Risk management
Risk management is the systematic, continuous process of identifying, assessing, treating and monitoring information security risks in order to limit potential harm to the organisation in a controlled and traceable way.
In the context of information security, risk management refers to the structured management process by which an organisation recognises, analyses and deliberately steers risks to the confidentiality, integrity and availability of its information. The process follows a recurring cycle: establishing the context and risk criteria, identifying risks, analysing and evaluating them (together the risk assessment), treating the risks, and continuously monitoring and communicating. Risk management is therefore the methodological core of an information security management system (ISMS) — not a one-off exercise, but a continuously maintained control loop.
During the risk assessment, threats and vulnerabilities are mapped against the assets worth protecting, and the risk is typically derived from the likelihood of occurrence and the potential magnitude of damage. Based on defined acceptance criteria, the organisation decides how to treat each risk: avoiding it, reducing it (through technical and organisational measures), transferring it (for example via insurance or outsourcing), or knowingly accepting the residual risk. Methodologically, the approach draws on established standards — in particular ISO/IEC 27005 and ISO 31000 as well as the BSI IT-Grundschutz — while ISO/IEC 27001 provides an internationally recognised benchmark for the effectiveness of the resulting controls.
Risk management is increasingly anchored in law. The NIS2 Directive and its national transposition explicitly oblige in-scope entities to adopt a risk-based approach and appropriate technical, operational and organisational measures to manage risks; senior management bears responsibility for this and must approve and oversee the measures. The GDPR, too, requires — through its concept of risk-appropriate protection (Art. 32 GDPR) — that controls be chosen in line with the risks to the rights and freedoms of data subjects. Documented, regularly updated risk management therefore serves at once as a steering instrument and as evidence of due diligence towards supervisory authorities, auditors and business partners.
Legal Basis
Art. 21 NIS2 Directive (EU) 2022/2555; Section 30 BSIG (German NIS2 transposition); Art. 32 GDPR; ISO/IEC 27001, ISO/IEC 27005, ISO 31000; BSI IT-Grundschutz
Practical Example
A mid-sized machinery manufacturer qualifies as an important entity under NIS2 and sets up a formal risk management process. The information security officer first compiles an asset inventory, determines the protection requirement for each system, and assesses threats such as ransomware, an ERP outage and the manipulation of production data by likelihood and impact. For the highest risks, senior management decides on treatment measures — network segmentation, multi-factor authentication and a tested backup concept — and documents the accepted residual risks. The risk register is reviewed quarterly and updated after every security-relevant incident, so that the effectiveness of the measures can be demonstrated to auditors at any time.
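The assessment and treatment cycle from the practical example above, as an added illustration that is not part of the original entry: a small risk register in Python using constructed 1-5 likelihood and impact scales, hypothetical control-effect estimates and a hypothetical acceptance threshold of 8. It shows how inherent and residual risk are scored, how the treatment decision follows from the acceptance criteria (including a signed-off residual risk), and when the next quarterly or incident-triggered review is due.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed scoring scheme: 1-5 ordinal scales, risk = likelihood x impact.
# The acceptance threshold is a hypothetical value set by senior management.
ACCEPTANCE_THRESHOLD = 8

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # constructed effect estimates, not measured data
    impact_reduction: int = 0

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    residual_accepted_by: Optional[str] = None  # documented management sign-off

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # controls lower likelihood and/or impact; a scale never drops below 1
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lk * im

    def treatment(self) -> str:
        if self.inherent_score() <= ACCEPTANCE_THRESHOLD:
            return "accept"           # within risk appetite, no treatment required
        if self.residual_score() <= ACCEPTANCE_THRESHOLD:
            return "reduce"           # planned controls bring it below the threshold
        if self.residual_accepted_by:
            return "accept residual"  # above threshold, but knowingly accepted
        return "escalate"             # above criteria and no management decision yet

def next_review(last_review: date, incident: bool = False) -> date:
    # quarterly cycle; a security-relevant incident triggers an immediate re-review
    return last_review if incident else last_review + timedelta(days=91)

def build_register() -> list:
    seg, mfa = Control("network segmentation", 1), Control("multi-factor authentication", 1)
    bak = Control("tested backup concept", 0, 2)
    return [
        Risk("ERP system", "ransomware", 4, 5, [seg, mfa, bak]),
        Risk("ERP system", "outage", 3, 4, [bak]),
        Risk("production data", "manipulation", 3, 5, [seg], residual_accepted_by="CEO"),
        Risk("office printer", "outage", 2, 2),
    ]

def register_report(risks) -> list:
    return [(r.asset, r.threat, r.inherent_score(), r.residual_score(), r.treatment()) for r in risks]
```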