What is Risk Management?

“Risk management is the process of identifying, assessing, and controlling risk. It means taking into consideration the probability of an event occurring along with its associated impact if it does.” – ISO 31000:2009

The process starts with a basic risk assessment, followed by the formulation of policy and procedures, and then by monitoring their implementation.

A thorough understanding of this process and how it is applied within an organization will help managers put their information security function on a surer footing.

To that end, Information Security Magazine has distilled this process into a series of articles that trace its evolution from the early days, when we had to make do with whatever policy and procedures we could cobble together, to refining them over time as our understanding of risk improves. In particular, the series focuses on how an ISO 31000-compliant information security function can be integrated into a modern organization.

What Should be Included in a Risk Assessment?

ISO 31000:2009 calls such an initial risk assessment a “concise description of the risks to be managed” and says that it should include the following elements:

  • the context in which the organization operates;
  • the assets within the scope of this risk management process that need protection from harm;
  • threats and opportunities (also known as hazards) against which those assets might become vulnerable;
  • consequences should any of these threats materialize;
  • the likelihood of the threat occurring;
  • an indication of priority.

ISO 31000 Processes

How best to conduct such a risk assessment is covered in ISO 31000:2009, which states that “The process for undertaking a risk assessment could range from an informal discussion to the use of a structured estimating technique or mathematical modelling.”

An informal discussion will certainly be adequate for low-risk organisations, but there are a number of structured estimating techniques that can help the information security function provide management with an accurate assessment of risk.

ISO 31000:2009 is very clear that, once the risk has been identified and assessed, it must be prioritised. The standard sets out a number of ways this can be done, but its simplest recommendation is to “Choose the risk with the most serious potential consequences.” This makes sense, because these are the risks most likely to require action to prevent them from materialising.

Get Your Certification Journey Started Today

Support your organization with a globally recognised certification from Sustainable Certification. Find out more today at co@sustainablecertification.com.au.

The Process

We review your existing management systems in relation to the requirements of the relevant standards for certification.

Stage 1 Audit

A review of your management system(s) documentation is undertaken as the first step in the certification process.

Certification Audit

The Certification Audit is conducted on site to verify that you have implemented the management system across your organisation.

Years 2 & 3: Certification Maintenance

We will conduct an annual Surveillance Audit to check the ongoing implementation of management systems across your organisation.

Benefits of a risk management certification

With the ISO 31000 standard, you can:

  • standardise the risk assessment methodology of your organisation throughout its business operations;
  • develop a consistent approach to risk management for all stakeholders;
  • identify risk assessment and treatment options more easily;
  • reduce the level of errors through improved accuracy of risk data by applying the nominated principles.