IT Risk Management Frameworks

This post summarizes some relevant IT risk analysis and management frameworks or methodologies.

Please do not confuse them with risk analysis methodologies.

List of IT Risk Management frameworks

List of IT risk analysis frameworks:

  • ISO/IEC 27005
  • NIST SP 800-30/37/39
  • Interoperable EU Risk Management Framework
  • Magerit
  • Mehari
  • OCTAVE
  • FAIR
  • ISACA’s Risk IT Framework
  • Microsoft’s Security Management Guide

ISO/IEC 27005

The title of ISO/IEC 27005 is “Information technology — Security techniques — Information security risk management”.

As of November 2022, the latest version is ISO/IEC 27005:2022.

NIST SP 800-30/37/39

There are several NIST Special Publications related to risk; they are interconnected and are meant to be used together:

  1. NIST SP 800-30
  2. NIST SP 800-37
  3. NIST SP 800-39
  4. NIST SP 800-82

NIST Special Publication 800-30, abbreviated as NIST SP 800-30 or NIST 800-30, whose title is “Guide for Conducting Risk Assessment”, is issued and managed by NIST, a governmental organization of the USA.

It was originally published in January 2002 and updated in September 2012.

You can find more about SP 800-30 Rev. 1 on this link.

Link to Framework for Improving Critical Infrastructure Cybersecurity

800-30 is aimed at risk assessment. 800-37 and 800-39 are aimed at risk management.

NIST Special Publication 800-39, abbreviated as NIST SP 800-39 or NIST 800-39, is focused on overall risk management.

NIST Special Publication 800-37, abbreviated as NIST SP 800-37 or NIST 800-37, is focused on Risk Management Framework (RMF) for USA federal information systems.

NIST Special Publication 800-82, abbreviated as NIST SP 800-82 or NIST 800-82, is about Industrial Control Systems (ICS) Security.

Interoperable EU Risk Management Framework

The Interoperable EU Risk Management Framework was issued by ENISA in 2021.

You can find it on this link.

Magerit

Magerit, sometimes written as MAGERIT, is issued and managed by institutions related to the Government of Spain.

The latest version is from 2012 (version 3).

You can find a complete post about Magerit on this link.

Mehari

Mehari is issued and managed by CLUSIF (Club de la Sécurité de l’Information Français) of France.

Link to Mehari entry at ENISA

OCTAVE

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.

The latest version is from 2005, so it does not appear to be updated any more.

It is developed by CERT, connected to the Software Engineering Institute (SEI) of Carnegie Mellon University.

You can find more information on this link.

FAIR

Factor Analysis of Information Risk (FAIR) is developed by the FAIR Institute.

You can find more information on this link.

ISACA’s Risk IT Framework

There is a Risk IT Framework developed by ISACA.

You can buy ISACA’s Risk IT Framework on this link.

Microsoft’s Security Management Guide

Microsoft’s Security Management Guide was developed by Microsoft, and more specifically Microsoft Solutions for Security and Compliance and Microsoft Security Center of Excellence.

It was issued in 2006, so I guess it is completely outdated.

It is still available to be checked on this link.

IT Risk Management Framework Compendiums

An IT risk management framework compendium would be a report, document or any other resource that lists risk management frameworks.

The only compendium featured in this post is:

  • Compendium of Risk Management Frameworks with Potential Interoperability

Compendium of Risk Management Frameworks with Potential Interoperability

The Compendium of Risk Management Frameworks with Potential Interoperability report was issued in 2022 by ENISA.

You can find the report on this external link.

There is also an Interoperable EU Risk Management Framework that you can download on this external link.
