Managers themselves are often sufficiently stimulated to finance the implementation of formal risk management processes because of the doubts they have the return on investment. Boards, management, business unit managers, auditors, external partners, and customers all want to be reassured about the existence of a formal risk management process that is proved and helps the company protect its assets. When establishing a formal risk management process, the recommendations of the standards, especially ISO 31000 and 27005. Risks are an inherent part of business, and every business executive is preoccupied with their mitigation. The impact of certain risks can have dramatic consequences, posing a major threat to a company. The goal of security risk management is to analyze and present the state of risk, making it possible to prioritize and improve mitigation measures. Through risk management, chief information security officer and information security professionals have the opportunity to influence decisions and increase the visibility of the added value of the efforts.