I. Manage assets

A. Identify assets
B. Classify and categorize assets
C. Assign ownership and custodianship of assets

II. Manage organizational threats & vulnerabilities

A. Identify threats & vulnerabilities
B. Classify and categorize threats & vulnerabilities
C. Assess threats & vulnerabilities

III. Manage Risk

A. Understand risk management concepts, principals, & objectives
B. Evaluate risk management frameworks, models, & standards
C. Evaluate risk profiles
D. Determine & assess risks

1. Understand Qualitative assessments
2. Understand Quantitative assessments
3. Assess risk methods & tools

E. Assess risk treatment methods & controls

1. Evaluate risk treatment methods
2. Evaluate and select controls

F. Establish roles and responsibilities

G. Document the risk management effort

1. Develop and maintain Risk Management Plans (RMP)
2. Develop and maintain Business Impact Analyses (BIA)
3. Develop and maintain Business Continuity Plans (BCP)
4. Develop and maintain Disaster Recovery Plans (DRP)
5. Track ongoing efforts

H. Address risk communication

I. Use risk reporting mechanisms

J. Implement Incident Management

1. Plan and prepare for incident response
2. Investigate incidents
3. Contain incidents
4. Restore and follow-up

K. Measure the effectiveness of risk management efforts

IV. Implement Governance, Compliance & Process Improvement

A. Understand organisational structure and processes
B. Understand ethical and privacy constraints
C. Implement policies, standards, procedures, and guidelines
D. Define governance roles and responsibilities
E. Understand contractual constraints
F. Understand legislative constraints
G. Understand privacy constraints
H. Understand regulatory constraints
I. Manage awareness education & training