Information Assurance Risk Management for HMG (second day)

This course will provide a basic awareness of the principles of technical risk assessment, risk treatment and risk management. It is relevant to both HMG organisations and to supply chain companies delivering to HMG contracts.

The course is a second day for the Information Assurance Risk Management for HMG course and explains in greater depth how risk management, specifically IS1&2, can be conducted in government organisations.

It also links to the course Introduction to Accreditation, which explains the role of the HMG accreditor in the risk management process.

This part of the course uses a scenario-based approach with instructor-led group and individual exercises to practise the risk management methodology.

Target Audience:

This course is aimed at delegates with a basic knowledge of Information Assurance. Ideally, delegates should have some understanding of business risk management and security topics in general.

The course will benefit:

  • Those who are tasked with conducting risk management in their organisation.
  • Those who are involved in projects delivering information systems and who review or contribute to risk assessments and risk management.
  • Senior staff who want to understand the process and terminology in order to maintain an effective information risk management culture.
  • Operational staff who want to understand the process and terminology in order to manage day to day risks in the delivery of the organisation's objectives.
  • Project managers delivering IT projects to government either directly or as a member of a supply chain company delivering against a contract.

Learning Objectives

The course objectives are:

  • To explain the principles of risk assessment, risk treatment and risk management as implemented in HMG organisations.
  • To describe the available methods for completing a basic risk assessment.
  • To enable delegates to understand the application of security controls to risks and the importance of adequate assurance.
  • To explain how risk management can be conducted in the context of the business.

The course emphasises that information risk management is part of overall business risk management. It explains the benefits of a common methodology and language for risk management but stresses that a rigid adoption of a process model is often not appropriate and that each aspect of risk management must be considered in the context of the business requirements and its appetite for risk.

At the end of this course you will be able to understand:

  • The process steps available in the IS1&2 methodology to use in risk assessment, risk treatment and risk management in your own organisation.
  • How to undertake a basic risk assessment using the IS1&2 methodology in your own organisation.
  • How to analyse and provide a meaningful review of risk assessments and risk management plans produced by others.


Students must have attended the pre-requisite one-day 'Information Assurance Risk Management for HMG' course prior to attending this second day.

Students should also have general familiarity with HMG security policy.

Recommended pre-reading: The latest version of the Security Policy Framework

Recommended pre-reading for this course only: The Executive Summary to the IS1&2 Technical Supplement: Technical Risk Assessment and Risk Treatment.

Course Content

This course is delivered in one day as a companion course for Information Assurance Risk Management for HMG and is primarily focused on HMG IS1&2.

The course is intended for government organisations and supply chain companies that continue to use the risk management approach defined in the HMG Information Assurance Standard 1&2: Technical Supplement. This option is provided because organisations may wish to continue to use that approach, at least for the time being. This part of the course will give delegates an awareness of how the IS1&2 methodology can be used and will enable them to produce a risk management solution.

Risk Management Using HMG IS1&2

Module 1: Overview of HMG IS1&2
Module 2: Threat Sources
Module 3: Foci of Interest & Threat Actors
Module 4: Risk Assessment
Module 5: From Risk Assessment to Risk Treatment
Module 6: Risk Treatment
Module 7: Implementation and Assurance
Module 8: Residual Risk Management

Please note: Delegates who have not attended this compulsory pre-requisite course will be asked to leave the course without refund.
