Per Service / Asset: - Assessment of risks / vulnerabilities - Implementation of Control Measures -- Avoid (Change the way of working) -- Reduce impact -- Reduce probability -- Transfer (Insurance, ...) -- Accept (residual) Risk (or reject service) - Report