STORM-RM: A collaborative and multicriteria risk management methodology. Risk management (RM) is a necessary process in order to identify, categorise and handle security threats, vulnerabilities and risks of information and communication systems (ICS). Existing RM methodologies for the implementation of standards impose various barriers (e.g., limitation in knowledge gathering, time and resources consumption, and cost) which make them unable to meet the growing needs of the current distributed and complex ICS and their hosting critical data and services. Identifying these weaknesses, we treat RM as a multi-criteria problem and we propose a multi-criteria group decision making methodology STORM-RM for its solution combining the analytic hierarchy process (AHP) with security management standards (ISO27001 and AS/NZS 4360.