Search This Site


Main menu

Information Security Risk Management (ISRM) Assessment

The Information Security Risk Management (ISRM) Assessment

The University of Virginia is committed to preventing incidents that may impact the confidentiality, integrity, and availability of information and IT resources.  In accordance with the Information Security of University Technology Resources policy, all units and departments are required to complete an annual information security risk assessment (ISRM) to evaluate the effectiveness of their IT security controls within their environments. 

Just like last year, we also have templates available to help you with the endpoint and server inventory questions:

How do I access this year's assessment?

The ISRM Assessment has been moved into the same OneTrust tool that the IT Compliance team uses for conducting vendor risk assessments (see Vendor Review FAQ).  While available for completion, you may access ISRM 2022 in OneTrust through the Self Service Portal by selecting the tile labeled "ISRM 2022".

Navigating the Risk Assessment in OneTrust

Initiating an Information Security Risk Assessment is now really easy!  Just follow the steps below.

1. Visit the UVA OneTrust Self Service portal

2. Type in your UVA email address and click “Next” to login through Netbadge


3. Click "Launch" on ISRM 2022.

4. Navigating the ISRM

When you launch the Assessment, the Assessment Name should reflect the group you represent (i.e., Classrooms, Desktop Support, Physics, etc.). If you do not anticipate being the only person to work on the Assessment, be sure to add additional respondents at this time.

Attachments can be added to every question by using the paperclip icon located below each question.

Comments can be added to every question by using the “speech cloud” icon located below each question. Use this to ask us about a specific question or to provide feedback.

NOTE: When completing some fields, you may need to click "Add Option" beneath the text field after you finish typing.

Adding Additional Respondents to the ISRM

Please contact

NOTE: OneTrust does not immediately populate user information throughout the system.  This means that OneTrust may throw error text when you go to edit respondents indicating that your are not a valid user.  To fix this, type in your email over the respondent field where your name is located before clicking the Save button.  If you run into any issues, reach out to and we can fix it.

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form