
Risk Management Frameworks

A risk management framework is a structured, repeatable way to identify, assess, treat, and monitor the risks an organisation faces — so decisions about them are deliberate, not accidental.

The major frameworks — NIST RMF, ISO 31000, ISO 27005, COSO ERM, and FAIR — share the same backbone (identify → assess → treat → monitor) but differ in scope, sector, and whether they measure risk qualitatively or in money.


Plain-English explainer · NIST · ISO 31000 / 27005 · COSO · FAIR · Last reviewed June 2026

A risk management framework is a structured, repeatable method for handling risk — identifying what could go wrong, judging how likely and how damaging it is, deciding what to do about it, and keeping that under review as things change. Every credible framework shares the same backbone: identify → assess → treat → monitor. Where they differ is scope (enterprise-wide vs information-security only), origin and sector (US government, ISO, finance), and how they measure risk (qualitative high/medium/low vs quantitative loss in money). The five most common — NIST RMF, ISO 31000, ISO 27005, COSO ERM, and FAIR — are compared below. For most companies pursuing ISO 27001, the relevant one is ISO 27005, the risk method built into an ISMS.

The Common Backbone

Four Steps Every Framework Shares

1. Identify

Catalogue assets and the threats and vulnerabilities that could affect them.

2. Assess

Estimate each risk’s likelihood and impact to prioritise what matters most.

3. Treat

Decide to mitigate, transfer, avoid, or accept each risk — and apply controls.

4. Monitor

Review continuously; risk changes as the business, threats, and controls change.

The Major Frameworks

Five Frameworks, Compared

NIST RMF

NIST Risk Management Framework (SP 800-37)

A 7-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) from the US NIST. Widely used by US federal agencies and contractors; pairs with the NIST 800-53 control catalogue.

Best for: US government, federal contractors, and organisations standardising on NIST controls.

ISO 31000

ISO 31000:2018 — Risk Management

A principles-and-process standard for managing any kind of risk (not just IT) across the whole enterprise. It’s guidance, not a certifiable standard — a common vocabulary and process the others fit inside.

Best for: Enterprise-wide risk management and a common risk language across departments.

ISO 27005

ISO/IEC 27005 — Information Security Risk Management

The information-security-specific risk standard that supports ISO 27001. It tells you how to run the risk assessment and treatment your ISMS requires.

Best for: Organisations doing (or planning) ISO 27001 — this is the risk method behind the ISMS.

COSO ERM

COSO Enterprise Risk Management

A governance-led framework tying risk to strategy and performance, strong on internal control and financial reporting. Common in SOX and finance-heavy organisations.

Best for: Boards, finance, and SOX/internal-control contexts where risk meets strategy.

FAIR

Factor Analysis of Information Risk

A quantitative model that expresses cyber risk in financial terms (probable loss in money), rather than high/medium/low. Often layered on top of another framework for board-level reporting.

Best for: Quantifying cyber risk in rupees/dollars for executive and board decisions.

How to Choose

Which One Do You Need?

  • Pursuing ISO 27001 → ISO 27005 (it’s the risk method your ISMS requires).
  • Want one risk language across the whole company → ISO 31000.
  • US government / federal contracts → NIST RMF with NIST 800-53.
  • Board, finance, or SOX focus → COSO ERM.
  • Need to express cyber risk in money for executives → add FAIR on top.

Risk Management Frameworks — Common Questions

The questions people ask most when picking a risk framework.

What is a risk management framework?

A risk management framework is a structured, repeatable method for identifying, assessing, treating, and monitoring risk. It gives an organisation a consistent process and vocabulary so risk decisions are deliberate and documented rather than ad hoc.

What are the main risk management frameworks?

The most widely used are NIST RMF (US government), ISO 31000 (enterprise-wide guidance), ISO/IEC 27005 (information-security risk, supporting ISO 27001), COSO ERM (governance and financial/internal-control focus), and FAIR (a quantitative model expressing risk in financial terms).

Which risk framework should I use for ISO 27001?

ISO/IEC 27005. ISO 27001 requires a documented risk assessment and risk treatment plan as part of the ISMS, and ISO 27005 is the standard that describes how to perform exactly that for information security.

Is NIST RMF the same as ISO 31000?

No. NIST RMF is a specific 7-step US-government process tied to the NIST 800-53 control catalogue. ISO 31000 is broader, non-certifiable guidance for managing any risk enterprise-wide. They share the same identify-assess-treat-monitor logic but differ in scope and origin.

Qualitative or quantitative risk assessment — what’s the difference?

Qualitative assessment rates risk in bands (high/medium/low) and is fast and common. Quantitative assessment (e.g., FAIR) estimates probable loss in money, which is harder but far more useful for board-level investment decisions. Many organisations start qualitative and add quantitative for their top risks.
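To make the contrast concrete, here is an added example (not part of the original page) that scores one constructed risk both ways: a qualitative 5x5 likelihood-times-impact band, and a simplified FAIR-style Monte Carlo that turns min/most-likely/max estimates of loss-event frequency and loss magnitude into an annual loss figure. The band thresholds, the triangular distributions, and the sample risk values are all assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Risk:
    """One risk-register entry with both qualitative and quantitative inputs."""
    name: str
    likelihood: int   # qualitative 1 (rare) .. 5 (almost certain)
    impact: int       # qualitative 1 (negligible) .. 5 (severe)
    lef: tuple        # loss events per year: (min, most likely, max)
    magnitude: tuple  # loss per event in currency units: (min, most likely, max)


def qualitative_band(likelihood: int, impact: int) -> str:
    """Classic 5x5 matrix: score = likelihood * impact, banded high/medium/low.
    Thresholds (>=15 high, >=6 medium) are an assumption, not from any standard."""
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def quantitative_loss(risk: Risk, trials: int = 10_000, seed: int = 1) -> dict:
    """Simplified FAIR-style simulation: for each simulated year draw a loss-event
    frequency and a magnitude per event from triangular (min, mode, max) estimates,
    then report expected annual loss and the 90th-percentile year."""
    rng = random.Random(seed)
    lo_f, ml_f, hi_f = risk.lef
    lo_m, ml_m, hi_m = risk.magnitude
    annual = []
    for _ in range(trials):
        freq = rng.triangular(lo_f, hi_f, ml_f)          # events per year (may be < 1)
        whole, frac = int(freq), freq - int(freq)
        events = whole + (1 if rng.random() < frac else 0)  # fractional part as a chance of one more event
        annual.append(sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events)))
    annual.sort()
    return {"expected": mean(annual), "p90": annual[int(0.9 * trials)], "worst": annual[-1]}


# Constructed sample risk: ransomware on a file server (values are illustrative only).
SAMPLE = Risk("ransomware on file server", likelihood=3, impact=4,
              lef=(0.1, 0.5, 1.0), magnitude=(50_000, 200_000, 800_000))

if __name__ == "__main__":
    print(SAMPLE.name, "->", qualitative_band(SAMPLE.likelihood, SAMPLE.impact))
    print({k: round(v) for k, v in quantitative_loss(SAMPLE).items()})
```

The qualitative answer is a single word; the quantitative one gives a figure a board can set against the cost of a control.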

Related reading: the Learn hub, what GRC is, what an ISMS is, and our ISO 27001 guide. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
