LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What are the main phases of the risk-management process as standardised by ISO 31000 / ISO 27005?

Establish context → Risk assessment (Identify → Analyse → Evaluate) → Risk treatment → Acceptance → Monitor. Communication and review run alongside the whole loop.

The cycle, with German labels in parentheses:

  1. Context establishment (Zusammenhang herstellen) — Scope, criteria, who owns risk.
  2. Risk assessment (Risiken beurteilen) — has three sub-steps:
    • Identify (Risiken identifizieren) — find the assets and threats.
    • Analyse (Risiken analysieren) — estimate likelihood × impact (quantitatively or qualitatively).
    • Evaluate (Risiken bewerten) — compare against the acceptance line.
  3. Risk treatment (Risiken behandeln) — pick a strategy (avoid, reduce, transfer, accept).
  4. Risk acceptance — formally sign off the residual risk.
  5. Communication & Consultation + Monitoring & Review — bracketing every other step, run continuously.

Two standards to know:

  • ISO 31000/31010 — the generic enterprise risk-management standard.
  • ISO/IEC 27005:2022"Information security, cybersecurity and privacy protection — Guidance on managing information security risks". This is the cyber-specific version.

Why it loops: New threats emerge, business changes, and treatments themselves alter the risk picture — so the whole cycle restarts at least annually.

From Quiz: ISF / Risk Management | Updated: May 31, 2026