Introduction to information security risk management
2013-2014 - IMT1132 - 10 ECTS

Expected learning outcomes

  • The candidate can apply risk assessment methodologies suitable for the complexity and documentation accuracy of an information system
  • The candidate can carry out a risk assessment (based on a given standard, e.g. ISO 27001 and ISO 27002) on a given information system
  • The candidate can collaborate with system owners and supervisors and can adjust his or her practice based on their feedback
  • The candidate can find, assess and refer to information and material necessary to carry out a risk assessment
  • The candidate can use the ISO 2700x series to structure the implementation of information security in an organisation

General Competence

  • The candidate can carry out relatively complex projects in larger groups and accepts the necessity of tools and methods to carry out such tasks
  • The candidate is aware of the importance of mastering both oral and written communication depending on the target group (decision makers, colleagues and general public)
  • The candidate has gained ownership in a reference project where experience and view-points have been exchanged with collaborative partners and colleagues


  • Project work
  • Information security and risk
  • Risk evaluation, analysis and assessment
  • Standards (ISO 17799:2005 (ISO 27002), ISO 27001 and BS 7799-3:2006)
  • Information Security Management System

Teaching Methods

Project work

Teaching Methods (additional text)

The students are assigned to groups of 6 - 10 persons. Each group gets a task assigned by an external system owner. The projects are formulated such that the students have to carry out a risk assessment as part of the project work. All projects report to a coordination team. The students get feedback on the group processes and their deliverables (project plan, status reports, meeting agendas and minutes). Lectures and group assignments are run in parallel.

Form(s) of Assessment

Evaluation of Project(s)

Form(s) of Assessment (additional text)

One large project. The student groups keep the work going until the quality of the report is satisfactory; the final deadline is the third week of June.

Grading Scale


External/internal examiner

Evaluated by internal examiner. External examiner is used periodically (every four years, next time in 2015/2016).

Re-sit examination

The project must be improved until its quality satisfies the "Pass" criteria.

Additional information

The students must have registered for the course by January 15th. The project work starts in the second week of teaching, and active participation in the group assignment is required from all students. The groups formulate their own group contract, which regulates participation. This contract must be signed by all group members and approved by the course responsible. If the contract is violated by a group member, the group nominates the candidate for exclusion. The course responsible takes the final decision on exclusion. If a candidate is excluded there are two possible outcomes: (i) the candidate fails the course or (ii) the candidate carries out an individual project. The course responsible makes this decision based on the available information on the reason for the nomination, documented by written statements from both parties (group and candidate).