Risk management

□ [ISO/IEC 27002:2000]

Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.

The process of identifying, controlling, reducing or eliminating, at an acceptable cost, security risks that may affect information systems.

□ [ISO Guide 73:2002]

Coordinated activities to direct and control an organization with regard to risk.

Coordinated activities to direct and control an organization's risk.

NOTE: Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication.

Note: risk management activities generally include risk assessment, risk treatment, risk acceptance and risk communication.

□ [ISO/IEC TR 13335-1:2004]

The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.

The whole process of identifying, controlling, eliminating or reducing the impact of undesired events on IT system resources.