ISO 31000 is an international standard that provides guidelines on managing risk. It can be customized to any situation and applied to any activity, including decision-making. The standard can be used by anyone who wants to create and protect value by managing risks, making decisions, setting and achieving objectives, and improving performance. The standard defines risk as "the effect of uncertainty on objectives" and describes risk management as the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk.
ISO 27001 is a standard that specifies the requirements for an information security management system (ISMS). The ISO 27001 risk assessment is a systematic process by which an organization identifies its information security risks, their likelihood, and their impact, so that it can implement plans to mitigate them. The process involves three stages: risk identification, analysis, and evaluation; risk assessment and the ISO 27001 Statement of Applicability; and using the risk assessment results to obtain the maximum benefit from the minimum security cost. Risk assessments fit into the continuous improvement cycle.
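The following risk register is an added illustration of the stages just described (identify, analyze by likelihood and impact, evaluate against acceptance criteria, and derive a Statement of Applicability); it is not code from the page or from the ISO standards. ISO 27001 does not prescribe scoring scales, so the 1-5 ordinal scales, the acceptance threshold, the risk entries, and the control identifiers (`CTRL-*`) are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed 1-5 ordinal scales. ISO 27001 requires the organization to define
# its own risk criteria; these values are illustrative assumptions only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criterion: scores above this value must be treated.
ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: tuple  # identifiers of controls selected to treat this risk (placeholders)

    def score(self) -> int:
        """Risk analysis: combine the two ordinal ratings into one score."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def treatment(self) -> str:
        """Risk evaluation: compare the score with the acceptance criterion."""
        return "treat" if self.score() > ACCEPTANCE_THRESHOLD else "accept"


def rank_risks(risks):
    """Register sorted highest score first, for prioritising the treatment plan."""
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))


def statement_of_applicability(risks, control_catalogue):
    """Build an SoA: a control is applicable when at least one risk that must be
    treated selects it; the selecting risk IDs serve as the justification.
    Controls no treated risk needs are marked not applicable (the organization
    must still document the reason for each exclusion)."""
    soa = {}
    for control_id, name in control_catalogue.items():
        justified_by = [
            r.risk_id for r in risks
            if r.treatment() == "treat" and control_id in r.controls
        ]
        soa[control_id] = {
            "name": name,
            "applicable": bool(justified_by),
            "justification": justified_by,
        }
    return soa


# Constructed sample data (not from the page).
CONTROL_CATALOGUE = {
    "CTRL-BACKUP": "Information backup",
    "CTRL-MFA": "Multi-factor authentication",
    "CTRL-DISK-ENC": "Full-disk encryption on portable devices",
    "CTRL-DDOS": "Denial-of-service protection",
    "CTRL-CLEAR-DESK": "Clear desk and clear screen",
}

SAMPLE_RISKS = (
    Risk("R1", "customer database", "ransomware", "likely", "major", ("CTRL-BACKUP", "CTRL-MFA")),
    Risk("R2", "internal wiki", "defacement", "unlikely", "minor", ("CTRL-MFA",)),
    Risk("R3", "staff laptops", "theft", "possible", "moderate", ("CTRL-DISK-ENC",)),
    Risk("R4", "public website", "denial of service", "possible", "minor", ("CTRL-DDOS",)),
)


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.risk_id} {r.asset:18} score={r.score():2} -> {r.treatment()}")
    for cid, entry in statement_of_applicability(SAMPLE_RISKS, CONTROL_CATALOGUE).items():
        print(f"{cid:16} applicable={entry['applicable']} justification={entry['justification']}")
```

Note that `CTRL-MFA` ends up justified only by R1: R2 also selects it but falls below the acceptance threshold, so it contributes nothing to the SoA. That is the "minimum security cost" point from the text made concrete: controls are carried into the SoA by the risks that actually require treatment, not by every risk that mentions them.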