IT Risk Management

By selecting the risk module in the QSEC software menu, the risk management functions are activated. The complete IT risk management is carried out here according to the requirements of ISO 27005 and/or BSI. The potential weaknesses and threats of the asset groups in the corresponding scope (scope, consisting of the relevant business units and the associated assets and standards) are determined.


The operational risk method implemented in this module works according to the requirements of the ISO/IEC 27005 standard or according to the IT basic protection requirements (200-3). The calculation methods and classification tables are predefined and can be individually customized to meet the specific requirements. The stored threat and vulnerability catalogues (hazard and building block catalogues) are assigned to the existing asset types (infrastructure, IT hardware, IT software, cloud etc.) and evaluated. Since the assessment of the security requirements (asset group value) is a company-specific value, the criteria can be configured flexibly. An adjustment is possible at any time via the administration tool.


During the risk assessment, the measures for risk reduction and the associated incidents (security incidents) are displayed. The following values are calculated:

  • Protection requirements (asset group value),
  • likelihood of occurrence,
  • Risk value in EURO,
  • Risk level,
  • Net risk.

One of the great advantages of IT risk management assessment according to the methodology of ISO 27005 is the focus on the business processes of the company. The business processes stored in QSEC are evaluated for their criticality and assigned to the required asset groups (buildings, IT infrastructure, etc.).


Identified critical asset groups will be checked for

  • Availability,
  • Integrity,
  • Confidentiality,
  • Authenticity,
  • Data protection relevance and
  • their financial value

which determines the need for protection. This enables the identification of concrete action plans to reduce weak points (risk treatment planning).


IT-risk management assetgroup overview

QSEC®: Tabular IT risk management overview sorted by status


QSEC®: hierarchical business process view with the IT risk overview according to the associated asset groups


QSEC®: Risk matrix of the risk levels of the considered asset groups

Risk development in IT risk management

QSEC®: risk development in IT risk management

QSEC modules

Data-Protection-Management-System-QSEC Information_Assets Compliance_Management_System
IT-Risk-kachel Security Incident Management Measure-Management
Document-Management Master-Data-qsec Business_Continuity_Management
Reporting-Dashboard Interview-Wizard Interview-transfer-Wizard
Compliance-Wizard Risk-Assessment-Wizard Security-Level-Wizard
Measure-Evaluation-Wizard Usability Task-Manager
Administration Technology