The information risk assessment is a systematic evaluation process designed to identify, analyze and manage potential risks associated with projects and vendors (applications, hardware, service providers or any other vendors where data collection, storage or transfer may be involved). Regular risk assessments allow organizations to stay ahead of potential vulnerabilities, ensuring that the mitigation, avoidance, acceptance or transfer of identified risks remains effective over time.

This assessment is a proactive measure to enhance information security practices and maintain a resilient and secure environment at U of T. It is a valuable tool for those involved in projects and vendor relationships, such as project teams, departments and vendors engaged with the University, and it promotes a culture of risk-aware decision-making and continuous improvement.

Project owners, managers and stakeholders involved in initiatives that collect or use information should prioritize this assessment. Vendors providing services to the University, especially those handling sensitive data, benefit from this evaluation to align their practices with U of T’s standards.

Assessments usually follow established global standards like ISO27005 and NIST SP 800-39, which are further modified to fit U of T requirements.