Quiz Entry - updated: 2026.05.31
What are the main phases of the risk-management process as standardised by ISO 31000 / ISO 27005?
Establish context → Risk assessment (Identify → Analyse → Evaluate) → Risk treatment → Acceptance → Monitor. Communication and review run alongside the whole loop.
The cycle, with German labels in parentheses:
- Context establishment (Zusammenhang herstellen) — Scope, criteria, who owns risk.
- Risk assessment (Risiken beurteilen) — has three sub-steps:
- Identify (Risiken identifizieren) — find the assets and threats.
- Analyse (Risiken analysieren) — estimate likelihood × impact (quantitatively or qualitatively).
- Evaluate (Risiken bewerten) — compare against the acceptance line.
- Risk treatment (Risiken behandeln) — pick a strategy (avoid, reduce, transfer, accept).
- Risk acceptance — formally sign off the residual risk.
- Communication & Consultation + Monitoring & Review — bracketing every other step, run continuously.
Two standards to know:
- ISO 31000/31010 — the generic enterprise risk-management standard.
- ISO/IEC 27005:2022 — "Information security, cybersecurity and privacy protection — Guidance on managing information security risks". This is the cyber-specific version.
Why it loops: New threats emerge, business changes, and treatments themselves alter the risk picture — so the whole cycle restarts at least annually.