Managing IT Risks

--Originally published at Stories by Juan Andrés Rocha on Medium

First of all, what is risk? Risk is a word which here means the possibility of something bad happening, for example, stumbling on a rock and dropping your ice cream.

We could’ve managed that risk by taking the rock out of the way when we went to buy our ice cream in the first place, but we may have thought it wasn’t worth the time or effort. Now that we’re about to lose our ice cream, we regret it.

Imagine this happening not to your ice cream, but to a bunch of other people’s data in your hands. Credit card information, birth certificates, pictures of their dogs.

There are several frameworks that help us prevent or manage these risks, but we’re going to talk about ISO 27005.

The newest version of ISO 27005 was released in 2011, and since every standard is reviewed every 5 years, it is currently under review.

It basically consists of guidelines for identifying, analyzing, and assessing risks, divided into categories like:

Context Establishment:

First, you have to establish a context by identifying the essential assets and values to protect. Also, evaluate possible risks and their consequences, and define the boundaries of the administrator.

Risk Assessment:

This phase consists of risk identification, analysis and evaluation.

Risk Treatment:

In risk treatment you decide how to treat the risk: whether you ignore it or do something about it, and how you plan to treat it.

Risk Acceptance:

Here you decide whether you accept the plan or not.

Risk Communication:

This one is pretty obvious.

Risk Monitoring:

Here you monitor the risks; new risks may appear, as they’re not static.

Here’s a nice report on how to use ISO 27005.