The standardized Threat Risk Assessments (TRA) process will identify areas of risk, assess those risks, and identify activities to reduce risks to an acceptable level. The output of this process will help identify appropriate controls for reducing / managing risk.

The enterprise risk assessment and enterprise risk management processes comprise the heart of the information security framework. These are the processes that establish the rules and guidelines of the security policy while transforming the objectives of an information security framework into specific plans for the implementation of key controls and mechanisms that minimize threats and vulnerabilities.