WHAT DOES AN INFORMATION SECURITY RISK ANALYST DO?

Published: Sep 10, 2025 - The Information Security Risk Analyst coordinates and executes technical security assessments, identifying risks, evaluating controls, and documenting findings to support compliance and governance requirements. This role involves conducting risk assessments, managing certificate and cryptographic key services, and advising business and technology leaders on security risks and appropriate treatment options. The analyst also contributes to the maturity of the Information Security Program by monitoring metrics, validating remediation actions, and providing input to security policies and procedures.

A Review of Professional Skills and Functions for the Information Security Risk Analyst

1. Information Security Risk Analyst Tasks

  • Automation: Implement automation to improve service delivery.
  • Dashboard Management: Develop and manage dashboards that deliver practical metrics.
  • ISO Program: Improve the ISO 27001:2013 program, deliverables, and operationalization efforts.
  • Risk Assessment: Perform qualitative internal risk assessments and manage risk treatment plans and reporting.
  • Process Documentation: Assist the Information Security team with documenting security procedures and other business processes in process-mapping notation.
  • Security Guidance: Provide guidance and outreach to help teams improve their security posture.
  • Risk Registry: Maintain the cyber risk registry and report on continual improvement efforts.
  • Audit Support: Support internal and external audits and regulatory requirement efforts.
  • Audit Response: Assist in responding to internal and external audits, including third-party security assessments.
  • Gap Analysis: Perform gap analyses against regulatory expectations and industry standards.

2. Information Security Risk Analyst Roles

  • Risk Framework: Implement the Information Security risk framework and ensure timely assessment and treatment of security risks.
  • Risk Appetite: Ensure Information Security risks are either treated or accepted in accordance with the risk appetite.
  • Risk Identification: Work with the IT teams to identify and assess Information Security risks, including Cyber risks.
  • Risk Assessment: Ensure periodic Information Security risk assessments of key services, third parties, and regulatory commitments are performed, and monitor remediation plans.
  • Service Classification: Ensure services are assessed and classified based on their Confidentiality, Integrity, and Availability.
  • Control Gaps: Use the output of Information Security risk assessments to identify control gaps and weaknesses and provide direction to strategy and change programs to improve control efficacy.
  • Business Collaboration: Work with the business units to understand their key Information Security risks and agree on actions to mitigate or monitor and improve their controls.
  • Risk Reporting: Produce the quarterly IT Risk submission to the business units and work with Group-level risk functions on Information Security risk.
  • Leadership Communication: Inform senior leadership of risks and recommendations in non-technical terms, considering cost/benefit, to ensure the security of Information Systems.
  • Compliance Support: Support Legal and Compliance teams, such as Data Protection and Privacy, concerning Information Security risks.
  • Trend Monitoring: Understand the external security environment and emerging trends to support Information Security risk management.

3. Information Security Risk Analyst Overview

  • Security Awareness: Assist in facilitating and promoting activities to create information security awareness within the organization.
  • Policy Documentation: Document security policies and procedures created by the Technology Committee and Firm Management.
  • Policy Review: Participate in the review process of security policies and procedures created by the Technology Committee and Firm Management as required by ISO 27001 certification.
  • Internal Auditing: Serve as an internal auditor for security issues in accordance with the ISO 27001 framework.
  • Vendor Assessment: Perform vendor information security risk assessments in accordance with the Firm’s standard operating procedures.
  • Client Audits: Participate in Information Security audits received from the Firm’s clients or prospective clients.
  • System Review: Review systems-related security plans throughout the organization’s network, acting as a liaison to the IT Department.
  • Compliance Monitoring: Monitor compliance with information security policies and procedures, referring problems to the appropriate department manager.
  • Access Control: Monitor the internal control systems to ensure that appropriate access levels are maintained.
  • DR/BC Planning: Participate in keeping DR/BC plans updated to reflect technology and business changes.
  • Certification Audits: Participate in internal and external ISO 27001 certification audits.

4. Senior Information Security Risk Analyst Functions

  • Risk Identification: Lead the identification, analysis, and monitoring of information security and business continuity risks.
  • Risk Assessment: Perform risk assessments of corporate operating plan initiatives and maintain risk registers.
  • Risk Management: Manage enterprise-level information security and business continuity risks.
  • Risk Monitoring: Develop key risk indicators and continuously monitor identified risks.
  • IT Alignment: Work with IT to ensure alignment with information security risk management functions, including risk tolerance management.
  • Regulatory Compliance: Partner with Corporate Compliance and Legal to identify applicable laws and regulations and document security and compliance requirements.
  • Annual Assessment: Create and lead the process of the annual enterprise information security risk assessment required by regulations.
  • Risk Analysis: Determine current risk levels through risk likelihood and impact analysis, and make risk treatment recommendations.
  • Risk Software Expertise: Serve as the subject matter expert on the Integrated Risk Management software solution.
  • System Configuration: Set up system users, configure risk assessment and risk reporting workflows, create system reports, and provide technical assistance to system users.

5. Information Security Risk Analyst Accountabilities

  • Project Execution: Execute assigned tasks aligned to projects across all functions of the Security GRC team.
  • Risk Lifecycle: Participate in the end-to-end enterprise security risk management lifecycle.
  • Policy Development: Develop and implement effective and reasonable policies, standards, and controls aligned to enterprise risk tolerance.
  • Control Documentation: Write control narratives and gather and document evidence of control compliance.
  • Risk Assessment: Be accountable for delivering high-quality, accurate, complete, and timely risk and control assessments.
  • Threat Awareness: Stay informed of internal and external security risks and threats, and communicate them appropriately.
  • Relationship Management: Manage internal and external relationships effectively.
  • Program Improvement: Advocate for and contribute to efforts that enhance the program, improving both operational efficiency and the organization’s risk posture.
  • Security Advocacy: Be a champion for security and model behaviors consistent with cybersecurity best practices.
  • Organizational Representation: Represent the best interests of the organization.

6. Information Security Risk Analyst Job Summary

  • Risk Assessment: Perform risk assessments and assist in providing a strategy to mitigate identified risks.
  • Risk Reporting: Develop, produce, and maintain ITRM reports and presentations, including dashboards and data visualizations to highlight key risk metrics and other changes in the underlying risk.
  • Department Liaison: Serve as a liaison between the Information Security Office and various departments.
  • Control Testing: Identify and test IT controls and understand where controls need to sit within processes.
  • Controls Catalog: Maintain the IT Controls Catalog and IT asset inventory.
  • Third-Party Risk: Assist in third-party risk management activities related to information security.
  • Audit Preparation: Assist in preparing material and resources for regulatory examinations and audits.
  • Incident Management: Focus on significant incidents, support root cause analysis and remedial actions, and ensure incidents are documented and resolved promptly.
  • Control Monitoring: Contribute to the ongoing development of risk oversight and control monitoring activities and the incident management process for information security incidents.
  • Ad Hoc Reviews: Perform control testing and ad hoc risk reviews, reporting results and recommendations to internal groups and committees.
  • ITRM Duties: Perform other ITRM-related duties as assigned by the Information Security Officer.

7. Information Security Risk Analyst Responsibilities

  • Risk Framework: Oversee and deliver the information system risk and control framework, including leading regular risk and control assessments.
  • Incident Management: Oversee and deliver the incident management process for Information Systems.
  • Security Assessment: Conduct security assessments through risk analysis and audits.
  • Risk Modeling: Create risk models dependent on departments and risk appetite.
  • Risk Mitigation: Analyze risks to create risk mitigation or resolution plans.
  • Remediation Testing: Drive remediation activities and control effectiveness testing.
  • Risk Reporting: Create and maintain risk reporting through the Atlassian suite of tools.
  • Dashboard Management: Create and manage dashboards through the Atlassian suite of tools.
  • Security Research: Research security enhancements and make recommendations to management.
  • Security Support: Support the Information Security Manager in delivering wider security objectives.

8. Senior Information Security Risk Analyst Details

  • Risk Analysis: Perform risk analysis to identify IT security risks and remediation plans.
  • Policy Alignment: Ensure alignment of security policies and standards with IT infrastructure frameworks (e.g., ISO 2700x, NIST, ITIL).
  • Compliance Monitoring: Monitor compliance with risk mitigation and remediation plans, and address non-compliance issues appropriately.
  • Security Controls: Establish appropriate security controls based on defined data classifications to align with applicable laws, regulations, and standards.
  • Requirement Analysis: Analyze business requirements and ensure that solutions meet established security policies and controls.
  • Metrics Reporting: Maintain metrics and report them.
  • Work Prioritization: Prioritize and organize own work to meet deadlines.
  • Standards Knowledge: Understand applicable IT industry security standards (e.g., PCI-DSS, SSAE16, ISO 27001:2013).
  • Knowledge Maintenance: Maintain current knowledge on information security topics and their applicability to program requirements.
  • Policy Compliance: Comply with the terms and conditions of the employment contract, company policies and procedures, and any directives such as transfer or re-assignment to different work locations, changes in teams or work shifts, etc.

9. Information Security Risk Analyst Job Description

  • Risk Analysis: Responsible for conducting risk analyses and security evaluations of systems and processes.
  • Risk Mitigation: Provide expertise for the resolution and risk mitigation of identified risks.
  • Risk Integration: Integrate risk assessment processes and outputs into the Security Exception program.
  • Risk Processing: Support the intake, triage, and processing of reported risks and identified gaps.
  • KRI Reporting: Develop, track, and report on Key Risk Indicators (KRIs) for information security risks.
  • Risk Tracking: Monitor, track, and report on mitigation and resolution of information security risks.
  • Risk Communication: Effectively communicate key risks, findings, and recommendations for improvement with stakeholders.
  • Compliance Support: Provide support for security-related FFIEC and SOC 2 compliance controls and audit systems, services, and processes to verify adherence to security policies and procedures.
  • Security Posture: Assist with maintaining and reporting on the organization’s security posture in alignment with industry frameworks (e.g., NIST, CIS CSC, etc.).
  • Program Analysis: Regularly analyze program and project status, risk management reports, and results from risk assessments and control testing.

10. Information Security Risk Analyst Duties

  • Risk Assessment: Contribute to and lead security risk assessments across security domains, projects, operational requirements, and technical change initiatives.
  • Risk Alignment: Pragmatically assess risks and ensure alignment with information security policies and risk management methodologies within the Information Security Management System (ISMS).
  • Risk Metrics: Develop and expand metrics and KPI/KRIs to support risk management functions.
  • Risk Communication: Communicate the security impact of technical decisions, approaches to risk mitigation, and alignment to risk tolerance with stakeholders at all levels of the business.
  • Supply Chain Risk: Participate in due diligence and ongoing risk management of supply chain activities.
  • Threat Intelligence: Review and interpret threat intelligence and provide risk advisory and tutorial services to wider teams.
  • Stakeholder Collaboration: Collaborate with both technical and non-technical stakeholders to enable a pragmatic application of security best practices.
  • Framework Knowledge: Demonstrate knowledge of industry frameworks and security principles aligned with NCSC standards.
  • Security Standards: Support the creation and maintenance of new security standards and procedures to strengthen organizational security culture.
  • Personnel Security: Assist with personnel and physical security processes associated with HMG handling requirements.

11. Information Security Risk Analyst Details and Accountabilities

  • Risk Standards: Ensure risk assessments meet or exceed standards set by Enterprise Risk Management.
  • Risk Identification: Develop processes for interviewing business units to properly identify risks associated with assets or processes.
  • Risk Consistency: Ensure consistency in applying inherent likelihood, inherent impact, and control effectiveness to risks across multiple asset categories or similar processes across different business units.
  • Control Effectiveness: Apply industry-standard recommendations for control effectiveness appropriate to the size and complexity of the organization.
  • Control Library: Collaborate with Information Security Analysts to build and maintain a control library.
  • Assessment Leadership: Lead risk assessments and ensure timely completion in accordance with the schedule set by the Information Security Officer.
  • Policy Compliance: Ensure proper policies, procedures, risk mitigation activities, and operating controls are followed, and report gaps in policies and procedures.
  • Issue Management: Ensure risks exceeding enterprise risk appetite are entered into the Issue Management system with proper documentation for corrective actions.
  • Mitigation Review: Review completed mitigations with Information Security Analysts and ensure updates are appropriately recorded in the Issue Management system.
  • Risk Metrics: Develop metrics on risk mitigation activities and accepted risks to inform senior leadership of current observed risk levels.
  • Training Recommendations: Provide recommendations to the ISO and the Director of Enterprise Risk Management to ensure training appropriate to the size and complexity of the organization is available for business unit leaders.

12. Information Security Risk Analyst Additional Details

  • Supplier Evaluation: Evaluate suppliers' security controls and determine their effectiveness in protecting organizational assets.
  • Supplier Reviews: Contribute to supplier security risk reviews, including Software as a Service (SaaS) and Cloud suppliers.
  • Supplier Assessments: Participate in the planning and execution of supplier security risk assessments.
  • Control Verification: Examine and verify security capabilities, behaviors, and controls for authentication, authorization, integrity, availability, assurance, audit, and disposal of information assets to determine exposure and compliance levels.
  • Stakeholder Communication: Provide proactive and professional communications to business partners, management, and suppliers.
  • Control Implementation: Recommend and drive the implementation of additional security controls to meet current and future needs.
  • Risk Assessment: Perform risk assessments and policy exceptions for enterprise solutions.
  • Policy Exceptions: Review policy exceptions and help identify mitigation plans to enable business partners.
  • Capability Development: Contribute to the development of security capabilities within the organization and across the security industry.
  • Risk Projects: Engage in other information security projects requiring risk management expertise in direct support of business units.

13. Information Security Risk Analyst Essential Functions

  • Security Assessments: Perform daily efforts to coordinate and complete technical information security assessments, including identifying, compiling, and analyzing assessment inputs, as well as executing and documenting risk or control assessments in accordance with defined approaches.
  • Key Management: Assist in the development and management of Certificate and Cryptographic Key services.
  • Risk Evaluation: Conduct security risk assessments, evaluating inherent risk, severity indicators such as CVSS, business impact, compensating controls, control effectiveness, and residual risk.
  • Team Collaboration: Collaborate across teams and diverse functions to drive initiatives forward.
  • Best Practices: Maintain a broad understanding of information security best practices and their practical applications.
  • Risk Advisory: Enable risk-aware decision-making by advising business units and technology leaders on information security risks of initiatives and proposing acceptable risk treatment options.
  • Program Support: Support the Information Security Program by collecting and assessing performance indicators, metrics, and other evidence.
  • Governance Documentation: Assist in documenting and assessing IT governance, risk management, and compliance programs.
  • Gap Remediation: Validate gaps discovered through security risk and control assessments, identify remediation actions, and monitor them.
  • Program Maturity: Contribute to the continuous maturity and evolution of the Information Security and Privacy Program by challenging current practices and identifying opportunities for improvement in assessment, monitoring, and response.
  • Policy Review: Provide input to the annual review of information security policies and procedures.

14. Senior Information Security Risk Analyst General Responsibilities

  • Risk Assessments: Lead information security risk assessments utilizing the organization’s risk scoring methodology.
  • Executive Reporting: Create periodic executive management reports to depict the current information security risk landscape.
  • GRC Enhancement: Enhance the Governance, Risk, and Compliance (GRC) platform to align the system with operational risk management tasks.
  • Dashboard Development: Develop information security risk management dashboards with consumable metrics.
  • GRC Management: Leverage the GRC platform to manage both ongoing and one-time risk assessments.
  • Vendor Review: Lead the information security review of potential vendors to identify control weaknesses that could pose risks to the organization and its members.
  • Vendor Assessment: Conduct and document annual vendor information security risk assessments for approved vendors, and record observations in alignment with policies and practices.
  • Remediation Collaboration: Collaborate with IT and business partners to recommend appropriate defenses, countermeasures, remediation, and policy or process improvements to strengthen security and risk posture.
  • Consultative Support: Provide consultative support as a security subject matter expert on organizational projects and initiatives.
  • Security Requirements: Define and evaluate functional requirements and specifications of security systems for both internal and external environments.
  • Control Monitoring: Monitor, measure, test, and report on the effectiveness and efficiency of information security controls as well as compliance with policies and procedures.
  • Issue Escalation: Keep management informed of outstanding issues that are not resolved on time, following established escalation procedures.
  • Audit Support: Act as the primary point of contact for internal and external auditors during examinations, providing support and assistance in addressing audit recommendations.
  • Regulatory Knowledge: Maintain a thorough understanding of applicable state and federal laws and regulations related to compliance, including bank secrecy and anti-money laundering laws relevant to the role.

15. Information Security Risk Analyst Key Accountabilities

  • Incident Reporting: Report information security incidents externally.
  • Risk Training: Provide training to other structural units on operational risk management.
  • Risk Indicators: Report key risk and control indicators of the department or business unit.
  • Incident Follow-Up: Follow up on significant operational risk incidents related to information security.
  • Risk Evaluation: Participate in risk assessment sessions and evaluate operational risks associated with significant changes.
  • Risk Challenge: Review and challenge operational risk identification, assessment, and treatment, proposing mitigation actions.
  • Risk Oversight: Independently oversee, assess, and report on operational risk, with a focus on information security risk, across the organization.
  • Risk Assessment: Initiate information risk assessments on IT applications and cloud services, managing the workflow from initiation to finalization and sign-off.
  • Risk Monitoring: Monitor the information risk management cycle to ensure mitigation plans are followed up on and re-assessments are initiated.
  • Compliance Monitoring: Implement and monitor compliance with relevant group, local, and regulatory guidelines regarding information risk.
  • Governance Tooling: Ensure approval and documentation of results in the Enterprise Governance Risk and Control tool used for information risk management (e.g., RSA Archer).