

The Risk Management Cycle

[Figure: Risk Management Life Cycle]

The principle of risk management is at the heart of information security. It forms part of standards and frameworks such as COBIT, ISO 27001, and NIST SP 800-53.
Security management should follow a risk management cycle such as the one below.

  1. Identify & Assess: identify the needs by assessing the information security risks, based on:
    • Risk Attitude and Awareness – “Appetite”
    • Evaluation of impact and likelihood
  2. Define desired results in terms of
  3. Determine appropriate Strategies and build business case
  4. Implement selected strategy or strategies via policies and controls
  5. Monitor the effectiveness of policies and controls and Report
  6. Review reports and evaluate the strategy
  7. Adjust as part of the continuous improvement cycle
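The following is an added example, not part of the original page, showing how the assess, implement, monitor and review steps of the cycle above can be expressed as a small risk register. The five-point likelihood and impact scales, the sample risks, the control reductions and the appetite threshold of 6 are all constructed assumptions for illustration, not values taken from COBIT, ISO 27001 or NIST SP 800-53.

```python
"""Minimal risk register for the identify / assess / implement / review cycle.

Constructed example: the scales, sample risks, control effects and the
appetite threshold are assumptions, not taken from any standard.
"""
from dataclasses import dataclass, field

# Qualitative scales mapped to ordinal values (assumption: 5-point scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A policy or technical control and how many scale steps it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: str          # key into LIKELIHOOD
    impact: str              # key into IMPACT
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Step 1 (assess): likelihood x impact before any controls are applied."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk: Risk) -> int:
    """Steps 4-5 (implement, monitor): score after controls, floored at 1 x 1."""
    l_red = sum(c.likelihood_reduction for c in risk.controls)
    i_red = sum(c.impact_reduction for c in risk.controls)
    likelihood = max(1, LIKELIHOOD[risk.likelihood] - l_red)
    impact = max(1, IMPACT[risk.impact] - i_red)
    return likelihood * impact


def evaluate(register: list, appetite: int) -> list:
    """Steps 6-7 (review, adjust): compare residual risk with the appetite.

    Returns one row per risk, highest residual first. A residual score above
    the appetite threshold means the chosen strategy needs further treatment.
    """
    rows = []
    for r in register:
        residual = residual_score(r)
        rows.append({
            "id": r.ident,
            "inherent": inherent_score(r),
            "residual": residual,
            "status": "treat" if residual > appetite else "accept",
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def build_register() -> list:
    """Constructed sample register (hypothetical risks, not real data)."""
    return [
        Risk("R1", "Unpatched internet-facing server", "likely", "major",
             [Control("Monthly patch cycle", likelihood_reduction=2)]),
        Risk("R2", "Lost laptop exposes customer data", "possible", "major",
             [Control("Full-disk encryption", impact_reduction=3)]),
        Risk("R3", "Office printer outage", "likely", "negligible"),
    ]


if __name__ == "__main__":
    APPETITE = 6  # assumption: any residual score above 6 must be treated
    for row in evaluate(build_register(), APPETITE):
        print(f"{row['id']}: inherent={row['inherent']:2d} "
              f"residual={row['residual']:2d} -> {row['status']}")
```

Running the script prints the register ranked by residual score; the server risk stays above the appetite after patching alone and is flagged for further treatment, while the encrypted-laptop and printer risks fall within appetite and are accepted. Re-running the evaluation after each monitoring period is the "review and adjust" loop of the cycle.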