Quiz - summary

  • Top Management Responsibility: Top management is unequivocally responsible for ensuring that adequate resources (personnel, budget, time, and tools) are allocated to risk management, as this dictates the viability of the entire ISMS.

  • Leadership Commitment: Management demonstrates active commitment not by executing technical tasks, but by providing strategic direction, such as issuing formalised policies that outline the organisation's risk management approach, plan, and course of action.

  • Risk Criteria Variables: When establishing risk criteria, an organisation must define precisely how consequence and likelihood will be predicted, measured, and categorised, ensuring consistency in how risks are evaluated across different departments.

  • Information Security Scope: Information security is a holistic discipline that determines exactly what needs protection, the rationale for protecting it (why), the mechanisms for protection (how), and the specific threat vectors it must protect against.

  • Event-Based Approach: The event-based approach to risk identification focuses on identifying broad, strategic scenarios by considering high-level risk sources and their impact on business objectives, rather than getting bogged down in individual hardware asset analysis.

  • Vulnerability and Threat Dynamics: A core tenet of ISO/IEC 27005 is that a vulnerability (a weakness) is passive and cannot cause damage on its own; a threat (a potential danger or actor) must actively exploit that vulnerability to actualise the risk.

  • Annual Loss Expectancy (ALE): ALE is a critical quantitative metric calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). It provides the expected yearly financial loss for a specific risk.

  • Return on Security Investment (ROSI): ROSI utilises the ALE calculation to determine the cost-benefit ratio of implementing a security control. If the cost of the control exceeds the ALE reduction, the ROSI is negative, and the control is generally not recommended.

  • Residual Risk Definition: Residual risk is the risk that remains after implementing risk treatment options (controls). It is the critical metric that top management must ultimately review and accept.

  • Risk Sharing (Outsourcing): Risk sharing involves distributing the risk burden with external entities. Outsourcing IT operations or purchasing cybersecurity insurance are primary mechanisms for sharing the financial or operational impact of a risk.

  • Unconscious Risk Retention: If an organisation fails to identify a risk during the assessment phase, it inherently accepts its consequences without realising it. This dangerous state is defined as the retention of unconscious risk.

  • Detective Controls: Security controls are categorised by their temporal relationship to an event. Detective controls (e.g., intrusion detection systems) are intended to identify and alert administrators to information security events as they occur.

  • Documentation Rationale: Recording the rationale for risk-based decisions is highly recommended because it provides an auditable trail, allows organisations to learn from past analytical errors, and drives the continual improvement of the risk management framework.

  • Communication Outcomes: Effective communication and consultation foster transparency. When interested parties are involved early and often, they are far more likely to engage with the process and take ownership of the resulting decisions and mitigation plans.

  • EBIOS Strategic Cycle Transition: The EBIOS Risk Manager methodology utilises both operational and strategic cycles. The strategic cycle is re-evaluated when major organisational, external (regulatory), or significant information system changes disrupt the foundational context.

  • EBIOS Attack Sequence - Knowing: Operational scenarios in EBIOS RM are modelled on an attack sequence. The "Knowing" phase encompasses external reconnaissance, intelligence gathering, and source recruitment prior to any actual system intrusion.

  • CRAMM Methodology: The CCTA Risk Analysis and Management Method (CRAMM) is distinctive for its heavy reliance on proprietary supporting software to guide users through its three stages: Initiation, Risk Analysis, and Risk Management.

  • Harmonised TRA Risk Assessment Phase: In the Canadian Harmonised TRA methodology, the risk assessment phase culminates in the calculation of residual risks and the compilation of a prioritised list of these risks.

  • NIST RMF Categorisation: Step 2 of the NIST Risk Management Framework is "Categorise," in which the organisation determines the criticality and impact of potential loss of confidentiality, integrity, and availability for specific information systems.

  • OCTAVE-S: Developed by the Software Engineering Institute, OCTAVE-S is specifically tailored to provide a self-directed risk evaluation method for small organisations possessing a simple hierarchical structure and limited resources.

Advanced Risk Management

  • Course Motivation

0.0 Shifting from technical execution to strategic risk management.

  • The Strategic Imperative of the Security Function
  • IBM - Motivation for Risk Analysis in CyberSecurity (11 min)
  • Google - Security Frameworks (30 min)
  • Introduction: The Evolution of Security Management

1. Introduction to ISO/IEC 27005 and information security risk management

  • Introduction: The Evolution of Risk Management Standardisation
  • International Standardisation: ISO 31000 versus ISO 27005
  • The ISO Risk Management and other frameworks
  • The Psychology of Risk Perception and Decision-Making
  • The ISO 31000 Architecture: Principles, Framework, and Process
  • Review of Risk Assessment Methodologies (IEC 31010)
  • Scope, Context, and Criteria
  • Leadership, Governance, and Corporate Commitment
  • Quiz01 - Risk Management [Day01]

2. Information Security Risk Identification, Assessment, and Treatment (ISO/IEC 27005)

  • Identification and description of information security risks
  • Identification of risk owners
  • Assessment of potential consequences
  • Determination of risk levels
  • Comparison of risk analysis results with established risk management criteria
  • Risk prioritization
  • Determination of required controls for risk treatment
  • Risk treatment plan
  • Quiz02 - Risk Identification, Assessment and Treatment [day2]

3 - Risk Acceptance, Communication, Monitoring and Review

  • Key Takeaways (Module 01 - Module 02)
  • Quiz03 - Recap - Session 1 & 2
  • Communication and Consultation of Results
  • Documentation of the Risk Analysis Process
  • Documentation of Results
  • Monitoring of Risk-Generating Factors
  • Deep Dive: Navigating Complexity with ISO/TS 31050 and the Risk Intelligence Cycle
  • Future-Looking Challenges for Risk Management and ISO/IEC 27005

4 - Risk Assessment Methodologies

  • The Methodological Shift: Transcending Traditional Frameworks
  • Technique 1: STRIDE for Cloud and PaaS Architectures
  • Technique 2: Subjective Evaluation of Opaque AI Risks
  • FMEA, Red Teaming, and Risk Register Integration
  • Risk Monitoring Processes
  • Part B: Procedure to Execute an FMEA Analysis

05 - ISO 27005 Risk Assessment Using FMEA

  • Process Overview - Lab: AI and Cloud Services
  • Quiz - Simulation exam
  • Quiz - summary