Cyber-security risk management – an overview

Read time: 5 mins
Last Updated on Aug. 27, 2025
Published Dec. 3, 2022

Cybersecurity risk management isn’t a one‑and‑done checklist — it’s an ongoing routine. Think of it as a cycle where organizations keep spotting, analyzing, and tackling threats before they turn into real problems. The process follows a structured approach, often backed by well‑known frameworks, to make sure defenses stay sharp and adaptable as risks evolve.

Essential Steps in the Continuous Cybersecurity Risk Management Process

Managing cybersecurity risk is an ongoing, iterative process rather than a one-time event. Organizations generally follow a structured process that starts with establishing scope and objectives and ends with continuous monitoring.

The core steps involved in a comprehensive cybersecurity risk management program include:

1. Risk Framing and Preparation

The first activities prepare the organization to manage security and privacy risks. Risk framing defines the context in which risk decisions are made, aligning risk management strategies with overall business goals. This involves defining:

  • Scope: Identifying which systems, assets, and threats will be examined, and the timeline for the process.

  • Asset Inventory and Prioritization: Determining which data, devices, and software are most critical to the organization.

  • Organizational Resources and Priorities: Establishing the IT systems, business processes, and resources (financial and otherwise) committed to risk management.

  • Legal and Regulatory Requirements: Identifying laws and standards the company must comply with.

  • Risk Tolerance: Defining the level of uncertainty the organization finds acceptable while striving to achieve its goals, which makes subsequent risk decisions easier.

2. Identify and Assess Risks

This step determines the organization's level of risk by identifying threats, vulnerabilities, and their potential consequences.

  • Identify Cybersecurity Risks: This involves understanding threats (events or circumstances that can negatively affect operations or assets, such as hostile attacks, human errors, or natural disasters), vulnerabilities (weaknesses that a threat source can exploit), and the resulting consequences.

  • Assess Likelihood and Impact: Risk assessments determine the probability of a threat exploiting a vulnerability and the severity of the potential impact (consequences). Consequences include fiscal costs (fines, lost income), operational costs (lost time), and reputational costs.

  • Determine Risk and Prioritize: The organization determines its overall risk, often listing risks by likelihood and impact. This process builds a risk profile, prioritizing threats based on their criticality level, which informs subsequent decisions.

3. Risk Evaluation and Response (Mitigation)

In the evaluation step, assessed risks are compared against organizational tolerance levels to prioritize them for decision-making. The organization determines how it will address risks, which may include developing documented risk treatment strategies.

Organizations can adopt one or more of four risk management strategies:

  • Mitigation (Reduction): Selecting and applying controls (people, processes, or technology) to make exploitation harder or minimize impact. Examples include privileged access management, cybersecurity training, or implementing incident response plans.

  • Acceptance: Accepting some residual risk when its potential impact is low or insignificant, or when investing in security measures would cost more than the risk itself. Risks below the organizational risk tolerance are functionally considered accepted.

  • Transfer: Shifting potential loss or responsibility for risk impacts to a contracted third party, such as purchasing cyber insurance or contractually transferring responsibility to suppliers/vendors.

  • Avoidance: Implementing policies and technologies that help eliminate risk by avoiding or more closely managing activities that invite organizational risk.

Risks that are fully addressed so they cannot be exploited are considered remediated (e.g., patching a software bug). After applying all mitigation measures, any remaining, unavoidable risk is known as residual cybersecurity risk.

4. Continuous Monitoring and Review

Since change is constant, environments must be continually monitored to ensure internal controls align with risk. Monitoring involves maintaining ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions.

Monitoring activities include:

  • Tracking identified risks and evaluating the effectiveness of risk responses.

  • Monitoring the effectiveness of new security controls and verifying they meet regulatory requirements.

  • Staying abreast of regulatory change.

  • Assessing and documenting vendor risk.

  • Monitoring internal IT usage and the broader threat landscape.

Risk management is a continual process that should always include re-assessment, new testing, and ongoing mitigation. Organizations should also prepare for incident response (IR) and plan for disaster recovery (DRP) before a vulnerability becomes an urgent security event.

Guiding Frameworks for Cybersecurity Risk Management

Several standards and frameworks provide a structure for enterprise risk management, helping teams align controls, assessments, and reporting. We'll briefly go through 4 of them:

  • NIST Cybersecurity Framework Version 2.0 (NIST CSF 2.0)
  • NIST Risk Management Framework (RMF)
  • ISO/IEC 27001
  • NIST Special Publication 800-30

NIST Cybersecurity Framework Version 2.0 (NIST CSF 2.0)

NIST CSF 2.0 is a voluntary framework designed to help organizations of all sizes manage and reduce cyber risks. It outlines a taxonomy of high-level cybersecurity actions across six critical security functions:

  • Govern: Establishing mission-aligned policies, priorities, constraints, risk tolerances, and strategies to support operational risk decisions.

  • Identify: Understanding cybersecurity risks to organizational operations, assets, and individuals. This includes identifying asset vulnerabilities, documenting threats, utilizing cyber threat intelligence, determining business impacts, and prioritizing risk responses.

  • Protect: Focusing on ensuring the delivery of critical infrastructure services.

  • Detect: Identifying the occurrence of a cybersecurity event.

  • Respond: Taking action regarding a detected cybersecurity incident.

  • Recover: Maintaining plans for resilience and restoring any impaired assets or services.

NIST CSF 2.0 also provides detailed guidance for managing supply chain risks through its Cybersecurity Supply Chain Risk Management (C-SCRM) processes.

NIST Risk Management Framework (RMF)

The NIST Risk Management Framework provides a process that integrates security, privacy, and cyber supply-chain risk management into the system development life cycle. This approach can be applied across various system types (e.g., IoT, control systems) and organizations.

The key steps in the NIST RMF include:

  1. Prepare: Essential activities to prepare the organization to manage security and privacy risks.

  2. Categorize: Determining the adverse impact related to the loss of confidentiality, integrity, and availability of systems and the information they process.

  3. Select: Choosing, tailoring, and documenting the controls necessary to protect the system and organization commensurate with risk.

  4. Implement: Implementing the controls outlined in the security and privacy plans.

  5. Assess: Determining if the controls are implemented correctly, operating as intended, and meeting security and privacy requirements.

  6. Authorize: Requiring a senior official to determine if the security and privacy risk is acceptable.

  7. Monitor: Maintaining ongoing situational awareness to support risk management decisions.

ISO/IEC 27001

This is the international standard for information security management. Clause 6.1.2 mandates specific requirements for information security risk assessment, including:

  • Establishing and maintaining information security risk criteria.

  • Ensuring repeated risk assessments produce consistent, valid, and comparable results.

  • Identifying risks associated with the loss of confidentiality, integrity, and availability.

  • Identifying the owners of those risks.

  • Analyzing and evaluating information security risks according to established criteria.

NIST Special Publication 800-30

This publication guides risk assessments and helps organizations choose controls to mitigate risks. It outlines a four-step progression for risk assessments:

  1. Prepare for the assessment by clarifying purpose, scope, constraints, and the risk model/analytics to be used.

  2. Conduct the assessment to list risks by likelihood and impact and determine overall risk.

  3. Share the results to drive mitigation efforts.

  4. Maintain the assessment by continually monitoring environments.
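The assessment loop described in the Identify and Assess and the Risk Evaluation and Response steps above, and again in SP 800-30's prepare, conduct, share and maintain progression, can be made concrete with a small risk register. The following Python is an added example, not code from this article or from NIST; the five-point scale, the tolerance threshold of 6, the per-control reductions and the three sample risks are all constructed for illustration and carry no real-world weight.

```python
"""Added example (not from the article or NIST): a minimal risk register that
walks identify -> assess -> evaluate -> respond -> monitor with a qualitative
5x5 likelihood/impact scale. Scale, tolerance, controls and sample risks are
constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for both likelihood and impact (constructed)."""
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


# Risk tolerance from the framing step: residual scores strictly below this
# value are functionally accepted (constructed threshold).
RISK_TOLERANCE = 6


@dataclass
class Control:
    """A mitigating control and how many scale steps it removes (assumed)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry: a threat/vulnerability pair with a named owner."""
    risk_id: str
    threat: str
    vulnerability: str
    likelihood: Level
    impact: Level
    owner: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are credited."""
        return int(self.likelihood) * int(self.impact)

    def residual_levels(self) -> tuple:
        """Apply each control's reduction, never dropping below VERY_LOW."""
        like, imp = int(self.likelihood), int(self.impact)
        for ctrl in self.controls:
            like = max(int(Level.VERY_LOW), like - ctrl.likelihood_reduction)
            imp = max(int(Level.VERY_LOW), imp - ctrl.impact_reduction)
        return Level(like), Level(imp)

    def residual_score(self) -> int:
        """Likelihood x impact after controls: the residual cybersecurity risk."""
        like, imp = self.residual_levels()
        return int(like) * int(imp)


def evaluate(risk: Risk, tolerance: int = RISK_TOLERANCE) -> str:
    """Evaluation step: compare residual risk with the organizational tolerance."""
    return "accept" if risk.residual_score() < tolerance else "treat"


def prioritize(register: list) -> list:
    """Build the risk profile: order by residual score, then inherent score."""
    return sorted(register,
                  key=lambda r: (r.residual_score(), r.inherent_score()),
                  reverse=True)


def treatment_plan(register: list, tolerance: int = RISK_TOLERANCE) -> dict:
    """Map each risk id to 'accept' or 'treat'; 'treat' means the owner must
    add a control, transfer the risk, or avoid the activity, then re-assess."""
    return {r.risk_id: evaluate(r, tolerance) for r in register}


def build_sample_register() -> list:
    """Constructed sample entries, not real findings."""
    return [
        Risk("R-01", "Remote exploitation of internet-facing web server",
             "Vendor patches applied irregularly", Level.HIGH, Level.HIGH,
             "Platform team",
             controls=[Control("Monthly patch cycle, 7-day SLA for critical fixes",
                               likelihood_reduction=2)]),
        Risk("R-02", "Theft or loss of a staff laptop",
             "Disk not encrypted", Level.MODERATE, Level.HIGH, "IT operations",
             controls=[Control("Full-disk encryption enforced by device management",
                               impact_reduction=3)]),
        Risk("R-03", "Defacement of marketing microsite",
             "Unmaintained CMS plugin", Level.LOW, Level.LOW, "Marketing"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    plan = treatment_plan(register)
    for r in prioritize(register):   # the prioritized risk profile
        print(f"{r.risk_id} {r.owner:<15} inherent={r.inherent_score():>2} "
              f"residual={r.residual_score():>2} -> {plan[r.risk_id]}")
```

Two things the run shows that the prose only states: once controls are credited, the low-inherent microsite risk (R-03, residual 4) outranks the laptop risk (R-02, inherent 12 but residual 3), so prioritizing on inherent score alone would misdirect effort; and R-01 still sits above the tolerance of 6 after patching is credited, so its owner must choose a further treatment (another control, transfer, or avoidance) rather than leave it implicitly accepted. Re-running the register whenever a control, threat, or tolerance changes is the continuous-monitoring step.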

Steer Clear, matey.

Cybersecurity risk management isn’t something you can tackle in silos — it works best when everything is coordinated and consistent across the organization. Think of it like steering a ship:

  • First, you chart the waters (spot the risks).

  • Then, you check the hull (look for vulnerabilities).

  • Next, you decide how to handle storms (mitigate or transfer risk).

  • And finally, you keep an eye on the radar (continuous monitoring).

Do all that, and you’ll stay on course without drifting outside your comfort zone (risk tolerance).
