NIST 800-39 and ISO alignment for risk management implementation
Step 1: Framing Risk
The first component of risk management addresses how organizations frame risk or establish a risk context, that is, describing the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk, making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.
This phase aligns with the initial “Plan” phase of the ISO 31000 ISMS, where the context is established.
Step 2: Assessing risk
The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame.
The purpose of the risk assessment component is to identify:
- Threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation;
- Vulnerabilities internal and external to organizations;
- The harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities; and
- The likelihood that harm will occur.
The end result is a determination of risk (i.e., typically a function of the degree of harm and the likelihood of harm occurring).
Risk assessment is defined in ISO 31000 through the overall process of risk identification, risk analysis and risk evaluation.
Risk identification:
The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization from achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risk.
Risk analysis:
The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness.
Risk evaluation:
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.
Step 3: Responding to Risk
The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of a risk assessment.
The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
- Developing alternative courses of action for responding to risk;
- Evaluating the alternative courses of action;
- Determining appropriate courses of action consistent with organizational risk tolerance; and
- Implementing risk responses based on selected courses of action.
This phase is considered within ISO 31000 as spanning both the Plan and Do phases through actions such as:
- Developing a risk treatment plan
- Risk acceptance
- Implementation of the risk treatment plan
Step 4: Monitoring risk
The fourth component of risk management addresses how organizations monitor risk over time.
The purpose of the risk monitoring component is to:
- Determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame);
- Identify risk-impacting changes to organizational information systems and the environments in which the systems operate;
- Verify that planned risk responses are implemented and that information security requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied.
This part is considered in the Check and Act phases of ISO 31000:
- Continual monitoring and reviewing of risks
- Maintaining and improving the information security risk management process.