This post summarizes some relevant IT risk analysis and management frameworks or methodologies.
Please do not confuse them with risk analysis methodologies.
List IT of Risk Management frameworks
List of IT risk analysis frameworks:
- ISO/IEC 27005
- NIST SP 800-30/37/39
- Interoperable EU Risk Management Framework
- Intel’s TARA
- ISACA’s Risk IT Framework
- COSO’s Enterprise Risk Management (ERM)
- Microsoft’s Security Management Guide
The title of ISO/IEC 27005 is “Information technology — Security techniques — Information security risk management”
As of November 2022, latest version is ISO/IEC 27005:2022.
NIST SP 800-30/37/39
There are different NIST Special Publications that are related to Risk, and are interconnected and work together:
- NIST SP 800-30
- NIST SP 800-37
- NIST SP 800-39
- NIST SP 800-82
NIST Special Publication 800-30, abbreviated as NIST SP 800-30 or NIST 800-30, whose title is “Guide for Conducting Risk Assessment”, is issued and managed by NIST, a governamental organization of the USA.
It was originally published in January 2002, and updated on September 2012.
You can find more about SP 800-30 Rev. 1 on this link.
800-30 is aimed on Risk Assessment. 800-37 and 800-39 are aimed on Risk Management.
NIST Special Publication 800-39, abbreviated as NIST SP 800-39 or NIST 800-39, is focused on overall risk management.
NIST Special Publication 800-37, abbreviated as NIST SP 800-37 or NIST 800-37, is focused on Risk Management Framework (RMF) for USA federal information systems.
The Risk Management Framework consists of six cyclical phases plus the first one, that represent the process initiation:
NIST Special Publication 800-82, abbreviated as NIST SP 800-82 or NIST 800-82, is about Industrial Control Systems (ICS) Security.
Interoperable EU Risk Management Framework
Interoperable EU Risk Management Framework was issued by ENISA on 2021.
You can find it on this external link
Magerit, sometimes written as MAGERIT, is issued and managed by institutions related to the Government of Spain.
Latest version is from 2012 (version 3).
You can find a complete post about Magerit on this link.
Mehari is issued and managed by CLUSIF (Club de la Securité de l’Information Français) of France.
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Latest version is from 2005, so it does not seem to be updated.
It is developed by CERT, connected to the Software Engineering Institute (SEI) of the Carnegie Mellon University.
You can find more information on this link.
Factor Analysis of Information Risk (FAIR) is developed by FAIR Institute.
You can find more information on this link.
Threat Agent Risk Assessment (TARA) was developed by American company Intel.
Do not confuse it with MITRE’s Threat Assessment and Remediation Analysis (TARA), that is part of a MITRE portfolio of systems security engineering (SSE).
You can find more information about Intel’s TARA on this external link.
ISACA’s Risk IT Framework
There is a Risk IT Famework developed by ISACA.
You can buy ISACA’s Risk IT Framework on this link.
Microsoft’s Security Management Guide
Microsoft’s Security Management Guide was developed by Microsoft, and more specifically Microsoft Solutions for Security and Compliance and Microsoft Security Center of Excellence.
It was issued on 2006 so I guess it is completely outdated.
It is still available to be checked on this link.
List of General-purpose Risk Management Frameworks
General-purpose Risk Management Frameworks may also be relevant when considering IT Risk Management Frameworks. Some of them are ISO 31000 and COSO ERM.
You can find a list of general-purpose risk management frameworks on this post.
IT Risk Management Framework Compendiums
An IT risk management framework compendium would be a report, document or any other resource that list risk management frameworks.
The only compendium feature in this post is:
- Compendium of Risk Management Frameworks with Potential Interoperatibility
Compendium of Risk Management Frameworks with Potential Interoperatibility
The Compendium of Risk Management Frameworks with Potential Interoperatibility report was issued in 2022 by the ENISA.
You can find the report on this external link.
There is also a Interoperable EU Risk Management Framework that you can download on this external link.
You might be also interested in…
- Magerit IT Risk Analysis Methodology
- Risk Management Frameworks
- IT Risk Management Certifications for Professionals
- ENISA; “Risk Management“; ENISA
- NIST; “NIST Risk Management Framework“; NIST
- Cuelogic Technologies; “How to make sense of Cybersecurity Frameworks”; Cuelogic
- Sherifat Akinwonmi, Geary Sikich; “ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Management“, PECB
- IT Risk Assessment
- M. Chapple et al; “CISSP Study Guide Ninth Edition”, pp. 79-81; Wiley, 2021
- Bob Violino; “5 IT risk assessment frameworks compared“; CSO Online, 2021-11-11
- A. Syalim, Y. Hori & K. Sakurai; “Comparison of Risk Analysis Methods: Mehari, Magerit, NIST800-30 and Microsoft’s Security Management Guide“; IEEE