Introduction to Information Security Risk Management
Study plans 2016-2017 - IMT1132 - 10 ECTS

Expected learning outcomes


  • The candidate can select an appropriate risk assessment methodology suitable for the complexity and documentation accuracy of an information system


  • The candidate can carry out a risk assessment on a given information system based on given guidelines or standards
  • The candidate can collaborate with system owners and supervisors and can adjust his or her practice based on their feedback
  • The candidate can find, assess and refer to information and material necessary to carry out a risk assessment
  • The candidate can use guidelines and standards to structure the implementation of information security in an organisation

General Competence

  • The candidate can carry out relatively complex projects in larger groups and accepts the necessity of tools and methods to carry out such tasks
  • The candidate is aware of the importance of mastering both oral and written communication depending on the target group (decision makers, colleagues and general public)
  • The candidate has gained ownership in a reference project where experience and view-points have been exchanged with collaborative partners and colleagues


  • Project work
  • Information security and risk
  • Risk evaluation, analysis and assessment
  • Standards and guidelines
  • Information security management systems

Teaching Methods

Project work

Teaching Methods (additional text)

The students are assigned to groups of 6-10 persons. Each group is assigned a task by an external system owner. The projects are formulated such that the students have to carry out a risk assessment as part of the project work. All projects report to a coordination team. The students get feedback on the group processes and their deliverables (project plan, status reports, meeting agendas and minutes). Lectures and group assignments run in parallel.

Form(s) of Assessment

Evaluation of Project(s)

Form(s) of Assessment (additional text)

One large project. The student groups keep the work going until the quality of the report is satisfactory; the final deadline is the 3rd week of June.

Grading Scale


External/internal examiner

Evaluated by internal examiner. External examiner is used periodically (every four years, next time in 2015/2016).

Re-sit examination

The project must be improved until the quality satisfies the "Pass" criteria.

Teaching Materials

Core reading:

  • ISO/IEC 27001
  • ISO/IEC 27002
  • Nasjonal sikkerhetsmyndighet: Veiledning i risiko og sårbarhetsanalyse (2005)
  • Datatilsynet: Risikovurdering av informasjonssystem (2009)

Additional reading:

  • T. Aven, W. Røed and H.S. Wienche: Risikoanalyse; prinsipper og metoder, med anvendelser, Universitetsforlaget (2008)
  • H. Westhagen, O. Faafeng, K.G. Hoff, T. Kjeldsen and E. Røine: Prosjektarbeid; utviklings- og endringskompetanse, Gyldendal akademisk (2008)
  • T. Aven: Risikostyring; grunnleggende prinsipper og ideer, Universitetsforlaget (2007)

Additional information

The students must have registered for the course by January 15th. The project work starts in the second week of teaching, and active participation in the group assignment is required from all students. The groups formulate their own group contract, which regulates participation. This contract must be signed by all group members and approved by the course responsible. If a group member violates the contract, the group nominates the candidate for exclusion. The course responsible takes the final decision on exclusion. If a candidate is excluded, there are two possible outcomes: (i) the candidate fails the course or (ii) the candidate carries out an individual project. The course responsible makes this decision based on the available information on the reason for the nomination, documented by written statements from both parties (group and candidate).