Does your company perform a risk assessment? If you said yes, what did you mean by “risk assessment”?
I ask because often when people say “risk assessment” they are thinking “gap analysis”. As IT auditors, our instinct is sometimes to select our favorite security framework (probably ISO 27001 or NIST 800-53) and begin identifying gaps in the control environment.
Even when we have “great” audit findings, […]