ISRM: Identify and Achieve an Acceptable Level of Risk. Information security risk management (ISRM) is the application of risk-management procedures to the use of IT. It covers the identification, assessment, and treatment of risks to the confidentiality, integrity, and availability of an organization's assets.
The ultimate purpose of this process is to treat risk in line with the organization's overall risk tolerance. An organization should not expect to eliminate every threat; instead, it should determine an acceptable level of risk for its business and work to establish and maintain that level.
ISRM phases:
Identification
Identify assets: what are your organization's "crown jewels" in terms of data, systems, or other assets? Which assets, if their confidentiality, integrity, or availability were compromised, would have the greatest effect on the organization? The value of protecting data such as social security numbers and intellectual property is easy to see.
Identify vulnerabilities: what vulnerabilities in systems or applications put the confidentiality and integrity of those assets at risk? What weaknesses in organizational processes could compromise information?
Identify threats: what are the potential causes of harm to assets or information? For example, is your company's data center located in a region where environmental threats such as tornadoes and floods are more prevalent?
Identify controls: what controls do you already have in place to protect these assets? A control directly addresses an identified vulnerability or threat either by fixing it entirely (remediation) or by reducing the likelihood and/or impact of the risk (mitigation). For instance, a control that automatically removes users from an application when they are terminated addresses the risk that terminated users keep access to that application. A control that addresses the risk only indirectly, as a "safety net", is a compensating control.
Assessment
This is the process of combining the information you have collected about assets, vulnerabilities, threats, and controls to rate a risk. Several frameworks and methods exist for this, and the exact equation varies somewhat, but a common form is:
Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value) – security controls
Treatment
Once a risk has been assessed and reviewed, an organization must choose one of the following treatment options:
Remediation: implement a control that fully or almost fully fixes the underlying risk.
Example: you have found a vulnerability on a server that stores sensitive assets and have applied a patch for it.
Mitigation: reduce, but do not fully eliminate, the likelihood and/or impact of the risk.
Example: you have found a vulnerability on a server that stores sensitive assets, but instead of patching it you add a firewall rule that allows only specific applications to reach the server.
Transference: transfer the risk to another entity so that your organization can recover the cost of the risk from that entity if it is realized.
Example: you rely on devices you cannot fully secure, so you purchase an insurance policy to cover the risk.
Risk acceptance: do not fix the risk. This is appropriate where the risk is clearly low and the time and money needed to fix it would exceed the cost of the risk if it were realized.
Example: you have found a vulnerability on a server, but you have determined that there is nothing sensitive on that server, that it cannot be used as an entry point to other critical assets, and that the vulnerability is very difficult to exploit successfully. You therefore decide that fixing it is not worth the time and money.
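The risk equation from the assessment phase and the four treatment options above can be tied together in a small scoring script. The Python below is an added illustration, not code from the original article or from any standard. Its scales are assumptions chosen for the example: threat, exploit likelihood, and exploit impact are numbers in [0, 1]; asset value and treatment costs are in the same currency unit, so a risk figure reads as an expected loss; and each control removes a fixed fraction of the remaining risk, which stands in for the article's subtractive "minus security controls" term. The server, control names, costs, and risk appetite are constructed sample data.

```python
"""Toy ISRM scoring and treatment selection (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    reduction: float   # fraction of the remaining risk this control removes, 0..1 (assumed model)
    cost: float = 0.0  # one-off cost of putting the control in place


@dataclass
class RiskItem:
    asset: str
    asset_value: float         # worth of the asset, in currency units
    threat: float              # 0..1, likelihood the threat source acts against this asset
    exploit_likelihood: float  # 0..1, likelihood an attempt against the weakness succeeds
    exploit_impact: float      # 0..1, share of the asset value lost on success
    controls: List[Control] = field(default_factory=list)  # controls already in place


def vulnerability_score(item: RiskItem) -> float:
    """The bracketed term of the equation: exploit likelihood x exploit impact."""
    return item.exploit_likelihood * item.exploit_impact


def inherent_risk(item: RiskItem) -> float:
    """Risk before any controls: threat x vulnerability x asset value."""
    return item.threat * vulnerability_score(item) * item.asset_value


def residual_risk(item: RiskItem, extra: Optional[List[Control]] = None) -> float:
    """Apply existing controls plus any proposed ones; each removes a fraction of what remains."""
    risk = inherent_risk(item)
    for ctrl in item.controls + list(extra or []):
        risk *= 1.0 - ctrl.reduction
    return risk


def choose_treatment(item, risk_appetite, remediation=None, mitigation=None, transfer=None):
    """Return (option, residual risk after it).

    Accept outright when the current residual risk is already within appetite.
    Otherwise rank the options by total cost (treatment cost plus the risk left
    after it). Doing nothing stays a candidate, so acceptance still wins when
    every treatment costs more than the risk it removes."""
    current = residual_risk(item)
    if current <= risk_appetite:
        return "accept", current
    candidates = {"accept": (0.0, current)}
    for option, ctrl in (("remediate", remediation), ("mitigate", mitigation), ("transfer", transfer)):
        if ctrl is not None:
            candidates[option] = (ctrl.cost, residual_risk(item, [ctrl]))
    best = min(candidates, key=lambda o: candidates[o][0] + candidates[o][1])
    return best, candidates[best][1]


# Constructed sample data, loosely following the article's own examples.
OFFBOARDING = Control("remove accounts on termination", reduction=0.25)
PATCH = Control("apply vendor patch", reduction=0.95, cost=2_000)
FIREWALL_RULE = Control("allow only approved applications", reduction=0.60, cost=500)
INSURANCE = Control("cyber insurance policy", reduction=0.80, cost=5_000)

FILE_SERVER = RiskItem("customer records file server", asset_value=200_000,
                       threat=0.6, exploit_likelihood=0.5, exploit_impact=0.4,
                       controls=[OFFBOARDING])
TEST_BOX = RiskItem("isolated test VM", asset_value=5_000,
                    threat=0.3, exploit_likelihood=0.2, exploit_impact=0.5)
RISK_APPETITE = 5_000  # largest expected loss the organization will carry untreated


if __name__ == "__main__":
    for item in (FILE_SERVER, TEST_BOX):
        option, left = choose_treatment(item, RISK_APPETITE, PATCH, FIREWALL_RULE, INSURANCE)
        print(f"{item.asset}: inherent {inherent_risk(item):,.0f}, "
              f"residual {residual_risk(item):,.0f} -> {option} (leaves {left:,.0f})")
```

For the file server the inherent risk is 24,000 and the existing offboarding control brings it to 18,000, well above the 5,000 appetite; patching costs 2,000 and leaves 900, which beats the firewall rule and the insurance policy on total cost, so the script recommends remediation. The test VM scores 150 and is accepted without any treatment. Raising the patch cost to 20,000 flips the recommendation to mitigation, which is exactly the trade-off the acceptance and mitigation options above describe.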
Communication
Whatever treatment is chosen, the decision must be communicated within the organization. Stakeholders need to understand the costs of, and the reasoning behind, the decision to treat or not to treat a risk. The roles and responsibilities of individuals and teams in the organization should be explicitly defined and linked so that the right people are involved in the process at the right time.

