Information Systems Risk Management


Is your IS risk management plan tailored to the specific risk profile of your business? 

Information systems risk management strategy, covering system security, continuity strategy, safety and compliance, has attracted substantial interest, since no organization can bear the losses that compromised information systems would cause. The perpetrators may be internal to a firm or external attackers. The risks include theft, destruction, interception and alteration of information, stalling or rerouting of data, and forged messages. Proactive risk management initiatives are the risk reduction formula for competitiveness and compliance. Our speaker will share with participants his experience in IS risk management and in taking professional examinations, through case studies, class discussions and a mini-project.



This course equips attendees with the necessary perspective, knowledge and skills to understand the essential elements and benefits of applying effective IS risk management and to:

  Identify the risks, audit requirements and solutions associated with information systems management

  Match the risk and crisis management approach to the corporate business strategy, with appropriate preventive controls and corrective actions.

Our speaker will share with participants his experience in risk assessment, consulting, control strategies and tools, measurement tools, policy setting and audit planning.


Features of the workshop

  • Experienced and qualified trainer, Danny Ha, with 27 years of practical industry experience in IT, information systems audit, security and business risk management, holding the designations CISA, CISM, CISSP, CPM, FCRP, CRT, PMP, MBA and ISLA ISC2. For his bio, please visit

  • Comprehensive coverage of course material and discussion of past exam questions

  • Clear and precise presentation slides, with sharing of live audit experience

  • In-depth revision and explanation to help students pass the examination

  • Exam techniques sharing


Course Content

I. Information System Risk Management

  • Risk Management Principles

  • Understanding risk management

  • Classification of Risk Management

  • Security models and access control management

  • Risk analysis, possible attacks, security standards

  • Enterprise Risk Management and implementation

  • Topics related to CISSP, CISM, and CISA requirements

II. Planning and Organization of Information Systems

  • IS Auditing Standards & process

  • Risk Assessment: Statutory Requirements and Duty of Care

  • Risk Assessment Guidelines

  • Risk Assessment Process

  • Risk Management in production

  • Risk Management Automation with Risk Database

  • Topics related to CISSP, CISM, and CISA requirements

III. Risk Analysis and Project Management

  • Possible Threats and Vulnerabilities

  • Attack Methods

  • Operation Security and Virtual Organization

  • Physical Security and Control Theory

  • Authorization Issues

  • IT Project Development

  • Project Risk Management

  • Topics related to CISSP, CISM, and CISA requirements

IV. Security & Audit on Application Systems

  • Business application threats and risks analysis

  • Security Management Process in SDLC

  • Application controls

  • Application Selection Factors

  • Writing the Business Application Analysis Report

  • The Report, Layout and Document Format

  • Topics related to CISSP, CISM, and CISA requirements

V. Business Continuity Management and Practices

  • Example of Impact Analysis for risk assessment

  • Awareness Training and Protection

  • Management Planning

  • Risk & Continuity Theory & Strategies

  • BCP and DRP Strategies

  • Trends in IT Risk Management

  • Topics related to CISSP, CISM, and CISA requirements

VI. Information Security Policy and Program Management

  • Creating and maintaining plans.

  • Developing information security baseline(s).

  • Developing procedures and guidelines in business processes.

  • Developing procedures and guidelines for IT infrastructure activities.

  • Integrating information security program(me) requirements.

  • Developing methods of meeting information security policy requirements.

  • Promoting accountability by business process owners and other stakeholders.

  • Establishing metrics.

  • Identifying internal and external resources for information security.

  • Topics related to CISSP, CISM, and CISA requirements

VII. Response management

  • Developing and implementing processes for detecting, identifying and analyzing security-related events.

  • Developing response and recovery plans.

  • Periodic testing of the response and recovery plans.

  • Execution of response and recovery plans.

  • Establishing procedures for documenting events.

  • Topics related to CISSP, CISM, and CISA requirements


Who Should Attend

The course is designed for professionals, managers and security practitioners, and for CISSP, CISM and CISA candidates, who would like to gain knowledge and practical tools in information systems risk management and prepare for the professional examinations.



Mr. Danny Ha

Holder of CISA, CISM, CGEIT, CISSP, CSSLP, FCRP, CRT, CCC, CPM, ISO20000, ISO27000 LA, ISLA, APSNY, MBA and B.Sc.(Hons), and mentor and lecturer at universities.

Danny Ha has extensive experience and a proven record in information systems audit, security, risk and crisis management. He has been an information technology practitioner for more than 27 years, covering application system development, systems integration, services management, information systems security and audit, project management and business management for the banking, FSI, government, retail and services, logistics, warehousing, trading, manufacturing, garment, property agency, health-care and hospital industries. Danny is now Director/Chief Consultant and Auditor of risk management services for many MNCs, vendors, banks and HKSAR government departments. He has delivered numerous courses at professional certification level, in graduate diploma courses, degree courses in social science and executive management certificate courses at various universities, professional bodies and institutes in Hong Kong and China. He is now the Mentor of the HKUST BSc in Risk Management and Business Intelligence. He has conducted CRP courses for over 100 lecturing hours to over 300 attendees since 2006; CISA Exam Preparation Courses for over 1,000 lecturing hours to over 500 attendees since 2002; and CISSP Exam Preparation Courses for over 1,500 lecturing hours to over 2,000 attendees since 2001.

