ISO/IEC 27005 Objective: The standard explicitly provides guidelines for information security risk management, supporting the general concepts specified in ISO/IEC 27001. It does not mandate specific technical algorithms or quality management processes; rather, it offers a structured methodology for risk analysis and treatment.

Opportunity Definition: An opportunity is formally defined as a combination of circumstances expected to be favourable to objectives. This contrasts with a threat, which is a potential cause of an unwanted incident, and a vulnerability, which is a weakness that a threat can exploit.

Context Establishment Approach: SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis is a foundational model for analysing an organisation's strategic context, enabling leadership to determine where to invest resources to maximise effectiveness.

Interested Parties: The context establishment phase requires identifying basic requirements for all relevant internal and external interested parties, ensuring that the ISMS addresses the full stakeholder ecosystem rather than just internal IT staff.

Risk Identification Approach: The asset-based approach focuses on operational scenarios centred on the inspection of specific primary and supporting assets, along with their corresponding threats and vulnerabilities. Conversely, the event-based approach establishes high-level strategic scenarios.

Vulnerability Classification: Vulnerabilities are categorised as intrinsic (inherent flaws in the asset itself, such as software bugs) or extrinsic (external environmental factors). An unstable power grid or a facility in a flood zone represents an extrinsic vulnerability.

Single Loss Expectancy (SLE): In quantitative risk analysis, SLE represents the monetary loss resulting from a single occurrence of a risk event. It serves as the baseline for calculating annualised financial impacts.

SLE Calculation: SLE is calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF). Therefore, $200,000 multiplied by 0.50 (50%) results in a Single Loss Expectancy of $100,000.

Inherent Risk: The baseline level of risk present before any controls, countermeasures, or mitigating actions are implemented. It represents the raw threat landscape.

Unacceptable Residual Risk: If residual risk remains unacceptable (i.e., exceeds the target risk defined by the acceptance criteria), the organisation must implement a risk improvement plan to systematically reduce the residual risk to an acceptable level.

Risk Modification: Risk modification is the active process of reducing risk through the strategic selection and implementation of security controls, aiming to align residual risk with organisational acceptance criteria.

Risk Avoidance: Risk avoidance involves a definitive decision not to start or to halt an activity that poses a particular risk, usually because the risk significantly exceeds the organisation's appetite and cannot be mitigated cost-effectively.

Risk Register Purpose: A risk register consolidates critical information on identified risks, including descriptions, likelihoods, sources, and current controls, to inform stakeholders and those responsible for ongoing management.

Principle of Appropriateness: Effective risk communication requires the principle of appropriateness, which dictates that information be delivered in formats, languages, and media that specifically meet the needs and comprehension levels of the intended recipients.

Continuous Monitoring Imperative: Risks are inherently dynamic. Threat landscapes, asset values, and vulnerabilities change abruptly. Therefore, continual monitoring is paramount for detecting these shifts and ensuring the ongoing efficacy of the ISMS.

Corrective Action Definition: A corrective action goes beyond a mere temporary fix; it is a systematic action taken to permanently eliminate the root cause of an identified nonconformity or undesirable event, thereby preventing its reoccurrence.

OCTAVE Variants: The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology is available in four distinct forms to accommodate different organisational scales and focus areas: OCTAVE Method, OCTAVE-S, OCTAVE Allegro, and OCTAVE FORTE.

EBIOS Workshop 1: The EBIOS Risk Manager methodology utilises five collaborative workshops. Workshop 1 explicitly focuses on establishing the scope and the security baseline, defining exactly what the organisation aims to protect.

MEHARI Knowledge Base: MEHARI provides an extensive knowledge base containing approximately 800 predefined risk scenarios. This allows organisations to select and adapt relevant scenarios to estimate intrinsic likelihood and impact.

NIST RMF Initialisation: The NIST Risk Management Framework is a 7-step process that begins with the "Prepare" step. This step establishes key roles, responsibilities, and the overarching organisational risk management strategy