Last updated

December 1, 2025

{x} minute read

Unpacking ISO 31010: Effective Risk Assessment Techniques

Get a demo

Free trial

Download the PDF guide

Free trial

Written by

Edward Kost

Senior Cybersecurity Writer

Edward is a cyber writer with a mechanical engineering background. His work has been referenced by academic institutions and government bodies.

Reviewed by

Phil Ross

Chief Information Security Officer

Phil is a Forrester Zero Trust Strategist leveraging decades of experience in enterprise cybersecurity architectures.

Table of contents

ISO 31010 is a supplementary document to the risk management standard ISO 31000. It was developed to support the risk assessment process in ISO 31000, outlining different risk assessment techniques to broaden the scope of an organization’s risk evaluation methods.

This post offers a comprehensive overview of ISO/IEC 31010, highlighting the standard’s potential to increase the effectiveness of risk management strategies.

Learn how UpGuard streamlines Vendor Risk Management >

What is ISO 31010?

ISO 31010 is an international standard for risk assessment techniques. It’s a supporting standard for ISO 31000, developed to help organizations improve the quality of risk management processes when implementing ISO 31000.

Read this post for an overview of ISO 31000 >

ISO 31010 keeps with the customization objectives of ISO 31000, making it applicable to most risk management contexts.

The risk assessment methodologies outlined in ISO 31010 are intended to support decision-making during times of uncertainty when managing risk, such as risk information collected from unreliable sources.

How to Use ISO 31010

To provide as much value as possible as an ISO 31000 supportive resource, ISO 31010 outlines an implementation guide for incorporating its assessment techniques within the ISO 31000 risk management framework. This implementation guide outlines the pros and cons of each proposed technique to help stakeholders choose the best option for their requirements.

ISO 31010 techniques could be used in risk management processes or as a tool for comparing the efficacy of different risk management options.

ISO 31010’s implementation guide consists of 5 parts:

Assessment Planning - Guidance for understanding the risk assessment context. This includes defining risk assessment objectives, gathering insight expertise from multiple sources, such as SMEs, and setting a general risk measuring criteria to identify different levels of risks.
Information Management - Guidance for gathering information from multiple sources and recognizing discrepancies to identify and segregate reliable sources.
Assessment Techniques - Guidance on how to follow proposed risk techniques in the context of identified risk sources. Also supports the effort of evaluating existing security control efficacy.
Analysis Review - Guidance on verifying the accuracy of risk assessment results against established risk models. This process involves understanding the probability of occurrence of all uncertainties that could influence result outcomes.
Results Application - The influence of risk assessment results on decision-making against a criterion outlining acceptable risk levels.

The techniques presented in ISO 31010 aren’t just applicable in the risk assessment component of ISO 31000. They can support all of the components of the risk management process of ISO 31000.

The graphic below indicates which ISO 31010 techniques are applicable at each process stage of ISO 31000. The list of techniques corresponding to each number is outlined in the subsequent section of this post.

Corresponding technique numbers in ISO 31000.

The 10 Risk Assessment Techniques of ISO 31010

These techniques map to a specific component of the risk management framework process outlined in ISO 31000 (see graphic above), with the majority concentrated in the risk assessment component. These techniques are defined in Annex A and Annex B of ISO 31010, with the majority focusing on the risk assessment component of the process

1. Techniques for Gathering Insights and opinions from Stakeholders and Subject Matter Experts (SMEs)

1.1 - Brainstorming

Because brainstorming doesn’t require reference to the risk register, mitigation, or failure mode databases, it’s a valuable technique when decision-makers identify risks associated with new technologies before any high-risk data is considered.

Brainstorming is most effective for generating ideas. It’s most effective when followed by other insight-gathering techniques.

1.2 - Delphi Technique

The Delphi technique involves collaborating with a panel of experts to gather their opinions of risk insights, such as the probability of particular risks occurring, the criticality of specific risks, risk treatment, likely lifecycles of different types of risks, etc.

The process involves providing each expert with questions answered in multiple rounds. SMEs are not in the same room during this process. They receive their questions online and answer them anonymously, preventing other opinions from influencing responses in progress.

After each round, a facilitator summarizes the responses and shares them with the group for collaborative feedback. Each expert then receives input about their suggestions from other panel members and is given an opportunity to refine their response based on feedback. The process continues until a consensus of views is reached.

As indicated in the graphic above, the Delphi Technique can be applied in most of the process lifecycles of ISO 31000 when estimating the probability of events and the effects of uncertainty. This technique is especially useful when expert judgment is required for complex scenarios.

The Delphi Technique is beneficial for systematically gathering expert opinions.

1.3 - Nominal Group Technique

The Nominal Group Technique aims to achieve a consensus about a problem by considering diverse opinions. It’s similar to brainstorming, but each person's opinions are collected privately rather than in a group setting.

Each idea is then shared with the group, which votes on the ones they like best. Ideas can be discussed for further clarification, but they’re not debated or discredited.

The Nominal Group Technique is an excellent choice for involving quieter group members in decision-making.

1.4 - Structured or Semi-Structured Interviews Technique

There are two methods to the interview technique - structured and semi-structured. With the structured approach, questions have a predetermined order to ensure consistency across all interviews. With the semi-structured approach, after completing a set of core questions, the interviewee is asked a set of follow-up questions based on their responses.

Inteviews are very useful for gathering detailed information about context-specific risks.

1.5 - Survey Technique

A very popular data collection method. Surveys based around specific risk management initiatives are sent to SMEs. Surveys can also provide helpful expert insights on ideal risk analysis methods and a general understanding of the risks being queried.

Surveys are very effective at collecting large amounts of contextualized risk assessment method information from a large audience.

2. Techniques for Identifying Risks

2.1 - Checklists, Classifications, and Taxonomies

Checklists offer a structured approach to risk identification by outlining a list of uncertainties that need to be addressed during a risk audit. Checklists provide the groundwork for more complex risk analysis, such as scenario analysis, hazard analysis, and root cause analysis.

By providing foundational risk index data, checklist outputs offer the initial supportive steps toward alignment against the risk identification standards of ISO 9001 Clause 6.1.

Checklists should be based on SME expertise and model information that supports the identification of risks and controls.

Learn how to create a vendor risk assessment matrix >

2.2 - Failure Modes and Effects Analysis (FMEA) and Failure Modes Effects and Criticality Analysis (FMECA)

FMEA (Failure Modes and Effects Analysis) and its variant FMECA (Failure Modes, Effects, and Criticality Analysis) are systematic methods for identifying potential failure modes within processes.

These methodologies aim to offer insights about how a particular process could fail and the impacts of this failure. Based on these insights, critical failure modes can be prioritized in mitigation measures.

There are four primary components of failure mode analysis methodology:

Planning - The scope, metrics, and objectives of the analysis are established.
Performance - The analysis is performed to identify failure modes and their impact on other processes.
Documentation - Results and recommended preventative measures are documented.
Maintenance - Analysis documentation is kept updated in line with new condition changes.

Failure mode analysis can be applied across organization domains to improve process reliability and safety.

2.3 - Hazard and Operability (HAZOP) Studies

Hazard and Operability Studies offer a systematic approach to identifying risks and operational issues against risk criteria.

Though HAZOP is a systematic approach to identifying hazard and operability issues, it can be resource-intensive and require expertise to execute well.

2.4 - Scenario Analysis

A range of techniques for determining plausible outcomes through predictive models. Scenario analysis involves exploring the associated risks associated with potential scenario outcomes.

Scenario analysis is a structured approach to exploring risks associated with future outcomes.

2.4 - Structured What If Technique (SWIFT)

SWIFT is a high-level risk identification method employing structured brainstorming (see technique 1.1). This technique combines predetermined guide words (such as timing and amount) with phrases such as “what if?” and “how could” to identify risks at a system or subsystem level.

SWIFT could be used in conjunction with bottom-up methods, like FMEA and HAZOP.

3. Techniques for Determining Sources, Causes and Drivers of Risks

3.1 - Cindynic Approach

The Cindynic Approach (translated as the science of danger) explores divergent opinions between stakeholders (dissonances) and identifies ambiguities between risk sources and drivers (deficits).

3.2 - Ishikawa Analysis

Ishikawa (fishbone) analysis is a team effort of understanding possible causes of desirable and undesirable events. These events are represented in a fishbone-like diagram, where potential factors are organized into broad categories of causes - human, technical, organizational, etc.

3.3 - Root Cause Analysis

Root cause analysis (RCA) aims to identify the cause of risks stemming from several potential sources, including design process techniques and organizational characteristics, human error, and external events from third-party vendors.

A risk matrix could assist in validating potential causes mapping from third-party vendors.

Vendor risk matrix representing the distribution of vendor risks on the UpGuard platform.

Get a free trial of UpGuard >

4. Techniques for Analysis controls

4.1 - Bow Tie Analysis

A graphical representation of events causes mapping to their respective consequences. Sometimes regarded as a simplified fault tree, a bow tie diagram indicates the controls that impact the likelihood and consequences of events

Watch this video for an overview of a bow tie analysis.

4.2 - Hazard Analysis and Critical Control Points (HACCP)

HACCP is useful for ensuring detected risks are addressed with monitoring controls throughout the duration of a process rather than after it’s finished.

Attack surface management could support HACCP efforts as this discipline continuously monitors for real-time security posture disruptions caused by emerging security risks.

Learn how to choose attack surface visibility software >

Watch this video for an overview of UpGuard’s attack surface management features.

Get a free trial of UpGuard >

4.3 - Layers of Protection Analysis (LOPA)

LOPA evaluates the impact of security controls on reducing overall risk levels. A security rating solution could be helpful in such an analysis as it quantifies security posture impacts mapping from security risks and remediation efforts.

The UpGuard platform estimates the likely impact of selected remediation tasks on security postures.

Learn more about UpGuard’s security ratings >

5. Techniques for Understanding Consequences and Likelihood.

These techniques uncover deep insights into the impact risks by considering the context of each risk scenario.

The appendix of techniques in this category includes:

5.1 - Bayesian analysis
5.2 - Bayesian networks and influence diagrams
5.3 - Business Impact Analysis (BIA)
5.4 - Cause Consequence Analysis (CCA)
5.5 - Event Tree Analysis (ETA)
5.6 - Fault Tree Analysis
5.7 - Human Reliability Analysis (HRA)
5.8 - Markov Analysis
5.9 - Monte Carlo Simulations
5.10 - Private Impact Analysis (PIA)

6. Techniques for Analysing Dependencies and Interactions

These techniques uncover the relationships between events, risks, and their respective controls through mapping methods.