A standard from the [[ISO|ISO]] that details an approach to [[risk management]]. The process is broken down into three phases: establishment, assessment, and treatment. Additionally, two ongoing functions support this three-phase structure: monitoring and review; and communication and consultation.

## scope, context, and criteria establishment

As the heading shows, there are three parts to this phase. Firstly: the scope, which comes up again and again in management. Then the context: the environment (viewed through every lens: legal, physical, etc.) in which the risks are situated. Finally, the risk criteria, or [[risk appetite]], which are the levels of risk the organisation is willing to tolerate.

## [[risk assessment]]

See linked page for more detail.

## [[risk treatment]]

See linked page for more detail.

## monitoring and review

A reminder that the entire process must be iterative and alive to change, whether in the risk landscape or in the scope of what's being protected.

## communication and consultation

All relevant stakeholders should be able to feed into the risk management process.