Risk IT Fact Sheet 

Risk IT: Based on COBIT

Risk IT: Based on COBIT is the first comprehensive, globally applicable IT-related risk framework.

About Risk IT

Risk IT is a framework and supporting set of practical, real-world practices that helps enterprises seize opportunities and seek greater return through better management of risks. It works at the intersection of business, information and technology, and allows enterprises to manage—and even capitalize on—risk, to create value.

It extends COBIT, the globally recognized IT governance framework, and saves time, cost and effort by providing enterprises with a way to focus effectively on IT-related business risk areas, including risks related to late project delivery, compliance, misalignment, obsolete IT architecture and IT service delivery problems.

Developed by an international team of IT and business experts, Risk IT provides the guidance to help executives and management ask the key questions, make better risk-adjusted decisions and guide their enterprises so that risk is managed more effectively. Risk IT helps professionals detect warning signs earlier to better protect their business and revenue. Many of these risks can be reduced by using IT and many are the direct result of the existence of technology. Currently, these IT-related risks are often managed in silos. Risk IT addresses these issues by providing a business focus and holistic way of managing—and capitalizing on—risks.

Risk IT is issued by the nonprofit, independent membership association ISACA, a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance.

Risk IT Materials

Risk IT components include:

  • The Risk IT Framework
  • The Risk IT Practitioner Guide

The Risk IT Framework is available as a free download at the Risk IT home page. Print versions of both publications can be purchased from the ISACA Bookstore.

COBIT 5 Incorporates Risk IT

The scope of the guidance provided in the Risk IT framework has been incorporated into the latest thinking offered in COBIT 5. More information on COBIT 5 can be found at www.isaca.org/cobit.

Risk IT Recognitions

  • The Global Status Report on the Governance of Enterprise IT (GEIT) 2011, a study conducted by the IT Governance Institute (ITGI), ISACA’s research affiliate, found that ISACA’s Risk IT framework, released in 2009, is already being used by 12 percent of the respondent enterprises; it was the sixth most mentioned framework of the 14 references listed.
  • The CyLab group within Carnegie Mellon University included references to ISACA’s Risk IT in a document titled, “Governance of Enterprise Security: CyLab 2010 Report.”
  • Zawya Dow Jones News announced that the National Commercial Bank (NCB) of the Kingdom of Saudi Arabia will implement an IT risk management program based on the Risk IT Framework.
  • MetLife leveraged Risk IT to create a MetLife-specific IT risk management framework that allows management to consider all aspects of managing IT risk consistently across the enterprise and better connect it to business operational risk activities.

Risk IT in the News 

  • “To achieve (IT maturity), companies gradually adopt best practices such as COBIT, ITIL, Risk IT and ISO 17799 to guide IT personnel…IT risk management is the second major maturity enabler and is addressed at length in ISACA’s Risk IT framework.” CIO Update, October 2011
  • “Ready for 2011? Five questions for CISOs” states that ISACA's Risk IT framework (based on the COBIT framework) and best practice guidance can help with risk management. SC Magazine, January 2011
  • Brian Barnier, principal at ValueBridge Advisors, discusses the benefits of Risk IT in a Mash Risk Television video titled The ISACA Risk IT Framework.
  • CIO was among the many outlets that included the results of ISACA’s 2010 IT Risk/Reward Barometer survey. In an April 2010 article titled, “Many Managers See Cloud Computing As Risky Business,” Joab Jackson states, “Despite the hoopla surrounding cloud computing, almost half of U.S. IT managers are still wary of using cloud computing services within their own operations, according to the results of a survey released Wednesday by (ISACA).”
  • In an article titled “Today's 10 most common security threats on the Net” in the Bangkok Post, Acis Professional Centre CEO Prinya Hom-anek suggests that organizations should apply best practices such as ITIL, COBIT or the Risk IT Framework.


Kristen Kessinger, +1.847.660.5512
Joanne Duffer, +1.847.660.5564