ISO 31010 is a supplementary document to the risk management standard ISO 31000. It was developed to support the risk assessment process in ISO 31000, outlining different risk assessment techniques to broaden the scope of an organization’s risk evaluation methods.

This post offers a comprehensive overview of ISO/IEC 31010, highlighting the standard’s potential to increase the effectiveness of risk management strategies.

What is ISO 31010?

ISO 31010 is an international standard for risk assessment techniques. It’s a supporting standard for ISO 31000, developed to help organizations improve the quality of risk management processes when implementing ISO 31000.

ISO 31010 follows the customization objectives of ISO 31000, making it applicable to most risk management contexts.

The risk assessment methodologies outlined in ISO 31010 are intended to support decision-making under uncertainty when managing risk, such as when risk information has been collected from unreliable sources.

How to Use ISO 31010

To provide as much value as possible as a supporting resource for ISO 31000, ISO 31010 includes an implementation guide for incorporating its assessment techniques within the ISO 31000 risk management framework. This implementation guide outlines the pros and cons of each proposed technique to help stakeholders choose the best option for their requirements.

ISO 31010 techniques could be used in risk management processes or as a tool for comparing the efficacy of different risk management options.

ISO 31010’s implementation guide consists of 5 parts:

  • Assessment Planning - Guidance for understanding the risk assessment context. This includes defining risk assessment objectives, gathering expertise from multiple sources, such as SMEs, and setting general risk measurement criteria to distinguish different levels of risk.
  • Information Management - Guidance for gathering information from multiple sources and recognizing discrepancies to identify and segregate reliable sources.
  • Assessment Techniques - Guidance on how to follow proposed risk techniques in the context of identified risk sources. Also supports the effort of evaluating existing security control efficacy.
  • Analysis Review - Guidance on verifying the accuracy of risk assessment results against established risk models. This process involves understanding the probability of occurrence of all uncertainties that could influence result outcomes.
  • Results Application - The influence of risk assessment results on decision-making against a criterion outlining acceptable risk levels.

The techniques presented in ISO 31010 aren’t just applicable in the risk assessment component of ISO 31000. They can support all of the components of the risk management process of ISO 31000.

The graphic below indicates which ISO 31010 techniques are applicable at each process stage of ISO 31000. The list of techniques corresponding to each number is outlined in the subsequent section of this post.

Corresponding technique numbers in ISO 31000.

The 10 Risk Assessment Techniques of ISO 31010

These techniques map to specific components of the risk management process outlined in ISO 31000 (see graphic above), with the majority concentrated in the risk assessment component. They are defined in Annex A and Annex B of ISO 31010.

1. Techniques for Gathering Insights and Opinions from Stakeholders and Subject Matter Experts (SMEs)

1.1 - Brainstorming

Because brainstorming doesn’t require reference to the risk register, mitigation, or failure mode databases, it’s a valuable technique when decision-makers identify risks associated with new technologies before any high-risk data is considered.

Brainstorming is best suited to generating ideas, and it is most effective when followed by other insight-gathering techniques.

1.2 - Delphi Technique

The Delphi technique involves collaborating with a panel of experts to gather their opinions on risk, such as the probability of particular risks occurring, the criticality of specific risks, appropriate risk treatments, the likely lifecycles of different types of risks, etc.

The process involves providing each expert with questions answered in multiple rounds. SMEs are not in the same room during this process. They receive their questions online and answer them anonymously, preventing other opinions from influencing responses in progress.

After each round, a facilitator summarizes the responses and shares them with the group for collaborative feedback. Each expert then receives input about their suggestions from other panel members and is given an opportunity to refine their response based on feedback. The process continues until a consensus of views is reached.

As indicated in the graphic above, the Delphi Technique can be applied in most of the process lifecycles of ISO 31000 when estimating the probability of events and the effects of uncertainty. This technique is especially useful when expert judgment is required for complex scenarios.

The Delphi Technique is beneficial for systematically gathering expert opinions.

1.3 - Nominal Group Technique

The Nominal Group Technique aims to achieve a consensus about a problem by considering diverse opinions. It’s similar to brainstorming, but each person's opinions are collected privately rather than in a group setting.

Each idea is then shared with the group, which votes on the ones they like best. Ideas can be discussed for further clarification, but they’re not debated or discredited.

The Nominal Group Technique is an excellent choice for involving quieter group members in decision-making.

1.4 - Structured or Semi-Structured Interviews Technique

There are two methods to the interview technique - structured and semi-structured. With the structured approach, questions have a predetermined order to ensure consistency across all interviews. With the semi-structured approach, after completing a set of core questions, the interviewee is asked a set of follow-up questions based on their responses.

Interviews are very useful for gathering detailed information about context-specific risks.

1.5 - Survey Technique

Surveys are a very popular data collection method. Surveys built around specific risk management initiatives are sent to SMEs. They can also provide helpful expert insights on suitable risk analysis methods and a general understanding of the risks being queried.

Surveys are very effective at collecting large amounts of contextualized risk information from a large audience.

2. Techniques for Identifying Risks

2.1 - Checklists, Classifications, and Taxonomies

Checklists offer a structured approach to risk identification by outlining a list of uncertainties that need to be addressed during a risk audit. Checklists provide the groundwork for more complex risk analysis, such as scenario analysis, hazard analysis, and root cause analysis.

By providing foundational risk index data, checklist outputs offer the initial supportive steps toward alignment against the risk identification standards of ISO 9001 Clause 6.1.

Checklists should be based on SME expertise and model information that supports the identification of risks and controls.

2.2 - Failure Modes and Effects Analysis (FMEA) and Failure Modes Effects and Criticality Analysis (FMECA)

FMEA (Failure Modes and Effects Analysis) and its variant FMECA (Failure Modes, Effects, and Criticality Analysis) are systematic methods for identifying potential failure modes within processes.

These methodologies aim to offer insights about how a particular process could fail and the impacts of this failure. Based on these insights, critical failure modes can be prioritized in mitigation measures.

There are four primary components of failure mode analysis methodology:

  • Planning - The scope, metrics, and objectives of the analysis are established.
  • Performance - The analysis is performed to identify failure modes and their impact on other processes.
  • Documentation - Results and recommended preventative measures are documented.
  • Maintenance - Analysis documentation is kept updated in line with new condition changes.

Failure mode analysis can be applied across organization domains to improve process reliability and safety.

2.3 - Hazard and Operability (HAZOP) Studies

Hazard and Operability Studies offer a systematic approach to identifying risks and operational issues against risk criteria.

Though HAZOP is a systematic approach to identifying hazard and operability issues, it can be resource-intensive and require expertise to execute well.

2.4 - Scenario Analysis

Scenario analysis comprises a range of techniques for determining plausible outcomes through predictive models, exploring the risks associated with each potential outcome.

Scenario analysis is a structured approach to exploring risks associated with future outcomes.

2.5 - Structured What If Technique (SWIFT)

SWIFT is a high-level risk identification method employing structured brainstorming (see technique 1.1). This technique combines predetermined guide words (such as timing and amount) with phrases such as “what if?” and “how could” to identify risks at a system or subsystem level.

SWIFT could be used in conjunction with bottom-up methods, like FMEA and HAZOP.

3. Techniques for Determining Sources, Causes and Drivers of Risks

3.1 - Cindynic Approach

The Cindynic Approach (translated as the science of danger) explores divergent opinions between stakeholders (dissonances) and identifies ambiguities between risk sources and drivers (deficits).

3.2 - Ishikawa Analysis

Ishikawa (fishbone) analysis is a team-based effort to understand the possible causes of desirable and undesirable events. These causes are represented in a fishbone-like diagram, where potential factors are organized into broad categories - human, technical, organizational, etc.

3.3 - Root Cause Analysis

Root cause analysis (RCA) aims to identify the cause of risks stemming from several potential sources, including design process techniques and organizational characteristics, human error, and external events from third-party vendors.

A risk matrix can help validate potential causes that map to third-party vendors.

Vendor risk matrix representing the distribution of vendor risks on the UpGuard platform.
4. Techniques for Analysing Controls

4.1 - Bow Tie Analysis

Bow tie analysis is a graphical representation of how the causes of events map to their respective consequences. Sometimes regarded as a simplified fault tree, a bow tie diagram indicates the controls that affect the likelihood and consequences of events.

4.2 - Hazard Analysis and Critical Control Points (HACCP)

HACCP is useful for ensuring detected risks are addressed with monitoring controls throughout the duration of a process rather than after it’s finished.

Attack surface management could support HACCP efforts as this discipline continuously monitors for real-time security posture disruptions caused by emerging security risks.

4.3 - Layers of Protection Analysis (LOPA)

LOPA evaluates the impact of security controls on reducing overall risk levels. A security rating solution can be helpful in such an analysis because it quantifies how security risks and remediation efforts affect security posture.

The UpGuard platform estimates the likely impact of selected remediation tasks on security postures.
5. Techniques for Understanding Consequences and Likelihood

These techniques uncover deep insights into the impact of risks by considering the context of each risk scenario.

The list of techniques in this category includes:

  • 5.1 - Bayesian analysis
  • 5.2 - Bayesian networks and influence diagrams
  • 5.3 - Business Impact Analysis (BIA)
  • 5.4 - Cause Consequence Analysis (CCA)
  • 5.5 - Event Tree Analysis (ETA)
  • 5.6 - Fault Tree Analysis
  • 5.7 - Human Reliability Analysis (HRA)
  • 5.8 - Markov Analysis
  • 5.9 - Monte Carlo Simulations
  • 5.10 - Privacy Impact Analysis (PIA)

6. Techniques for Analysing Dependencies and Interactions

These techniques uncover the relationships between events, risks, and their respective controls through mapping methods.

The list of techniques in this category includes:

  • 6.1 - Causal Mapping
  • 6.2 - Cross Impact Analysis

7. Techniques for Risk Measurement

These techniques measure the broader impact of risk across different systems.

The list of techniques in this category includes:

  • 7.1 - Toxicological risk assessments
  • 7.2 - Value at Risk (VaR)
  • 7.3 - Conditional value at risk (CVaR)
  • 7.4 - Data protection impact analysis

8. Techniques for Evaluating Risk Significance

After the impact of a risk has been measured, these techniques help determine how each risk should be managed depending on its severity. They need to be applied through the lens of your defined risk appetite.

The list of techniques in this category includes:

  • 8.1 - Frequency Number (F-N) diagrams
  • 8.2 - Pareto Charts
  • 8.3 - Reliability Centred Maintenance (RCM)
  • 8.4 - Risk Indexes

9. Techniques for Selecting Between Options

These techniques support decision-making when faced with multiple risk treatment options. These decisions are made in the context of a predefined risk appetite, helping security teams decide which risks can be accepted and which require treatment to bring them within tolerance levels.

The list of techniques in this category includes:

  • 9.1 - Cost-benefit analysis (CBA)
  • 9.2 - Decision tree analysis
  • 9.3 - Game theory
  • 9.4 - Multiple criteria analysis

10. Techniques for Recording and Reporting

These techniques keep the risk index updated and record all risk mitigation efforts. The resulting paper trail allows security teams to track the improvement of their overall risk management strategies over time.

The list of techniques in this category includes:

  • 10.1 - Maintaining an up-to-date risk register
  • 10.2 - S-Curve
  • 10.3 - Bow tie analysis

Stakeholders also need to be kept informed of your risk management program performance. This is most efficiently achieved with cybersecurity reporting.

UpGuard offers a range of editable executive reporting templates to accommodate different risk program communication objectives.

UpGuard's library of executive report templates.

When the board needs to be updated on your risk management program efforts, UpGuard’s board summary report can be instantly exported into editable PowerPoint slides, streamlining the entire board meeting preparation process.

UpGuard's board summary reports can be exported as editable PowerPoint slides.