The One-Page IT Risk Management (ITRM) Checklist


IT risk management should be clear and actionable. Use this checklist to confirm you are covering the four essentials: know your assets, know your threats, close the gaps, and track remediation to completion. The items below expand those four into the controls an assessor will ask to see.

  • Asset inventory: Hardware, endpoints, servers, cloud resources, and SaaS (including shadow IT).
  • Data inventory & classification: Identify “crown jewel” data (PII, IP, financial, regulated) and where it lives.
  • Identity & access: Account lifecycle (joiner/mover/leaver), admin access review, MFA coverage, and privileged access controls.
  • Threat model (high level): Ransomware/phishing, insider risk, third-party/supply chain, physical/environmental, and availability risks.
  • Framework alignment: Map core controls to NIST CSF / ISO 27001 / CIS Controls (and PCI-DSS/HIPAA/GDPR where applicable).
  • Policy vs. practice check: Confirm real-world enforcement matches written standards (ensure exceptions are documented and approved).
  • Vulnerability management: Internal/external scanning cadence, patch SLAs by severity, and remediation validation (a finding is closed when a rescan confirms the fix, not when a ticket is marked done).
  • Security testing: Periodic penetration testing and control validation for critical systems and applications.
  • Vendor risk management: Criticality tiers, due diligence, contract/security requirements, and ongoing monitoring.
  • Logging & monitoring: Centralized logging, alerting coverage, and incident escalation paths.
  • BC/DR readiness: RPO/RTO targets, backup testing, recovery exercises, and ransomware recovery plan.
  • Remediation roadmap: Prioritized actions with assigned owners, deadlines, and status tracking.
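The asset inventory, vulnerability management and remediation roadmap items above are one workflow: join scanner findings to the inventory (owner, data classification, exposure), apply the patch SLA, and track each item until a rescan validates the fix. The following Python is an added example of that join, not tooling from the original page or from Red Spider Security; the asset records, findings, SLA windows and scoring weights are all constructed placeholders that an organisation would replace with its own.

```python
"""Toy remediation tracker: joins scan findings to the asset inventory, applies
patch SLAs, and emits a prioritised roadmap with owners, deadlines and status.
Added example with constructed data; SLA windows and weights are assumptions."""
from datetime import date, timedelta

# Assumed patch SLA windows (days from first detection) per severity. These are
# illustrative policy values, not a standard; substitute the organisation's own.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Reporting date used by the stand-alone run and the checks below (constructed).
AS_OF = date(2024, 6, 10)

# Constructed asset inventory. Owner, data classification and exposure come from
# the inventory, not the scanner, which is why the join matters.
ASSETS = {
    "web-01":   {"owner": "platform-team", "crown_jewel": True,  "internet_facing": True},
    "db-01":    {"owner": "data-team",     "crown_jewel": True,  "internet_facing": False},
    "build-03": {"owner": "dev-tools",     "crown_jewel": False, "internet_facing": False},
}

# Constructed scanner findings with generic titles. "legacy-fs" is deliberately
# absent from ASSETS to show how the join surfaces shadow IT.
FINDINGS = [
    {"asset": "web-01",    "title": "outdated TLS library",       "severity": "high",
     "first_seen": date(2024, 5, 1),  "status": "open",  "verified": False},
    {"asset": "db-01",     "title": "unsupported database build", "severity": "critical",
     "first_seen": date(2024, 5, 20), "status": "open",  "verified": False},
    {"asset": "build-03",  "title": "weak SSH cipher config",     "severity": "medium",
     "first_seen": date(2024, 4, 1),  "status": "fixed", "verified": False},
    {"asset": "legacy-fs", "title": "SMBv1 enabled",              "severity": "high",
     "first_seen": date(2024, 5, 25), "status": "open",  "verified": False},
    {"asset": "web-01",    "title": "directory listing enabled",  "severity": "low",
     "first_seen": date(2024, 3, 1),  "status": "fixed", "verified": True},
]


def sla_due(first_seen, severity):
    """Remediation deadline implied by the patch SLA for this severity."""
    return first_seen + timedelta(days=PATCH_SLA_DAYS[severity])


def priority_score(finding, asset):
    """Severity weighted by what the inventory says about the asset. An asset
    the inventory does not know gets the worst-case bonus: unknown ownership
    and exposure is itself a finding."""
    score = SEVERITY_WEIGHT[finding["severity"]]
    if asset is None:
        return score + 4
    if asset["crown_jewel"]:
        score += 2
    if asset["internet_facing"]:
        score += 2
    return score


def build_roadmap(findings, assets, today):
    """Join findings to the inventory; return tracked items, most urgent first.
    Fixed-and-verified items drop off. Fixed-but-unverified items stay on the
    roadmap as 'awaiting validation' until a rescan confirms the fix."""
    items = []
    for f in findings:
        if f["status"] == "fixed" and f["verified"]:
            continue
        asset = assets.get(f["asset"])
        due = sla_due(f["first_seen"], f["severity"])
        items.append({
            "asset": f["asset"],
            "title": f["title"],
            "owner": asset["owner"] if asset else "UNASSIGNED (not in inventory)",
            "severity": f["severity"],
            "due": due,
            "overdue_days": max((today - due).days, 0),
            "status": "awaiting validation" if f["status"] == "fixed" else "open",
            "score": priority_score(f, asset),
        })
    # Overdue items first, then highest score, then earliest deadline.
    items.sort(key=lambda i: (i["overdue_days"] == 0, -i["score"], i["due"]))
    return items


def summarize(roadmap):
    """The counts a board, auditor or insurer will ask for."""
    return {
        "tracked": len(roadmap),
        "overdue": sum(1 for i in roadmap if i["overdue_days"] > 0),
        "unowned": sum(1 for i in roadmap if i["owner"].startswith("UNASSIGNED")),
        "awaiting_validation": sum(1 for i in roadmap if i["status"] == "awaiting validation"),
    }


if __name__ == "__main__":
    roadmap = build_roadmap(FINDINGS, ASSETS, AS_OF)
    for i in roadmap:
        print(f'{i["severity"]:8} {i["asset"]:10} {i["owner"]:30} due {i["due"]} '
              f'overdue {i["overdue_days"]:3}d  {i["status"]:19} {i["title"]}')
    print(summarize(roadmap))
```

Two design points matter more than the scoring weights. A finding on an asset the inventory does not know is ranked above a known asset of the same severity, because the missing inventory record (no owner, unknown exposure) is the gap to close first. And "fixed" without a verifying rescan never leaves the roadmap, which is what turns a ticket queue into a defensible remediation record.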

If you want this turned into an executable Build vs. Assess plan with a defensible trail for auditors, boards, and insurers, contact Red Spider Security.
