Integration of an IT-Risk Management / Risk Assessment Framework with Operational Processes

This paper discusses the background and results of a research project which was conducted by ENISA (European Network and Information Security Agency) in cooperation with the BOC Information Technologies Consulting GmbH. The project was initiated with respect to the main task of ENISA: ensuring a high and effective level of network and information security within organisations in the European Union. As an important step towards this goal the research project aimed at increasing the level of integration between an enterprise-level IT Risk Management/Risk Assessment on the one hand, and selected operational business processes, on the other hand. The proposed integration is mainly established on the level of document flows between processes and activities respectively. In particular, operational processes which are closely related to IT were selected for integration. The introduced approach promises a better overall quality of IT Risk Management in an enterprise in general, as well as an improved management of risks in operational processes.