rectangle e31837

 A Project Risk Management Assessment provides an in-depth analysis or the application or the vendor.

Click here to see a list of the applications and vendors that have been assessed by ISEA or others that ISEA knows about.

The assessment involves:

Gathering the information.

  • ISEA provides an UofT-Information-Risk-Management-Questionnaire (IRMQ) to capture the information.
  • Vendors and the HECVAT. The Security section of the IRMQ can be replaced by a completed HECVAT, but sections of the IRMQ are still required.
    • Use of the HECVAT by vendors is encouraged, as this reduces duplication of effort for vendors in the higher education space.
    • The HECVAT does not capture all necessary details relating to use of personal information.Vendors must also complete parts of the IRMQ, particularly pertaining to personal information, and third parties. Sections required are clearly explained in the IRMQ.
    • What is the HECVAT?
      • Educause provide a Higher Education Cloud Vendor Assessment Tool (HECVAT), in two version, Full and Light. This is useful, as vendors then provide only one set of answers for all institutions. Please see
      • In general, the full version would be used, unless there is no or very little personal information.
      • Some completed HECVAT’s are available on the re-isac site.

Analyzing the information.

The questionnaire / HECVAT is not an assessment – the tools provide the information to allow a Privacy Impact Assessment (PIA) and a Threat/Risk Assessment (TRA) of  the vendor or project  – together called the Information Risk and Risk Management Assessment (IRRM)

  • ISEA will complete an IRRM of your project or process, possibly at a fee, depending on the assessment; or
  • ISEA will provide help for you to complete your own assessment; or of course
  • You are free to carry out your own assessment. If you want to make use of it, ISEA provides an Information Risk Management Assessment template.

Managing the risk

  • After analysis, the project team need to respond to the recommendations to manage risk, by mitigating the risk (making changes), accepting, transferring or avoiding the risk.

Continuous risk monitoring

  • On a continuing basis, the project needs to be monitored for risk, and reviewed at intervals to ensure the goals of the risk management assessment are being met.  This is an iterative process, as threats constantly evolve, and new vulnerabilities are discovered.


  • The steps require communication and consultation between stakeholders.

The diagram below captures the steps involved in the process. It is derived from a diagram in ISO27005, with a modification added from NIST SP 800-39, and further modified to apply to the requirements of UofT.

Information Risk Assessment Process

Information Risk Assessment Process