Result-oriented risk management processes, especially those that seek to fulfil requirements, always begin with risk identification and evaluation based on risk management best practices. Risk identification by itself is not enough to change the current situation, however, and facilitating risk evaluation requires further practical actions. To achieve the best result, appropriate management actions must also be defined for the identified risks. The Granite ISO 27001 Information Security Risks tool guides the user to a point where every risk has been taken into account in accordance with the ISO 27001 standard.