This methodology has minor adaptations from ‘FIGURE 11.3 Expansion of AS/NZS 4360:2004 Risk Management Process for Security Risk Management’ in SRMBOK (2009) to reflect the updates to ISO31000:2018.
Individual elements are described in more detail in the SRM-AM under Threat Assessment, Vulnerability Analysis, Criticality Assessment and Risk Treatments.
This model is not necessarily the best or only model, nor does it need to be followed as a step-by-step process. It is designed purely to illustrate how the various elements of security risk assessment relate to each other, and to provide a level of integration with models such as CARVER, the ISO31000 Process, and the Hierarchy of Controls in a single diagram.