Quiz Entry - updated: 2026.07.14
What is the risk management process in information security?
Risk management follows a systematic process: identify assets, identify threats and vulnerabilities, assess likelihood and impact, then treat risks.
* The risk-management process as a cycle — Context → Identify → Analyse → Evaluate → Treat, feeding back. *
The risk management process:
- Context establishment — Define scope, risk criteria, and risk appetite
- Risk identification — What assets do you have? What threats and vulnerabilities affect them?
- Risk analysis — Assess the likelihood and impact of each risk
- Risk evaluation — Compare against risk criteria to prioritize
- Risk treatment — Choose how to handle each risk
Risk treatment options (the four T's):
| Option | Meaning | Example |
|---|---|---|
| Treat/Mitigate | Reduce risk with controls | Install a firewall, encrypt data |
| Transfer | Shift risk to a third party | Buy cyber insurance, outsource to a provider |
| Tolerate/Accept | Consciously accept the residual risk | Risk is low enough to live with |
| Terminate/Avoid | Eliminate the risk entirely | Stop the risky activity, decommission a system |
Standards: Risk management in InfoSec is governed by ISO 27005 and ISO 31000. BSI 200-3 provides a detailed risk analysis methodology. The combined approach uses BSI Grundschutz for standard risks and detailed risk analysis for high-value assets.
Go deeper:
ISO/IEC 27001 (Wikipedia DE) — Risikomanagement als Kernanforderung des ISMS (Risikobewertung und -behandlung).
Risk management (Wikipedia EN) — the treat / transfer / tolerate / terminate options and the wider process.
ISO 31000 (Wikipedia EN) — the generic risk-management framework that ISO 27005 aligns with.