Information Security Risk Management (ISRM) Assessment

The Information Security Risk Management (ISRM) Assessment

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information and IT resources.  In accordance with the Information Security of University Technology Resources policy, all units and departments are required to complete an annual information security risk assessment (ISRM) to evaluate the effectiveness of their IT security controls within their environments. 

Just like last year, we also have templates available to help you with the endpoint and server inventory questions:

How do I access this year's assessment?

The ISRM Assessment has been moved into the same OneTrust tool that the IT Compliance team uses for conducting vendor risk assessments (see Vendor Review FAQ).  While available for completion, you may access ISRM 20YY in OneTrust through the Self Service Portal by selecting the tile labeled "ISRM 20YY".

Navigating the Risk Assessment in OneTrust

Initiating an Information Security Risk Assessment is now really easy!  Just follow the steps below.

1. Visit the UVA OneTrust Self Service portal

2. Type in your UVA email address and click “Next” to login through Netbadge


3. Click "Launch" on ISRM 20YY.


4. Navigating the ISRM

When you launch the Assessment, the Assessment Name should reflect the group you represent (i.e., Classrooms, Desktop Support, Physics, etc.). If you do not anticipate being the only person to work on the Assessment, be sure to add additional respondents at this time.

Attachments can be added to every question by using the paperclip icon located below each question.


Comments can be added to every question by using the “speech cloud” icon located below each question. Use this to ask us about a specific question or to provide feedback.

NOTE: When completing some fields, you may need to click "Add Option" beneath the text field after you finish typing.

Adding Additional Respondents to the ISRM

Please contact [email protected].

NOTE: OneTrust does not immediately populate user information throughout the system.  This means that OneTrust may throw error text when you go to edit respondents indicating that you are not a valid user.  To fix this, type in your email over the respondent field where your name is located before clicking the Save button.  If you run into any issues, reach out to [email protected] and we can fix it.

Source URL: