Risk management in information security is the concept where an organization introduces a formal process to manage the risks introduced using information and communication technology. Therefore, an inventory of its information assets is compiled, the relevant threats are selected and the maximally tolerable resumption time in case of a serious problem according to the business impact analysis is estimated.

The result is a list of potential risks with a calculated impact on a given organization. Managing the risk means to decide how to deal with the risk. In general there are three approaches to managing risks:

  1. Accept the risk and do nothing
  2. Reduce the risk by implementing additional technical or organizational controls
  3. Transfer the risk to another organization

A drastic alternative is to avoid the risk by stopping the activity.