Managing risk
Risk is a broad area and in the context of risk management, risk relates to threats, vulnerabilities and assets.

For an organization to manage risk, risks first need to be identified. Once identified, a risk can be analyzed and treated.
Larger organizations manage risk by identifying as many risks as possible at the same time, while small and medium sized businesses usually start with the first risk identified.
Risk analysis is the analysis of threats, vulnerabilities and assets. Threat modeling is part of threat analysis.
From risk analysis, risk is evaluated by looking at the likelihood and impact of the risk. Likelihood is the probability that a threat exploits a vulnerability, and impact is the possible asset value loss. The evaluation is quantitative when loss is measured in currency and qualitative when importance is evaluated.
Once inherent risk is evaluated, it is treated and residual risk remains. The table below gives a high-level overview.
Evaluation | Treatment | How |
---|---|---|
Risk exceeds a threshold | Avoid | Stop using a specific technology or behavior |
Likelihood or impact can be reduced with cost effective measures | Mitigate | Implement controls |
Mitigation is not cost effective | Transfer | Shift risk onto a 3rd party by e.g. insurance or cloud services |
Mitigation and transfer are not cost effective | Accept | Be aware |
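As an added illustration, not part of the original post, the decision rules of the table above worked quantitatively on a constructed risk register: expected yearly loss is likelihood times impact in currency, and the avoid threshold, control costs, control effectiveness and transfer costs are assumed values chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Risk:
    """One entry of a constructed risk register (all values are assumptions)."""
    name: str
    likelihood: float      # yearly probability that the threat exploits the vulnerability
    impact: float          # possible asset value loss in currency
    control_cost: float    # yearly cost of the mitigating controls
    control_effect: float  # fraction of the expected loss the controls remove
    transfer_cost: float   # yearly cost of shifting the loss to a 3rd party (e.g. insurance)

def expected_loss(likelihood: float, impact: float) -> float:
    """Quantitative risk: likelihood times impact, in currency per year."""
    return likelihood * impact

def treat(risk: Risk, avoid_threshold: float) -> tuple[str, float, float]:
    """Apply the evaluation table: returns (treatment, residual loss, yearly cost)."""
    inherent = expected_loss(risk.likelihood, risk.impact)
    # Risk exceeds a threshold -> avoid: stop using the technology or behavior.
    if inherent > avoid_threshold:
        return "avoid", 0.0, 0.0
    # Cost-effective controls -> mitigate: residual risk is what the controls leave.
    reduction = inherent * risk.control_effect
    if risk.control_cost < reduction:
        return "mitigate", inherent - reduction, risk.control_cost
    # Mitigation not cost effective but transfer is -> transfer; the 3rd party carries the loss.
    if risk.transfer_cost < inherent:
        return "transfer", 0.0, risk.transfer_cost
    # Neither is cost effective -> accept and stay aware of the inherent risk.
    return "accept", inherent, 0.0

def treat_register(risks: list[Risk], avoid_threshold: float) -> dict[str, tuple[str, float, float]]:
    """Treat every register entry; the residual risk per entry is what remains to monitor."""
    return {r.name: treat(r, avoid_threshold) for r in risks}

# Constructed register (sample values, not from any real organization).
REGISTER = [
    Risk("legacy VPN appliance out of support", 0.9, 2_000_000, 150_000, 0.5, 400_000),
    Risk("ransomware on file server", 0.2, 500_000, 20_000, 0.8, 60_000),
    Risk("laptop theft", 0.5, 4_000, 5_000, 0.9, 1_500),
    Risk("office printer outage", 0.3, 500, 1_000, 0.5, 400),
]
AVOID_THRESHOLD = 1_000_000  # assumed: an expected yearly loss above this is never acceptable

if __name__ == "__main__":
    for name, (treatment, residual, cost) in treat_register(REGISTER, AVOID_THRESHOLD).items():
        print(f"{name:40} {treatment:9} residual={residual:>10.0f} cost={cost:>8.0f}")
```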
Frameworks for managing risk
The ISO 31000 family is a guideline for managing risk that details a process, principles and a framework. It is a framework that fits all types of industry and is regulation-independent. Many other frameworks, e.g. ISO 14971 for medical devices, address specific industries and align with industry-specific regulations.
Specifically for cyber security, NIST SP 800-37 is a well-known risk framework. Two other notable cyber security specific risk standards are not frameworks but do provide useful guidance:
- ISO 27005 provides guidance on managing information security risks
- NIST 800-30 is a guide for conducting information security risk assessments
NIST CSF
NIST CSF, with cyber security in its name, is specific to the field. It is an outcome-oriented roadmap that does not mandate the how. What does NIST CSF have on the roadmap for risk management?
NIST CSF risk management
The first NIST CSF core function IDENTIFY is about the organization's current cyber security risks. Asset management and risk management are on the roadmap here.
The core function PROTECT is about treating the risk. Based on the results of IDENTIFY, controls are added where needed instead of the one-size-fits-all approach.
As expected for a cyber security framework, NIST CSF clearly has managing risk on the roadmap. But NIST CSF has a broader scope than only managing cyber security risk and the framework does not contain specifics on how to manage risk.
ISO 27001
ISO 27001 is a management system for cyber security and, like NIST CSF, there is no 'how'. What does it say on risk management requirements?
ISO 27001 risk management
ISO 27001 requires 'Actions to address risks and opportunities' in clause 6, which is detailed in:
- 6.1.2 Information security risk assessment
- 6.1.3 Information security risk treatment
Appendix A contains the recommended information security controls and states that the controls shall be used in the context of information security risk treatment (6.1.3) as mentioned above.
Two specific controls on risk management are:
- 5.7 Threat intelligence
- 5.9 Inventory of information and other associated assets
As you may expect from a cyber security management framework, ISO 27001 makes risk management mandatory. Similar to NIST CSF, the standard is broader than only managing cyber security risk. Another similarity is that it does not contain specifics on how to manage risk.
Conclusion
The post below on NIST CSF and ISO 27001 states that the standards have a different purpose, but their goals align and the standards strengthen each other. This is in line with risk management being part of both standards.
Combining ISO 27001 and NIST CSF: How to use ISO 27001 and NIST Cyber Security Framework together (Jacco Meijer, Jun 6, 2025)
How to manage risk
Neither standard mandates how to manage risk. Threat modeling is a way to achieve this: it fits on the NIST CSF roadmap and meets the ISO 27001 requirements. More on that in the post below.
Threat modeling as part of a risk framework: Threat modeling in the context of ISO 27001 and NIST CSF (Jacco Meijer, Jul 18, 2025)