ISACA's Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk

Schaumburg, Ill. (June 25, 2020) — Managing risk and opportunity, including information and technology (I&T) risk, is a key strategic activity for enterprise success, and it is even more relevant today during this time of disruption. ISACA has released new editions of risk IT resources to help guide enterprises: Risk IT Framework, 2nd Edition and Risk IT Practitioner Guide, 2nd Edition.


The updated Risk IT Framework offers guidelines and practices that optimize risk, opportunity, security and business value, and helps practitioners build consensus regarding risk IT decisions at all enterprise levels. Its companion guide, the Risk IT Practitioner Guide, 2nd Edition, gives practical guidance on how to accomplish the activities described in the Risk IT Framework, 2nd Edition. Both publications were updated to reflect new regulations, methods, and technology that have been introduced since the original editions were published. The second editions include a stronger focus on cybersecurity and align with the latest version of COBIT.


Risk IT offers a structured, systematic methodology that helps enterprises:


  • Identify current and emerging risk throughout the extended enterprise
  • Develop appropriate operational capabilities to ensure that business processes continue operating through adverse events
  • Leverage investments in compliance or internal control systems already in place to optimize I&T-related risk
  • Frame I&T-related risk within a business context to understand aggregate exposure in terms of enterprise value


Both Risk IT Framework, 2nd Edition and Risk IT Practitioner Guide, 2nd Edition were created to assist in developing, implementing or enhancing the practice of risk management by:


  • Connecting the business context with I&T assets.
  • Shifting the focus to activities over which the enterprise has significant control, such as actively directing and managing risk, while minimizing the focus on the conditions over which an enterprise has little control (threat actors).
  • Increasing the focus on using a common risk language that correctly labels the items that must be managed well to create value.


"Risk management works best when integrated with the regular workflow of the staff and management rather than as an add-on activity," says Lisa Young, CISA, CISM, VP of Cyber Risk Engineering at Axio, and the lead developer for both publications. "As Risk IT shows, effective I&T risk management provides many benefits, including reduced or minimized losses, better oversight of organizational assets and increased ability (or capability) to manage risk in alignment with enterprise strategy."


The Risk IT Framework, 2nd Edition is offered in the digital format for free to members and costs $75 for non-members. In the print format, the framework costs $60 for members and $75 for non-members. The Risk IT Practitioner Guide, 2nd Edition costs $75 for members and $100 for non-members and is offered in both the print and digital format. To download the framework, visit To download the practitioner guide, visit Find additional ISACA resources at



For more than 50 years, ISACA has advanced the best in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations. Through the CSX, COBIT and CMMI solutions, ISACA enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information and cybersecurity, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 223 chapters worldwide.