
The risk management framework, explained without the jargon

A plain-language guide to the risk management framework: what it is, why it matters, and how the NIST Risk Management Framework (RMF), ISO 31000, and COSO ERM compare. Learn the seven RMF steps and how to choose a framework for your program.

The short version

What is a risk management framework?

A risk management framework is a structured, repeatable approach for identifying, assessing, treating, and monitoring risk across an organization. Instead of handling each risk ad hoc, a framework gives your team a shared method, a common vocabulary, and a clear line of accountability for every decision about risk. The most widely used frameworks are the NIST Risk Management Framework (RMF), ISO 31000, and COSO ERM. They differ in scope and style, but they all exist to do the same job: turn scattered judgment calls into a defensible, consistent process.

Last updated . Educational guide. Free to read, no sign-up required.

Why a framework matters

Without a framework, risk lives in people’s heads and in scattered spreadsheets. Two assessors score the same risk differently, last quarter’s register is out of date, and when the board or an auditor asks how you reached a decision, there is no consistent answer. A framework fixes this by defining the steps everyone follows, the criteria used to rate risk, and who is accountable for accepting it.

The payoff is comparability and defensibility. When every risk is identified, analyzed, and treated the same way, you can roll results up across departments or sites, track them over time, and show your work. Regulators, customers, and boards recognize the major frameworks, so adopting one also signals that your program is mature rather than improvised.

The NIST Risk Management Framework (RMF)

The NIST Risk Management Framework is described in NIST Special Publication 800-37 (Revision 2). It is a process for managing security and privacy risk for information systems and the organizations that run them. It is the standard approach for U.S. federal agencies and their contractors, and it connects to a wider family of NIST guidance: FIPS 199 for impact categorization and SP 800-53 for the catalog of controls. The RMF is organized into seven steps.

  1. Prepare

     Get the organization and the system ready to manage security and privacy risk. Define roles, establish a risk management strategy and risk tolerance, conduct an organization-wide risk assessment, and identify common controls that individual systems can inherit. Prepare was added as a formal step in Revision 2 to set the foundation before any system is categorized.

  2. Categorize

     Categorize the system and the information it processes, stores, and transmits based on the potential impact of a loss of confidentiality, integrity, or availability. FIPS 199 defines the low, moderate, and high impact values and the categorization method, and NIST SP 800-60 maps common information types to them. The resulting category sets the baseline rigor for everything that follows.

  3. Select

     Select an initial set of controls for the system and tailor them as needed to reduce risk to an acceptable level. The control catalog is NIST SP 800-53; the low, moderate, and high baselines in NIST SP 800-53B are chosen to match the system categorization from the previous step and then tailored to the system's environment.

  4. Implement

     Put the selected controls in place and document how each one is deployed within the system and its environment of operation. Implementation turns the control selection into real, described safeguards, and that documentation is what the assessor tests against.

  5. Assess

     Determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements. NIST SP 800-53A supplies the assessment procedures. Assessment is the evidence-gathering step that supports the authorization decision.

  6. Authorize

     A senior official, the authorizing official, makes a risk-based decision to authorize the system to operate (or to deny it), explicitly accepting the residual risk based on the assessment results. Authorization is an accountable acceptance of risk by a named decision maker, not an implicit one.

  7. Monitor

     Continuously monitor the system and its controls. Track changes, reassess control effectiveness, report the security and privacy posture, and feed the results back into the earlier steps. Monitoring keeps the authorization current instead of letting it go stale between reviews.
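Categorize and Select are the two steps with a mechanical rule behind them: FIPS 199 takes, for each security objective, the highest impact value among the system's information types (and never lets a system drop below low), and FIPS 200 applies the highest of those three values, the high water mark, to pick the SP 800-53B baseline. The Python below is an added example that shows that rule in working code. It is not code from this page or from NIST; the information types, their impact values, and the function names are constructed for illustration.

```python
"""FIPS 199 system categorization and SP 800-53B baseline selection.

Added example; not code from the page or from NIST. The information
types below are constructed for illustration.
"""
from dataclasses import dataclass

# Impact values from FIPS 199, ordered from lowest to highest.
# FIPS 199 allows "n/a" only for the confidentiality of an information
# type (e.g. public information); a system as a whole is never
# categorized below "low" for any objective.
IMPACT_ORDER = ("n/a", "low", "moderate", "high")
RANK = {level: i for i, level in enumerate(IMPACT_ORDER)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its provisional
    impact value for each security objective (constructed input)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _checked(level: str, objective: str, info_type: str) -> str:
    """Validate a single impact value and normalize its spelling."""
    level = level.strip().lower()
    if level not in RANK:
        raise ValueError(f"{info_type}: unknown impact value {level!r}")
    if level == "n/a" and objective != "confidentiality":
        raise ValueError(f"{info_type}: 'n/a' is only valid for confidentiality")
    return level


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """FIPS 199: for each objective, the system's impact value is the
    highest value among its information types, floored at 'low'."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(
            (_checked(getattr(t, objective), objective, t.name) for t in info_types),
            key=RANK.__getitem__,
        )
        category[objective] = "low" if highest == "n/a" else highest
    return category


def high_water_mark(category: dict[str, str]) -> str:
    """FIPS 200 high water mark: the overall impact level of the system is
    the highest of the three objectives; it drives baseline selection."""
    return max((category[o] for o in OBJECTIVES), key=RANK.__getitem__)


def select_baseline(category: dict[str, str]) -> str:
    """Map the overall impact level to the SP 800-53B control baseline name."""
    return {"low": "Low", "moderate": "Moderate", "high": "High"}[high_water_mark(category)]


def format_category(category: dict[str, str]) -> str:
    """Render the result in the FIPS 199 notation used in system security plans."""
    pairs = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: a web portal that serves public content, stores
# citizen PII, and keeps incident reports that must not be tampered with.
SAMPLE_SYSTEM = [
    InfoType("public web content", "n/a", "low", "low"),
    InfoType("citizen PII", "moderate", "moderate", "low"),
    InfoType("incident reports", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category(cat))
    print("overall:", high_water_mark(cat), "-> SP 800-53B", select_baseline(cat), "baseline")
```

Note the asymmetry the floor creates: a system holding only public information still lands in the Low baseline for confidentiality, and a single high-integrity information type pulls the whole system into the High baseline even when confidentiality and availability are moderate. That is the intended effect of the high water mark, and it is why Categorize is where over- or under-scoping a system costs the most.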

If your program is built around NIST guidance, the framework you select pairs naturally with specific control sets. RiskWatch supports both the NIST Cybersecurity Framework (CSF) and NIST 800-53 as assessment frameworks inside one platform.

Free template

Put a framework to work with a free risk assessment template

Reading about frameworks is one thing. Running an assessment is another. Download a free, ready-to-use risk assessment template with likelihood and impact scoring built in, so you can apply the process from this guide to your own risks today.

Get the free risk assessment template

ISO 31000: principles, framework, and process

ISO 31000 (current edition ISO 31000:2018) is the international standard for risk management. Unlike the NIST RMF, it is not limited to information systems, and unlike management-system standards such as ISO 27001 it is guidance rather than a set of certifiable requirements. Any organization can apply it to any kind of risk, from financial and operational to strategic and safety. ISO 31000 is built on three connected parts: a set of principles, a framework, and a process.

Principles

ISO 31000 opens with a set of principles that describe what effective risk management looks like. Risk management should be integrated into the organization, structured and comprehensive, customized to context, inclusive of stakeholders, dynamic, based on the best available information, mindful of human and cultural factors, and subject to continual improvement. The principles state the purpose: to create and protect value.

Framework

The framework is about leadership and integration. It centers on leadership and commitment and then cycles through integration, design, implementation, evaluation, and improvement so that risk management becomes part of how the organization is governed and run, not a separate activity bolted on the side.

Process

The process is the operational core. It moves through scope, context, and criteria, then risk assessment (risk identification, risk analysis, and risk evaluation), then risk treatment, wrapped by communication and consultation, monitoring and review, and recording and reporting throughout.

Many organizations use ISO 31000 to shape their overall philosophy and governance, then reach for a more prescriptive framework or control set where they need detailed, auditable rigor.

The COSO ERM framework

COSO ERM, formally titled Enterprise Risk Management: Integrating with Strategy and Performance (2017), comes from the Committee of Sponsoring Organizations of the Treadway Commission. Where the NIST RMF is system-focused and ISO 31000 is general guidance, COSO ERM is aimed at enterprise and strategic risk, the kind reported to a board. Its defining idea is that risk management should be tied directly to strategy and performance, not treated as a compliance exercise off to the side.

The framework is organized around five components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. Each component is broken down into principles (twenty in all) that describe the practices expected of an organization. Together they connect the risks an organization takes to the value it is trying to create. COSO ERM is widely used for enterprise-level and financial risk oversight, often alongside an operational framework for the detailed assessment work.

How to choose and apply a framework

There is no single best framework. The right one is the one that matches your driver and that your regulators, customers, and board recognize. A few clear cases make the choice easier:

  • Choose the NIST RMF if you run U.S. federal information systems or need an authorization to operate. It is prescriptive about controls and accountability.
  • Choose ISO 31000 if you want a flexible, organization-wide approach to any kind of risk. It gives you principles and a process to build on rather than a checklist.
  • Choose COSO ERM if your focus is enterprise and strategic risk reported to a board, and you want risk tied directly to strategy and performance.
  • Combine them when it helps. A high-level framework can govern your overall approach while a specific control set carries the detailed, auditable work.

Whichever framework you adopt, applying it well comes down to the same disciplines: a consistent scoring method, a named owner for every risk, an explicit treatment decision (accept, mitigate, transfer, or avoid) rather than an open item, and a review cadence that keeps the register current. A spreadsheet can start you off, but the work of rolling results up, keeping an audit trail, and automating reviews is where a platform earns its keep. That is what risk management software is built to do.


From framework to program

Run your framework in one platform, not a stack of spreadsheets

RiskWatch operationalizes the framework you choose: consistent scoring, owners on every risk, automated review cycles, and roll-ups across the organization. Start a free trial or request a quote.
