The key stages of the security risk management process (as per ISO31000:2018) are:
Scope, Context, and Criteria
Risk Assessment, which comprises three elements:
Monitoring and Review
Recording and Reporting
Communication and Consultation
Note: Monitoring and Review, Recording, and Reporting, and Communication and Consultation, are typically considered to be continual and concurrent practices. This means that they can occur at the same time, and run constantly throughout the risk assessment.
Scope, Context, Criteria, RiskAssessment, and Risk Treatment, may be one-off as part of a risk assessment or, ideally may be conducted continuously.