# Security Risk Management

The security risk framework, explained in the Security Risk Management Standard for NTT DATA EMEAL, defines the roles and responsibilities of all actors involved in risk management and describes the various risk approaches and risk governance instances.

The steps for systematic risk management, such as establishing the context, identifying and evaluating risks, treating risks, communicating, and reviewing, are outlined based on the ISO 27005 standard.

The approach to security risk management is oriented both to protecting work tools and products and to ensuring business objectives, so two security risk dimensions are distinguished: asset-based risk assessment and operational risk assessment.

Risk governing bodies at strategic and operational levels, and the communication and escalation mechanisms for risk owners and committees, are also defined.

Risk treatment measures are implemented to keep risk levels below the risk appetite established by Top Management, and monitoring actions are carried out to ensure they are completed in due time. Assessments are performed at least yearly.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://trustcenter.syntphony.com/trust-center/security/security-risk-management.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
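The following is an added example of a small client for the query mechanism described above; it is not the trust center's own tooling. It takes the page URL from this page, attaches the question as the `ask` query parameter with proper URL encoding (a raw `?` or `&` inside the question would otherwise be read as part of the query syntax), and refuses non-HTTPS page URLs. The assumption that the response body is plain text or markdown is mine; the service's actual response format is not described on this page.

```python
"""Query a trust-center documentation page via its `ask` parameter (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import urllib.request

# Page URL as given in the documentation above.
PAGE_URL = "https://trustcenter.syntphony.com/trust-center/security/security-risk-management.md"


def build_ask_url(page_url: str, question: str) -> str:
    """Return page_url with `question` attached as the URL-encoded `ask` parameter.

    Any query parameters already present on page_url are preserved; the question
    is encoded so that characters such as '?', '&' and '#' cannot alter the URL.
    """
    question = question.strip()
    if not question:
        raise ValueError("question must not be empty")
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        # Documentation queries may contain internal context; never send them in clear.
        raise ValueError("documentation queries must use https")
    params = parse_qsl(parts.query, keep_blank_values=True) + [("ask", question)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def ask(page_url: str, question: str, timeout: float = 10.0) -> str:
    """Perform the GET request and return the response body as text.

    Assumption (not stated on the page): the service answers with text or markdown.
    """
    url = build_ask_url(page_url, question)
    req = urllib.request.Request(
        url, headers={"Accept": "text/markdown, text/plain;q=0.9, */*;q=0.1"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Network call; only runs when executed directly.
    print(ask(PAGE_URL, "How often are security risk assessments performed?"))
```

The `build_ask_url` helper is kept separate from the network call so the URL construction can be checked offline; a question like `What is the risk appetite? & who sets it` becomes a single `ask` value rather than two parameters.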
