What Is the ISO31000 Process?

ISO31000 Process

The key stages of the security risk management process (as per ISO31000:2018) are:

1. Scope, Context, and Criteria

2. Risk Assessment, which comprises three elements:

   1. Risk Identification

   2. Risk Analysis

   3. Risk Evaluation

3. Risk Treatment

4. Monitoring and Review

5. Recording and Reporting

6. Communication and Consultation

7. Note: Monitoring and Review, Recording and Reporting, and Communication and Consultation are typically considered continual and concurrent practices. This means they can occur simultaneously and run constantly throughout the risk assessment.

Scope, Context, Criteria, Risk Assessment, and Risk Treatment may be one-off as part of a risk assessment or, ideally, may be conducted continuously.