LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the risk management process in information security?

Risk management follows a systematic process: identify assets, identify threats and vulnerabilities, assess likelihood and impact, then treat risks.

Risk-management cycle: context, identify, analyse, evaluate, treat, looping back.

* The risk-management process as a cycle — Context → Identify → Analyse → Evaluate → Treat, feeding back. *

The risk management process:

  1. Context establishment — Define scope, risk criteria, and risk appetite
  2. Risk identification — What assets do you have? What threats and vulnerabilities affect them?
  3. Risk analysis — Assess the likelihood and impact of each risk
  4. Risk evaluation — Compare against risk criteria to prioritize
  5. Risk treatment — Choose how to handle each risk

Risk treatment options (the four T's):

Option Meaning Example
Treat/Mitigate Reduce risk with controls Install a firewall, encrypt data
Transfer Shift risk to a third party Buy cyber insurance, outsource to a provider
Tolerate/Accept Consciously accept the residual risk Risk is low enough to live with
Terminate/Avoid Eliminate the risk entirely Stop the risky activity, decommission a system

Standards: Risk management in InfoSec is governed by ISO 27005 and ISO 31000. BSI 200-3 provides a detailed risk analysis methodology. The combined approach uses BSI Grundschutz for standard risks and detailed risk analysis for high-value assets.

Go deeper:

From Quiz: ISM / ISM Intro & Repetition | Updated: Jul 14, 2026