
Security risk management is the structured discipline of identifying the security threats an organisation faces, assessing the risk they pose, and treating that risk in a defensible way. In Australia, it is built on AS ISO 31000:2018, the risk management standard, and applied to security by the handbook SA HB 167:2025. It is the foundation that protective security, critical infrastructure and prudential frameworks all draw on.

For security managers, risk and governance leads, and any organisation that needs a defensible basis for its security decisions, the value is in the process rather than any single report. This page explains what security risk management is, the standards that govern it, how a security risk assessment puts it into practice, and why a single credible risk process can feed into several of the frameworks an organisation has to meet.

Overview

What is security risk management?

Security risk management is the structured process of identifying the security threats an organisation faces, assessing how likely they are and how serious their consequences would be, and deciding how to treat them. It applies the general principles of risk management to the specific problem of protecting people, information, assets and reputation from deliberate harm.

Unlike a one-off audit, it is a continuing cycle. The threat environment changes, the organisation changes, and controls that were adequate last year may no longer be adequate. A credible security risk management process gives an organisation a defensible basis for its security decisions and a clear record of why each control is in place.

The standard

AS ISO 31000:2018 and the risk management process

AS ISO 31000:2018, Risk management — Guidelines, is the current Australian standard for risk management. It is the Australian adoption of ISO 31000:2018 and replaces the earlier AS/NZS ISO 31000:2009. It sets out a process that runs from establishing the scope, context and criteria, through risk assessment — identification, analysis and evaluation — to risk treatment, with communication and consultation, and monitoring and review, running throughout.

The AS ISO 31000:2018 risk management process and a five-by-five security risk matrix.

The standard is deliberately general. It gives the structure rather than the security-specific detail, which is where SA HB 167:2025 comes in.

Security focus

How SA HB 167:2025 applies the process to security risk

SA HB 167:2025, Managing Security-Related Risks, is the Standards Australia handbook that applies the AS ISO 31000:2018 process to security. It replaces the 2006 edition and was developed by the committee responsible for security and resilience. It provides guidance for executives, managers and practitioners on identifying and managing risks to people, assets, information and reputation, including threat and vulnerability assessment techniques such as scenario analysis and red teaming.

The handbook is designed to complement AS ISO 31000:2018 and references AS/NZS 5050 for managing disruption-related risk. In short, AS ISO 31000:2018 sets the process, and SA HB 167:2025 shows how to run it for security.

Starting point

The security risk assessment is the practical starting point

In practice, the process begins with a security risk assessment. A security risk assessment identifies the threats and vulnerabilities relevant to an organisation, analyses the risk each presents, and evaluates it against the organisation’s risk criteria, producing a prioritised picture that the rest of the program builds on. The security risk matrix shown above is a common tool for rating risks based on their likelihood and consequences.

A structured security risk assessment is usually the first engagement, and its output serves as the input for every other framework.

The foundation

How security risk management underpins the other frameworks

Security risk management is the common spine beneath the other frameworks on this hub. The PSPF asks government entities to manage protective security risk; the SOCI Act requires a risk-management program for critical infrastructure assets; and APRA’s prudential standards, covered in the financial services and APRA pillar, require regulated entities to manage operational and information security risk. Each ultimately asks the same thing: identify the risks, treat them, and show the work.

An organisation that runs one credible risk process in accordance with AS ISO 31000:2018 and SA HB 167:2025 can meet several of these obligations from it rather than repeating the exercise for each. The same process also underpins physical and facility security, determining which physical controls the risk actually justifies.

How we help

How Agilient supports security risk management

Agilient applies AS ISO 31000:2018 and SA HB 167:2025 to real security problems. The work is independent and vendor-neutral, and spans government, healthcare, aviation, defence and critical infrastructure.

  - Security risk assessments: a prioritised view of the threats, vulnerabilities and risks you face.
  - Threat and risk assessments: threat and vulnerability analysis for specific assets, sites or events.
  - Risk treatment planning: treatments matched to the risk, with owners and timeframes.
  - Framework and policy development: a risk management framework and policy aligned to the standards.
  - Standards-aligned advisory: advice grounded in AS ISO 31000:2018 and SA HB 167:2025.
  - Monitoring and review: keeping the risk picture current as the organisation and threats change.

Agilient works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.

Build a defensible security risk picture

A security risk assessment in accordance with AS ISO 31000:2018 and SA HB 167:2025 is the practical first step and the foundation on which all other frameworks are built.

Request a security risk assessment or book a short briefing.

FAQs

Frequently asked questions

What is security risk management?

Security risk management is the structured process of identifying the security threats an organisation faces, assessing their likelihood and consequence, and treating the risk in a defensible way. It applies the principles of risk management to protecting people, information, assets and reputation from deliberate harm.

What standard applies to risk management in Australia?

The current standard is AS ISO 31000:2018, Risk management — Guidelines. Specifically for security, the Standards Australia handbook SA HB 167:2025, Managing Security-Related Risks, applies the AS ISO 31000:2018 process to security risks.

Is AS ISO 31000 the same as AS/NZS ISO 31000?

No. AS ISO 31000:2018 is the current Australian adoption of ISO 31000:2018. The earlier AS/NZS ISO 31000:2009 edition has been superseded and should not be cited as the current standard.

What is the difference between AS ISO 31000 and SA HB 167?

AS ISO 31000:2018 sets out the general risk management process. SA HB 167:2025 is a handbook that applies the process to security risk, with security-specific guidance such as threat and vulnerability assessment. The handbook complements the standard.

Where does security risk management start?

It usually starts with a security risk assessment, which identifies the threats and vulnerabilities relevant to an organisation, rates each risk by likelihood and consequence, and produces a prioritised picture that the rest of the security program builds on.

References

  1. Standards Australia, AS ISO 31000:2018 Risk management — Guidelines, standards.org.au
  2. Standards Australia, SA HB 167:2025 Managing Security-Related Risks, standards.org.au
  3. Standards Australia, AS/NZS 5050 Managing disruption-related risk, standards.org.au