Risk management is the ongoing process of identifying, analyzing, responding and monitoring and reviewing risks. The cyber security risk management process focusses specifically on managing risks related to cyber security. In order to manage cyber security risks, Member Organizations should:

• identify their cyber security risks - cyber security risk identification;
• determine the likelihood that cyber security risks will occur and the resulting impact - cyber security risk analysis;
• determine the appropriate response to cyber security risks and select relevant controls - cyber security risk response;
• monitor the cyber security risk treatment and review control effectiveness - cyber security risk monitoring and review.

The compliance with the cyber security controls should be subject to periodic review and audit.