Regularly identify, analyze, and evaluate security risks to organizational assets.

• Asset inventory and classification
• Threat and vulnerability identification
• Risk calculation (likelihood × impact)
• Risk treatment decisions