up to allow UK organisations to share cyber threat information in a secure and confidential environment.

The benefits of CiSP

The benefits of CiSP include:

  • Engagement with industry and government counterparts in a secure environment
  • Early warning of cyber threats
  • Ability to learn from experiences, mistakes, successes of other users and seek advice
  • An improved ability to protect their company network
  • Access to free network monitoring reports tailored to your organisations’ requirements 

Decorative Image: Gauging the risk involves many considerations.

Gauging the risk

The risk will generally relate to the value of the data, but this isn’t always easy to calculate. Value is typically assessed in terms of the data’s sensitivity and criticality. In other words, what would happen if it became public (sensitivity), or it was unavailable for any reason (criticality). In this case, value must include a consideration of an organisation’s contractual and legal obligations, its relationship with suppliers and customers, the potential for reputational damage, projected value of intellectual property, and many other considerations.

Configuration management databases (CMDBs)

A CMDB is an archive that acts as a data warehouse, storing information about your IT environment and the components that are used to deliver IT services. The data stored in a CMDB include lists of assets (known as configuration items) and the relationships among them.

The heart of modern IT operations

CMDBs and the configuration management processes that surround them are the heart of modern IT operations. They allow the company to manage data about a diverse set of IT components in a centralised location (even if the actual devices are widely distributed). The CMDB helps the organisation perform service management processes such as incident management, change management and problem management, and is also an essential resource for decision-makers who need information to improve the cost, quality and performance of the organisation's IT Services.

In addition to an organisation's own interests in keeping a well-ordered, up to date CMDB, GDPR has also increased fines for failures to protect personal data, so organisations are taking data asset control much more seriously than before. It's a cornerstone of information security and needs constant attention.

To wrap up

In the previous articles, you have seen that the risk management life cycle is an iterative process involving four phases: Identify, Analyse, Treat, and Monitor. Following these steps allows us to focus our cyber defences to the best effect within the constantly evolving threat environment.

What's next?

Next up, you're going to look at qualitative and quantitative methods of measuring and describing risk.


In this course, you'll be examining the risk management life cycle and treatment, you'll learn about qualitative and quantitative methods as well as risk register and asset classification.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.