Definition

Risk matrix

A risk matrix classifies risks by probability and impact, facilitating prioritization and treatment.

The risk matrix crosses occurrence probability with impact magnitude to classify risks into levels (low, medium, high, critical). Widely used in ISO 27001, ISO 31000 and ISO 22301 to prioritize treatment and allocate resources.

Key aspects

Probability x impact

Each risk is evaluated on two dimensions. The intersection determines the risk level.

Prioritization

Red zone risks require immediate treatment. Green zone risks can be accepted or monitored.

Periodic review

Must be reviewed when context, assets, threats or existing controls change.

Frequently asked questions

Depends on maturity. A 5x5 offers greater granularity. ISO 31000 does not prescribe a specific format.

ISO 27001 requires a risk assessment process but does not prescribe the tool. The matrix is most used but other methodologies are acceptable.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Risk matrix

Key aspects

Probability x impact

Prioritization

Periodic review

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Risk matrix

Key aspects

Probability x impact

Prioritization

Periodic review

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Risk matrix

Key aspects

Probability x impact

Prioritization

Periodic review

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Risk matrix

Key aspects

Probability x impact

Prioritization

Periodic review

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?