IT risk management

IT risk management checklist


Risk management can be relatively simple if you follow some basic principles. To manage the IT risks to your business effectively, make sure that you do the following:

  • Think about IT security from the start when you plan or update an IT system. Discuss your needs and potential problems with the system users.
  • Actively look for IT risks that could affect your business. Identify their likelihood, costs and impact. Carry out a comprehensive IT risk assessment.
  • Think about the opportunity, capability and motivation behind potential attacks. Understand the reasons for cyber attack.
  • Assess the seriousness of each IT risk and focus on those that are most significant.
  • Understand the relevant laws, legislations and industry guidelines, especially if you have to comply with the data protection legislation.
  • Configure your PCs, servers, firewalls and other technical elements of the system. Keep software and hardware equipment up-to-date. Put in place other common cyber security measures and secure your wireless network.
  • Don't rely on just one technical control (eg a password). Use two-factor authentication to guarantee user identity - eg something you have (such as an ID card) and something you know (a PIN or password).
  • Develop data recovery and backup processes and consider daily backups to offsite locations.
  • Support technical controls with appropriate policies, procedures and training. Understand the most common insider threats in cyber security.
  • Make sure that you have a business continuity plan. This should cover any serious IT risk that you cannot fully control. Regularly review and update your plan. Read about IT risk and business continuity.
  • Establish effective IT incident response and recovery measures, as well as a recording and management system. Simulate incidents to test and improve your incident planning, response and recovery.
  • Develop and follow specific IT policies and procedures, such as on email and internet use, and make sure your staff know what falls under acceptable use.
  • Consider certification to the IT security management standards for your business and your trading partners.

The National Cyber Security Centre offers detailed guidance to help organisations make decisions about cyber security risk.

If you want to look at risks beyond IT, see how to manage business risks.