ISO 31000 is a generic risk management framework applicable to various contexts. It defines risk as “the effect of uncertainty on objectives.” ISO 27005 is based on ISO 31000 and applies it to managing information security risk. The NIST Generic Risk Model (NIST SP 800-30 R1) aligns with this concept and elaborates risk in terms of threat source, threat event, vulnerability, and adverse impact; these factors spell out the “uncertainty” and the “effect” in the ISO 31000 definition.
Risk Assessment vs Risk Analysis
In ISO 31000, risk assessment comprises three tasks: risk identification, risk analysis, and risk evaluation, while some risk management frameworks may treat “risk assessment” and “risk analysis” as synonyms. This question follows ISO 31000.
Risk Identification
Identified risks shall be associated with the goals or objectives in question and are usually recorded in the risk register.
Risk Analysis in ISO 31000
Risk analysis means breaking down a risk to gain insight into its uncertainty and its effect. The analysis can be qualitative or quantitative. The term likelihood implies that risk analysis employs a qualitative approach, while probability is used in quantitative analysis. The effect of a risk can be positive (opportunity) or negative (threat), and it can likewise be expressed qualitatively or quantitatively.
Risk Evaluation
Risk Treatment and Risk Response
Risk treatment options mentioned in ISO 31000 are commonly known as risk response strategies. In the context of information security, security controls mitigate risks or threats; they address the uncertainty (likelihood), the effect (impact), or both. For example, an IPS may lower both the likelihood of an attack and its adverse impact.
Residual Risk
Residual risk is the risk that remains after treatment. Risk treatment is an iterative process: after treatment, the inherent risk becomes the residual risk, and if that residual risk is not acceptable, it goes through another round of risk assessment and treatment.
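To make the risk analysis, treatment and residual risk steps above concrete, here is a small qualitative risk register as an added example (not code from ISO 31000, NIST SP 800-30 or the original post). The three-point scales, the control catalogue, the acceptance threshold and the sample risk are all assumptions.

```python
"""Added example: qualitative risk analysis, iterative treatment, residual risk.
Scales, controls, the acceptance threshold and the sample risk are assumed."""
from dataclasses import dataclass, field

ORDER = ["low", "medium", "high"]                  # assumed 3-point scale
LEVELS = {name: i + 1 for i, name in enumerate(ORDER)}
ACCEPTABLE_RISK = 2                                # assumed risk appetite: score <= 2

# A control may lower likelihood (uncertainty), impact (effect) or both;
# the IPS entry mirrors the page's example of lowering both. Values are assumed.
CONTROLS = {
    "IPS": {"likelihood": -1, "impact": -1},
    "backups": {"likelihood": 0, "impact": -1},
}


@dataclass
class Risk:
    objective: str            # risk identification ties the risk to an objective
    threat_event: str
    likelihood: str           # qualitative: low / medium / high
    impact: str               # qualitative: low / medium / high
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Qualitative risk analysis: likelihood level x impact level."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def shift(level: str, delta: int) -> str:
    """Move a qualitative level up or down the scale, clamped to its ends."""
    return ORDER[max(0, min(len(ORDER) - 1, ORDER.index(level) + delta))]


def treat(risk: Risk, control: str) -> Risk:
    """Risk treatment: apply one control and return the residual risk."""
    effect = CONTROLS[control]
    return Risk(risk.objective, risk.threat_event,
                shift(risk.likelihood, effect["likelihood"]),
                shift(risk.impact, effect["impact"]),
                risk.controls + [control])


def treat_until_acceptable(risk: Risk, plan: list) -> Risk:
    """Risk evaluation and treatment rounds until the residual risk is acceptable."""
    for control in plan:
        if risk.score() <= ACCEPTABLE_RISK:
            break                                  # residual risk accepted
        risk = treat(risk, control)                # re-assess in the next round
    return risk


# Constructed sample risk: inherent score 3 x 3 = 9, treated with IPS then backups.
INHERENT = Risk("keep the web shop available", "service exploited", "high", "high")
RESIDUAL = treat_until_acceptable(INHERENT, ["IPS", "backups"])
```

Running the block yields a residual risk of medium likelihood and low impact (score 2) after both controls; a risk whose inherent score is already within the threshold is returned untreated.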
Reference
- ISO 31000
- NIST SP 800-30 R1