Managing information security risk is a highly complex activity that requires the information security professional to be actively involved in all facets of the organization, from top-level organizational leadership down to the people, processes, and technology that makes the organization's mission successful:

The information professional must establish a risk management strategy whereby an organization can establish repeatable mechanisms for the ongoing assessment, response, and monitoring of information security risks. This allows the information security professional to engage the organization in a repeatable and transparent way, helping to ensure a greater level of acceptance by the organization. Use the following examples as a guide as you begin the process of understanding your organization more deeply.