Risk Management is simply the process of managing risks based on your organisation’s security policies. The process includes assessment of people, processes and technologies that can potentially impact security.
A risk register and risk treatment plan are produced by this process: risks (threats) are identified, evaluated and prioritised, and a treatment option is chosen for each (accept, reduce, transfer), with mitigation controls developed where the risk is to be reduced.
Risk Treatment Plan
The Risk Treatment Plan is built from the results of the assessment and lists the actions recommended to improve controls found to be ineffective. Each Risk Treatment step is mapped to the risks it addresses; as treatment steps are completed, the effectiveness of the corresponding control improves, which in turn reduces the likelihood of the mapped risks occurring.