Terminology Confusion in Practice
Risk management is central to security work — required by ISO 27001, NIS2, GDPR and virtually all frameworks. But terminology varies and creates confusion.
Are risk analysis and risk evaluation the same thing? What’s the difference from risk management? And where does risk identification fit in?
Core principle: Names vary, but the process is the same. What matters is doing the work — not fighting over terminology. This guide helps you understand the concepts so you can communicate clearly.
ISO 31000 Definitions
Risk Management Process according to ISO 31000:
| Concept | Definition | In Practice |
|---|---|---|
| Risk Identification | Find, recognise and describe risks | List potential threats and vulnerabilities |
| Risk Analysis | Understand risk nature and determine risk level | Assess likelihood × impact |
| Risk Evaluation | Compare risk analysis results with risk criteria to prioritise | Is this risk acceptable? Which risks are greatest? |
| Risk Treatment | Select and implement measures to manage risk | Reduce, avoid, share or accept |
The entire process (identification → analysis → evaluation → treatment) is called risk management.
Visual Overview
```text
┌─────────────────────────────────────────────────────────────┐
│                       RISK MANAGEMENT                       │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────┐   │
│  │   IDENTIFY   │ →  │   ANALYSE    │ →  │   EVALUATE   │   │
│  │  Find risks  │    │  Likelihood  │    │  Prioritise  │   │
│  │              │    │  Impact      │    │  Compare to  │   │
│  │              │    │  Risk level  │    │  criteria    │   │
│  └──────────────┘    └──────────────┘    └──────────────┘   │
│                                                 ↓           │
│                                          ┌──────────────┐   │
│                                          │    TREAT     │   │
│                                          │  Implement   │   │
│                                          │  measures    │   │
│                                          └──────────────┘   │
└─────────────────────────────────────────────────────────────┘
```
Risk Identification in Detail
What do you do? Systematically find and describe risks that could affect organisational objectives.
Typical activities:
- Inventory assets and their value
- Identify threat actors and threat scenarios
- Map vulnerabilities
- Analyse historical incidents
- Conduct workshops with business units
Output: A list of identified risks, each risk described with:
- Threat actor (who/what)
- Vulnerability (weakness that can be exploited)
- Asset (what is affected)
- Potential impact (what could happen)
Example: “The risk that external attackers (threat actor) exploit unpatched systems (vulnerability) to compromise customer data (asset), leading to data breach and GDPR fines (impact).”
Risk Analysis in Detail
What do you do? Understand the nature of risk by assessing likelihood and impact to determine risk level.
Likelihood Assessment:
| Level | Description | Frequency |
|---|---|---|
| Very Low | Unlikely | <1 time per 10 years |
| Low | Could occur | 1 time per 1-10 years |
| Medium | Likely | 1 time per year |
| High | Expected | Several times per year |
| Very High | Almost certain | Monthly or more often |
Impact Assessment:
| Level | Financial | Reputation | Legal |
|---|---|---|---|
| Negligible | <£5k | No impact | None |
| Low | £5k-50k | Local impact | Warning |
| Medium | £50k-500k | National attention | Fines |
| High | £500k-5M | Lasting damage | Serious fines |
| Catastrophic | >£5M | Business threatened | Prosecution |
Risk Level = Likelihood × Impact
Risk Evaluation in Detail
What do you do? Compare risk analysis results against organisational risk criteria to determine if risk is acceptable and prioritise actions.
Risk criteria define:
- Which risk level is acceptable without action
- Which risk level requires immediate action
- Who makes decisions at different levels
Typical risk matrix (rows: likelihood, columns: impact):
| Likelihood ↓ / Impact → | Negligible | Low | Medium | High | Catastrophic |
|---|---|---|---|---|---|
| Very High | Medium | High | High | Critical | Critical |
| High | Low | Medium | High | High | Critical |
| Medium | Low | Medium | Medium | High | High |
| Low | Negligible | Low | Medium | Medium | High |
| Very Low | Negligible | Negligible | Low | Medium | Medium |
Decisions based on evaluation:
- Critical: Escalate to management, immediate action
- High: Plan action within short timeframe
- Medium: Address within reasonable time, monitor
- Low: Acceptable with monitoring
- Negligible: Accept without action
Risk Treatment in Detail
- Avoid the risk: Remove the activity or asset that creates the risk. Example: stop storing data you don't need. Suitable when the cost of the risk exceeds the benefit of the activity.
- Reduce the risk: Implement controls that lower likelihood or impact. This is the most common option. Examples: firewall, training, backup, encryption.
- Share the risk: Transfer all or part of the risk to another party. Examples: cyber insurance, outsourcing to a specialist. Note that legal responsibility often remains with you.
- Accept the risk: A conscious decision not to take action, documented with justification and approved at the appropriate level. Suitable for low risks where action would cost more than the risk itself.
English vs Other Language Terms
Common translation confusion:
| English | ISO 31000 | Often Used |
|---|---|---|
| Risk identification | Risk identification | - |
| Risk analysis | Risk analysis | Risk analysis |
| Risk evaluation | Risk evaluation | Risk assessment |
| Risk assessment | Risk assessment* | Risk analysis* |
| Risk treatment | Risk treatment | Risk management* |
| Risk management | Risk management | - |
*“Risk assessment” can refer to different parts of the process depending on context. In ISO 27001, “risk assessment” includes the entire identification → analysis → evaluation process.
Practical rule: Ask what the person means. Terminology varies — the process is the same.
How NIS2 and ISO 27001 Use These Concepts
NIS2
NIS2 Article 21 requires “risk-based measures” and specifically mentions “risk analysis”. The directive does not define an exact process, but it requires organisations to:
- Identify risks to network and information systems
- Assess risk severity
- Implement appropriate measures
ISO 27001
ISO 27001 requires a documented process for “information security risk assessment” that includes:
- Establishing risk criteria
- Identifying information security risks
- Analysing and evaluating risks
- Selecting risk treatment options
Practical Example: Ransomware Scenario
Identification:
- Risk: Ransomware attack encrypting business-critical systems and data
- Threat actor: Cybercriminals
- Vulnerability: Poor email security, unpatched systems
- Asset: ERP system, customer database
- Impact: Business disruption, ransom payment, reputational damage
Analysis:
- Likelihood: High (sector is targeted, similar companies affected)
- Impact: High (1-2 weeks downtime, ~£500k direct costs)
- Risk level: High (High × High)
Evaluation:
- Risk criteria state: High risk requires action within 30 days
- Priority: Top 3 of identified risks
- Decision: Escalate to management, allocate resources
Treatment:
- Reduce: Implement email security, patch management, backup
- Share: Purchase cyber insurance
- Residual risk: Accept after measures (reduced to Medium)
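The analysis, evaluation and treatment steps above, carried through for the ransomware scenario in code. This is an added example, not part of the original article and not Securapilot's product code: it encodes the article's likelihood and impact scales, its risk matrix and its decision list as data, then walks one risk through identify → analyse → evaluate → treat. The deadline values for Critical (0 days) and Medium (90 days), the residual ratings after treatment (Medium × Medium, chosen to reproduce the article's residual level of Medium), the sample risks and all function names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ordinal rating scales from the article's likelihood and impact tables, plus the
# ascending order of risk levels used for prioritisation.
LIKELIHOOD = ["Very Low", "Low", "Medium", "High", "Very High"]
IMPACT = ["Negligible", "Low", "Medium", "High", "Catastrophic"]
RISK_LEVELS = ["Negligible", "Low", "Medium", "High", "Critical"]

# The article's risk matrix: RISK_MATRIX[likelihood][impact position] -> risk level.
RISK_MATRIX = {
    "Very High": ["Medium", "High", "High", "Critical", "Critical"],
    "High":      ["Low", "Medium", "High", "High", "Critical"],
    "Medium":    ["Low", "Medium", "Medium", "High", "High"],
    "Low":       ["Negligible", "Low", "Medium", "Medium", "High"],
    "Very Low":  ["Negligible", "Negligible", "Low", "Medium", "Medium"],
}

# Risk criteria: the article's decision per level plus a deadline in days (None =
# no action). "High -> 30 days" is from the scenario; 0 and 90 are assumed values.
RISK_CRITERIA = {
    "Critical":   ("Escalate to management, immediate action", 0),
    "High":       ("Plan action within short timeframe", 30),
    "Medium":     ("Address within reasonable time, monitor", 90),
    "Low":        ("Acceptable with monitoring", None),
    "Negligible": ("Accept without action", None),
}


@dataclass
class Risk:
    # Identification: the four elements the article says each risk is described with.
    title: str
    threat_actor: str
    vulnerability: str
    asset: str
    potential_impact: str
    likelihood: Optional[str] = None                  # filled in by analyse()
    impact: Optional[str] = None
    treatments: list = field(default_factory=list)    # filled in by treat()
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None


def risk_level(likelihood: str, impact: str) -> str:
    """Likelihood x impact read off the matrix; ratings not on the scales are rejected."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"rating not on scale: {likelihood!r} x {impact!r}")
    return RISK_MATRIX[likelihood][IMPACT.index(impact)]


def analyse(risk: Risk, likelihood: str, impact: str) -> str:
    """Risk analysis: record the ratings and return the resulting risk level."""
    level = risk_level(likelihood, impact)            # validate before recording
    risk.likelihood, risk.impact = likelihood, impact
    return level


def evaluate(register: list) -> list:
    """Risk evaluation: compare each analysed risk with RISK_CRITERIA and return
    (risk, level, decision, deadline_days) tuples, highest level first."""
    rows = []
    for r in register:
        if r.likelihood is None or r.impact is None:  # skipped analysis: refuse, don't guess
            raise ValueError(f"{r.title!r} has not been analysed")
        level = risk_level(r.likelihood, r.impact)
        rows.append((r, level, *RISK_CRITERIA[level]))
    rows.sort(key=lambda row: RISK_LEVELS.index(row[1]), reverse=True)
    return rows


def treat(risk: Risk, measures: list, residual_likelihood: str, residual_impact: str) -> str:
    """Risk treatment: record measures and expected residual ratings; return the
    residual level that is then put forward for acceptance."""
    risk.treatments.extend(measures)
    risk.residual_likelihood, risk.residual_impact = residual_likelihood, residual_impact
    return risk_level(residual_likelihood, residual_impact)


def untreated_actionable(register: list) -> list:
    """Audit check: risks whose level demands action but that have no treatment recorded."""
    return [r.title for r, _, _, deadline in evaluate(register)
            if deadline is not None and not r.treatments]


def ransomware_example() -> dict:
    """The article's ransomware scenario carried through all four steps."""
    ransomware = Risk(                                # Identification
        title="Ransomware attack encrypting business-critical systems and data",
        threat_actor="Cybercriminals",
        vulnerability="Poor email security, unpatched systems",
        asset="ERP system, customer database",
        potential_impact="Business disruption, ransom payment, reputational damage",
    )
    inherent = analyse(ransomware, "High", "High")    # Analysis: High x High
    _, _, decision, deadline = evaluate([ransomware])[0]   # Evaluation
    gaps_before = untreated_actionable([ransomware])
    # Treatment: the article's measures; residual Medium x Medium is an assumed rating.
    residual = treat(ransomware, ["Reduce: email security", "Reduce: patch management",
                                  "Reduce: backup", "Share: cyber insurance"],
                     "Medium", "Medium")
    return {"inherent": inherent, "decision": decision, "deadline_days": deadline,
            "gaps_before_treatment": gaps_before, "residual": residual,
            "gaps_after_treatment": untreated_actionable([ransomware])}
```

Keeping the four steps as four separate functions makes the terminology question concrete: `analyse()` only produces a level, `evaluate()` is where the risk criteria and the prioritisation live, and `treat()` records measures and the residual level that is then accepted. Two of the pitfalls the article lists are caught mechanically: `evaluate()` refuses to rank a risk that never went through analysis, and `untreated_actionable()` reports risks whose level demands action but that have no treatment recorded, which is the "paper exercise" an auditor looks for.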
Common Pitfalls
- Using "risk analysis" when you mean the entire process: unclear communication creates confusion.
- Going directly to assessing risks without systematic identification: you miss the risks you haven't thought of.
- Evaluating risks without defined criteria: the results are subjective and inconsistent.
- Doing the analysis but never implementing measures: a paper exercise without value.
Documentation Requirements
What should be documented?
| Step | Documentation |
|---|---|
| Identification | Risk register with all identified risks |
| Analysis | Assessment of likelihood and impact per risk |
| Evaluation | Risk criteria, prioritisation, decisions |
| Treatment | Action plan, responsible person, deadline, status |
For audit:
- Show the process is systematic and repeatable
- Document who participated and when
- Save history to show improvement over time
- Link risks to actions and evidence
How Securapilot Can Help
Securapilot structures the entire risk management process:
- Risk Register — Identify and document risks
- Risk Analysis — Assess likelihood and impact
- Risk Evaluation — Defined criteria and prioritisation
- Action Management — Track treatment and status
- Reporting — Overview for management and audit
Book a demo and see how we can support your risk work.
Frequently asked questions
Are risk analysis and risk evaluation the same thing?
No, but they overlap. Risk analysis focuses on understanding likelihood and impact. Risk evaluation includes the analysis but adds comparison against risk criteria and prioritisation.
What comes first — analysis or evaluation?
According to ISO 31000: Risk identification → Risk analysis → Risk evaluation. Analysis provides data, evaluation assesses and prioritises based on that data.
What is risk treatment?
Risk treatment is the step after evaluation — selecting and implementing measures. Options are: avoid, reduce, share (insure/outsource), or accept the risk.
Must I follow ISO 31000?
ISO 31000 is guidance, not certifiable. But the terminology is used in ISO 27001, NIS2 and most frameworks. It helps to speak the same language.