This section summarises number of commonly used risk methods and frameworks. Note that:
- using a single method or framework may not meet your requirements; this is not a finite list and you may wish to use a hybrid approach, or develop your own
- other methods and frameworks not listed here may prove to be a better choice, depending on the unique circumstances of your business and technology needs
Selecting a risk management method or framework
Ensure your selection meets your needs
When selecting a risk method or framework, an organisation should ensure it fits their purposes. Considerations may include:
- The overall cost of using the method. For example, the procurement of tools, licencing and expertise.
- The scope of the project. Is the risk method proportionate to what is being assessed?
- Ensuring the required resources are proportionate and sustainable. What specialist resources required, and do we have them?
- Any commercial aspects that could restrict its use.
- Can we use the method at any time, on any system, using any resources?
- Are there any licencing restrictions?
When is the right time to use a risk method or framework?
Practitioners and decision makers should understand not only how, but when to use risk methods or frameworks. Their use will not be effective at all times because:
- there are situations when they do not introduce any new information in support of decision making and management
- there are situations when a scenario is so complex or chaotic, that as a result information is neither obtainable nor knowable through prior learning
Assessment and analysis is only effective in situations where it can be used to obtain new information, in support of decision making and management, since the scenario is knowable. As a result most organisations will need to use a variety of different approaches to effectively manage their risk.
ISO/IEC 27005:2011
https://www.iso.org/iso/catalogue_detail?csnumber=56742
What is it?
ISO 27005 is an international standard providing guidelines for information risk management. Although it does outline a generic risk assessment process in Chapter 8 and Annex E, it leaves the choice of that process to the business.
ISO 27005 is part of the ISO 27000 family of standards. There is some dependency between these documents, with concepts from one being important for understanding those in another. ISO 27005 is likely to be used by organisations following the security requirements of ISO/IEC 27001:2013 (ISO/IEC 27001:2013 ‘Information technology – Security techniques – Information security management systems – Requirements’), although it can be used in other contexts.
How does it work?
The appendices provide guidance on using qualitative and quantitative approaches. The standard is not prescriptive about which should be used. It refers out to IEC 31010:2009 (‘Risk management – Risk assessment techniques’) to inform the choice of risk assessment technique. ISO 27005 requires that a risk assessment takes into account threats, vulnerabilities, and impacts. They must be contextualised to the business, then fed into the risk evaluation process, which informs the decisions made on how to treat risks.
Who is it for?
As a framework that is not overly prescriptive, the principles of ISO 27005 can be applied to a variety of types and sizes of organisation.
Costs and pre-requisites
Given the broad and generic nature of the guidance, specialist skilled resources are needed to tailor the implementation to the requirements of the business. The cost of these resources should be considered along with the cost of purchasing the standards.
Information Security Forum (ISF) IRAM 2
https://www.securityforum.org/tool/information-risk-assessment-methodology-iram2/
What is it?
IRAM 2 is the ISF’s risk assessment methodology and is intended to help organisations better understand and manage information risks.
How does it work?
This approach uses a number of phases to identify, evaluate and treat risks through the analysis and assessment of risk components (threat, vulnerability and impact).
Who is it for?
IRAM 2 is aimed at organisations.
Costs and pre-requisites
IRAM 2 is only provided to members of the ISF and organisations will need to have in place information risk management expertise to use it effectively.
CESG Information Assurance Standard 1 & 2
What is it?
CESG Information Assurance Standard 1 & 2 (IS 1&2) and its supporting documents is a legacy suite of information risk management guidance. The risk assessment method includes defining the scope of assessment and the corresponding information assets and then conducting an impact, threat and vulnerability assessment of them.
How does it work?
The risk treatment method includes: the production of a risk treatment plan, defining an implementation approach for the identified controls (largely based on ISO/IEC 27002:2013), the development of an assurance plan, a residual risk assessment and gap analysis.
Who is it aimed at?
IS 1 & 2 is used predominantly by central government departments, the wider public sector and its suppliers. However it could also be used by any organisation to assess and manage their technical risks.
Costs and pre-requisites
The risk assessment method and supporting tool is no longer supported. The steps presented in IS1/2 are complex and achieving a consistent and reasoned outcome requires a skilled practitioner.
US National Institute of Standards and Technology (NIST) SP 800-30
What is it?
NIST SP 800-30 is the US government’s preferred risk assessment methodology, and is mandated for US government agencies. It features a detailed step-by-step process from the initial stages of preparing for an assessment, through conducting it, communicating the results, and maintaining the assessment. The guidance itself is comprehensive and clear. Unsurprisingly, as a US standard, much of the supporting documentation in the NIST Risk Management Framework is heavily US-focussed, often dwelling on regulatory issues that may have little relevance to non-US users.
How does it work?
The risk assessment process in SP 800-30 takes inputs from a preparatory step that establishes the context, scope, assumptions, and key information sources for the process, and then uses identified threats and vulnerabilities to determine likelihood, impact and risk. The process next requires that the results are communicated and the assessment maintained, including monitoring effectiveness of controls and verifying compliance.
Who is it aimed at?
The methodology should be usable by organisations of all sizes in both the private and public sectors. It is designed to be consistent with the ISO standards, and flexible enough to be used with other risk management frameworks.
Costs and pre-requisites
It is freely available directly from the NIST website, although since NIST SP 800-30 is aimed largely at the US public sector, finding appropriate support to implement it may be difficult outside the US and should be factored into the cost.
Octave Allegro
https://www.cert.org/resilience/products-services/octave/index.cfm
What is it?
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology originates from Carnegie Mellon University in the USA. Older versions are still in use but the most recent version, OCTAVE Allegro, is more streamlined and is actively supported. It is primarily intended as a qualitative assessment, although may be used for simple quantitative analysis.
How does it work?
Octave Allegro is an asset-focussed method. The first step is establishing consistent, qualitative risk measurement criteria specific to the organisation’s drivers and objectives. After assets have been profiled, threats and impacts are considered in light of real world scenarios to identify risks. These risks are then prioritised according to the risk measurement criteria and planned mitigation.
Who is it aimed at?
OCTAVE is intended to be managed in a ‘workshop’ style, with a small group of participants from the operational and IT areas of the business, not requiring extensive expertise. Therefore, this approach might suit organisations looking for a risk assessment process that can be done without investing heavily in training or consultants.
Costs and pre-requisites
The resources to perform a risk assessment can be downloaded for free and are integral to the process. If training is required, Carnegie Mellon offers elearning for a fee.
ISACA COBIT 5 for Risk
https://www.isaca.org/COBIT/Pages/Risk-product-page.aspx
What is it?
COBIT 5 for Risk is provided by ISACA and provides guidance covering the governance of and understanding of enterprise IT risk.
How does it work?
COBIT 5 for Risk provides risk management and governance framework in the form of principles and guidance.
Who is it aimed at?
COBIT 5 for Risk is likely to suit organisations where there already exists or there is a need to manage risks in a formalised way.
Costs and pre-requisites
The COBIT 5 for Risk book is available for purchase on the ISACA website. An organisation looking use COBIT 5 for Risk will also need to take into account any specialist resources necessary to implement its guidance and principles.
IEC 62443-2-1:2010
https://webstore.iec.ch/publication/7030
What is it?
The ISA/IEC 62443 series of standards is intended to help organisations implement a risk management programme for their Industrial Automation and Control Systems environment.
How does it work?
Broadly aligned with and building on well-known standards such as the ISO 27000 series, IEC 62443-2-1:2010 describes a security programme aimed at operational technology, and as such covers such things as reliability and safety that may be less relevant in an IT environment.
Who is it for?
Aimed at organisations with Industrial Automation and Control Systems.
Costs and pre-requisites
Skilled security practitioners will be required to implement and maintain this standard. If done well it will provide a holistic and rigorous approach to managing risks to operational technology, but done poorly could prove costly and difficult to maintain.
Source: NCSC
