What is cyber risk management and how to get started

In today’s digital world, organizations of all sizes and industries increasingly rely on technology and connected systems to operate, making them vulnerable to cyberattacks and other security threats. This is where the need for cyber risk management comes into play.

What is cyber risk management?

Cybersecurity risk management is the process of identifying, assessing, and mitigating potential risks to an organization’s information systems and data. As such, a well-defined cybersecurity risk management process (or program) is critical to protecting sensitive information and maintaining confidentiality, integrity and availability of data.

Why is cybersecurity risk management important?

Cyber risk management is important for a variety of reasons, including:

  • Protecting sensitive information: Organizations often have confidential and sensitive information stored on their systems and networks, including financial data, customer information, and personal information of employees and customers alike. Through a cyber risk management program, security teams can get a better handle on the risks, helping them to protect this information from theft, unauthorized access and other security threats.
  • Compliance: Many industries are subject to regulations, legislation and standards that require their organization to maintain a certain level of security for their information systems and data. Without a proper approach or a measurable view of their security posture, organizations could face serious consequences, like penalties for non-compliance.
  • Reputation: A data breach or cyberattack can significantly impact an organization’s reputation and brand. Cyber risk management helps organizations maintain the trust and confidence of their customers, stakeholders and partners by reducing the likelihood and impact of a security incident.
  • Business continuity: Effective cyber risk management can help organizations ensure that their systems and data remain available and operational in the event of a security incident, minimizing the impact on day-to-day operations and preserving business continuity.

Cybersecurity (or cyber) risk management frameworks

There are several widely recognized frameworks that organizations can use to guide their risk management efforts. Some of the most well-known frameworks include:

  • NIST Cybersecurity Framework: Developed by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework provides a comprehensive approach to managing cybersecurity risk and helps organizations align their risk management efforts with their business goals and objectives.
  • ISO/IEC 27001: This international standard provides a comprehensive framework for managing and protecting sensitive information and provides a systematic approach to information security management.
  • CIS Controls: Developed by the Center for Internet Security (CIS), the CIS Controls provide a prioritized set of actions that organizations can take to improve their cybersecurity posture.
  • FAIR (Factor Analysis of Information Risk): This framework provides a quantitative approach to cyber risk management and helps organizations understand and communicate the financial impact of potential cyber incidents.
  • SANS Critical Security Controls: Developed by the SANS Institute, the SANS Critical Security Controls (also known as the SANS 20) are a set of security controls and best practices that organizations can use to improve their cybersecurity posture. The controls are based on the experience and expertise of cybersecurity professionals and are designed to be practical and effective in defending against the most common cyber threats.

Although there are similarities across these frameworks, each has its own focus points and approach. Let’s take a closer look at the difference between the NIST Cybersecurity Framework (NIST CSF) and ISO/IEC 27001, two prevalent frameworks for achieving cyber resilience.


ISO/IEC 27001 is an international standard that provides a comprehensive framework for managing and protecting sensitive information. It covers a wide range of topics, including information security management, risk management, access control and incident response. In contrast, the NIST CSF focuses specifically on managing cybersecurity risk and aligning an organization’s risk management efforts with its business goals and objectives.

ISO/IEC 27001 is a prescriptive framework that provides specific guidelines and requirements for managing information security. It requires organizations to implement a set of controls and to demonstrate compliance through regular audits and assessments. The NIST CSF, on the other hand, provides a flexible and adaptable framework for managing cybersecurity risk, allowing organizations to tailor their risk management efforts to their specific needs and priorities.

Finally, ISO/IEC 27001 is more focused on protecting sensitive information, regardless of where it is stored or how it is used. The NIST CSF, on the other hand, is explicitly focused on managing cybersecurity risk and improving an organization’s cybersecurity posture in general, thus having a much broader scope than its sibling framework.

Note that these frameworks are not mutually exclusive. Depending on your specific situation, you may use one, the other, or parts of multiple frameworks.

How to get started with cyber risk management

If you are new to cyber risk management, understand that it’s usually more about establishing a well-defined process for managing cybersecurity risks than it is about implementing security controls.

When establishing a cyber risk management program or process, you will need to understand your environment and the risks it is exposed to by applying the following steps:

  • Assess the current security posture: Start by evaluating the current state of the organization’s information security, including systems, networks and data. This will help identify potential vulnerabilities and areas for improvement.
  • Identify potential risks: Next, identify the potential risks to the organization’s information systems and data, including external threats such as hacking, malware and phishing, as well as internal threats such as accidental data breaches or human error.
  • Prioritize risks: Based on the potential impact and likelihood of a security incident, prioritize the risks and determine which ones require the most attention.

Based on the assessment and risk prioritization, it’s time to implement appropriate security controls to reduce or mitigate the risk of a security incident. Not all controls need to be technical. There are other ways to reduce or minimize risks too!

  • Administrative controls: These are policies, procedures and guidelines that provide a framework for managing security within an organization. Examples of administrative controls include security policies, employee training programs, and incident response plans.
  • Technical controls: These are technical solutions that organizations use to protect their systems and data from threats. Examples of technical controls include firewalls, intrusion detection systems and encryption.
  • Physical controls: These are physical security measures that organizations implement to protect their assets, such as buildings, equipment and data centers. Examples of physical controls include access control systems, security cameras and secure perimeter fencing.
  • Operational controls: These are processes and procedures that organizations use to manage their security operations and ensure that security measures are functioning as intended. Examples of operational controls include security monitoring and incident response.
  • Management controls: These are controls that organizations implement to ensure that security risks are effectively managed and mitigated. Examples of management controls include risk assessments, security audits and security budgeting. Establishing a cyber risk program itself is also a management control.

A cyber risk management process is never finished. Therefore, you should monitor and regularly update security measures in light of newly discovered risks, changing business requirements, new systems, evolving threats, and so on.
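The steps above (assess, identify, prioritize, treat with controls, and re-evaluate) are easier to see in a small risk register. The following is an added example, not code from the article or from any of the frameworks it names: the 1-to-5 likelihood and impact scales, the treatment thresholds, and the sample risks and loss figures are all constructed assumptions, and the "annualised loss" figure is a simplified frequency-times-magnitude estimate in the spirit of quantitative approaches such as FAIR, not FAIR's actual method.

```python
from dataclasses import dataclass, replace

# Qualitative 1-5 scales, constructed for this example. An organisation defines its
# own labels and thresholds; these are assumptions, not taken from the article.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One entry in the risk register (step 2: identified risk with its ratings)."""
    name: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    events_per_year: float   # estimated loss-event frequency (quantitative view)
    loss_per_event: float    # estimated loss magnitude per event, in currency units

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    def score(self) -> int:
        """Qualitative risk score: likelihood x impact on the 1-5 scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def annualised_loss(self) -> float:
        """Simplified annualised loss expectancy: frequency x magnitude per year."""
        return self.events_per_year * self.loss_per_event


def treatment_band(score: int) -> str:
    """Step 3: map a score to a treatment decision. Thresholds are assumptions."""
    if score >= 15:
        return "treat now"
    if score >= 8:
        return "plan treatment"
    return "accept and monitor"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest qualitative score first; annualised loss breaks ties."""
    return sorted(risks, key=lambda r: (r.score(), r.annualised_loss()), reverse=True)


def apply_control(risk: Risk, new_likelihood: str, new_events_per_year: float) -> Risk:
    """Residual risk after a control that lowers likelihood (for example, awareness
    training or stronger authentication against phishing). Impact is unchanged."""
    return replace(risk, likelihood=new_likelihood, events_per_year=new_events_per_year)


def register_report(risks: list[Risk]) -> list[tuple[str, int, str, float]]:
    """(name, score, treatment band, annualised loss) rows in priority order."""
    return [(r.name, r.score(), treatment_band(r.score()), r.annualised_loss())
            for r in prioritize(risks)]


# Constructed sample register using the threat types the article lists (phishing,
# malware, hacking, human error). Frequencies and loss figures are made up.
SAMPLE_RISKS = [
    Risk("Phishing leading to credential theft", "likely", "major", 2.0, 50_000),
    Risk("Malware outbreak on workstations", "possible", "severe", 0.2, 1_500_000),
    Risk("Accidental disclosure of customer data (human error)", "likely", "moderate", 3.0, 10_000),
    Risk("Unauthorised external access to a public-facing server", "unlikely", "major", 0.1, 200_000),
]

if __name__ == "__main__":
    for name, score, band, ale in register_report(SAMPLE_RISKS):
        print(f"{score:>2}  {band:<18} {ale:>12,.0f}  {name}")
    # Step 5: re-score after a control is in place; the top risk drops a band.
    residual = apply_control(SAMPLE_RISKS[0], "unlikely", 0.3)
    print("residual:", residual.score(), treatment_band(residual.score()), residual.annualised_loss())
```

Re-running the report after each change to systems, threats or controls is the "never finished" part of the process: a control that moves the phishing risk from "likely" to "unlikely" lowers its score from 16 to 8, and the register shows the residual risk that still needs monitoring rather than letting it disappear.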


Blindly implementing cybersecurity controls in an attempt to improve your environment’s security posture may have some effect, but it does not guarantee that you are covering the relevant risks, or the risks specific to your environment.

Michael Van Horenbeeck is a Microsoft Certified Solutions Master (MCSM) and Azure Threat Protection MVP from Belgium, and one of the few people worldwide to hold both the coveted certification and award at the same time. He is a dynamic tech enthusiast and focuses on Security, Identity Management, with a history in Messaging and Collaboration. In his daily job, Michael is the CEO at The Collective and works with customers of all sizes around the globe to help them become and stay secure with, and through, Microsoft's solutions and services. Besides his job at The Collective, Michael loves to engage with the community and inspire people. He is the driving force behind the Microsoft 365 Security for IT Pros e-book and you can regularly find him writing about technology for a variety of tech websites or catch him speaking at different events across the globe.
