Information security risk assessments are vital procedures for maintaining the security of information resources and meeting legal requirements for protecting confidential information. The purpose and goal of these assessments can only be achieved if the assessments are conducted effectively and accurately. The purpose of this Control is to implement a monitoring process which adequately provides management with assurance that the information on which risk assessment assertions are made is factual. The goal of these procedures is to assist Texas A&M University units with improving the effectiveness of their use of the Information Security Risk Assessment Procedures (ISRAP) and the value and accuracy of their risk assessments.


  • This Control applies to all information security risk assessments that are conducted annually for university information resources.

  • The intended audience includes all University personnel involved in performing, assisting with, approving, or making risk management decisions related to information security risk assessments


  • 1. After completion of the annual Information Security Risk Assessment, all assessment reports will be reviewed by the Division of IT Risk Management and Policy personnel (i.e., the “primary review”). Based on the primary review, some assessments will be selected for additional review (i.e., a “secondary review”). The selection of assessments for secondary review and the order of these reviews will be predicated on areas of inherent risk (e.g., confidential information, high or moderate impact information resources, and/or problematic conditions) or at the direction of the Vice President for Information Technology & Chief Information Officer (or designee).

  • 2. The specific process followed for each review will be designed with effectiveness and efficiency as primary goals. Where beneficial and feasible, these reviews may utilize automated software tools to provide confirmation and/or information regarding the configuration and classification (e.g., contains confidential data) of the information resources.

  • 3. The review process shall include where appropriate: notification, information gathering, analysis, and reporting.

  • 4. During the review, the Division of IT Risk Management and Policy personnel will answer any questions units have regarding the risk assessment process with the goal of promoting a better understanding and effective use of the Information Security Risk Assessment Procedures.

  • Suggestions regarding clarification and improvement of the risk assessment tools and process will be sought from unit personnel.

  • 5. Detailed guidelines can be found at the ISRAP website.

  • (This control replaces the previous SAP 29.01.03.M1.26 Information Resources – Security Risks Assessment Reviews)