This post summarizes some relevant IT risk analysis and management frameworks or methodologies.
Please do not confuse them with risk analysis methodologies.
List of IT Risk Management Frameworks
List of IT risk management frameworks:
- ISO/IEC 27005
- NIST SP 800-30/37/39
- Interoperable EU Risk Management Framework
- FAIR
- Magerit
- Mehari
- OCTAVE
- Intel’s TARA
- ISACA’s Risk IT Framework
- COSO’s Enterprise Risk Management (ERM)
- Microsoft’s Security Management Guide
ISO/IEC 27005
The title of ISO/IEC 27005 is “Information technology — Security techniques — Information security risk management”.
As of November 2022, the latest version is ISO/IEC 27005:2022.
NIST SP 800-30/37/39
There are different NIST Special Publications that are related to Risk, and are interconnected and work together:
- NIST SP 800-30
- NIST SP 800-37
- NIST SP 800-39
- NIST SP 800-82
NIST Special Publication 800-30, abbreviated as NIST SP 800-30 or NIST 800-30, whose title is “Guide for Conducting Risk Assessments”, is issued and managed by NIST, a governmental organization of the USA.
It was originally published in January 2002 and updated in September 2012.
You can find more about SP 800-30 Rev. 1 on this link.
Link to Framework for Improving Critical Infrastructure Cybersecurity
800-30 is aimed at Risk Assessment. 800-37 and 800-39 are aimed at Risk Management.
NIST Special Publication 800-39, abbreviated as NIST SP 800-39 or NIST 800-39, is focused on overall risk management.
NIST Special Publication 800-37, abbreviated as NIST SP 800-37 or NIST 800-37, is a guide for implementing a Risk Management Framework (RMF) for USA federal information systems.
RMF is a methodology for handling all organizational risk in a holistic, comprehensive and continual manner. It relies on the use of automated solutions, risk analysis and assessment, and the implementation of controls based on those assessments, with continuous monitoring and improvement.
RMF supersedes the old “Certification and Accreditation” model of cyclical inspections with a specific duration that was used in American military, intelligence, and federal government communities.
The Risk Management Framework consists of six cyclical phases plus a first one that represents the process initiation:
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
NIST Special Publication 800-82, abbreviated as NIST SP 800-82 or NIST 800-82, is about Industrial Control Systems (ICS) Security.
Interoperable EU Risk Management Framework
The Interoperable EU Risk Management Framework was issued by ENISA in 2021.
You can find it on this external link.
FAIR
Factor Analysis of Information Risk (FAIR) is developed by FAIR Institute.
You can find more information on this link.
Magerit
Magerit, sometimes written as MAGERIT, is issued and managed by institutions related to the Government of Spain.
The latest version is from 2012 (version 3).
You can find a complete post about Magerit on this link.
Mehari
Mehari is issued and managed by CLUSIF (Club de la Sécurité de l’Information Français) of France.
OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
The latest version is from 2005, so it does not seem to be updated anymore.
It is developed by CERT, connected to the Software Engineering Institute (SEI) of the Carnegie Mellon University.
You can find more information on this link.
Intel’s TARA
Threat Agent Risk Assessment (TARA) was developed by American company Intel.
Do not confuse it with MITRE’s Threat Assessment and Remediation Analysis (TARA), which is part of a MITRE portfolio of systems security engineering (SSE).
You can find more information about Intel’s TARA on this external link.
ISACA’s Risk IT Framework
There is a Risk IT Framework developed by ISACA.
You can buy ISACA’s Risk IT Framework on this link.
Microsoft’s Security Management Guide
Microsoft’s Security Management Guide was developed by Microsoft, and more specifically Microsoft Solutions for Security and Compliance and Microsoft Security Center of Excellence.
It was issued in 2006 so I guess it is completely outdated.
It is still available on this link.
List of General-purpose Risk Management Frameworks
General-purpose Risk Management Frameworks may also be relevant when considering IT Risk Management Frameworks. Some of them are ISO 31000 and COSO ERM.
You can find a list of general-purpose risk management frameworks on this post.
IT Risk Management Framework Compendiums
An IT risk management framework compendium would be a report, document or any other resource that lists risk management frameworks.
The only compendium featured in this post is:
- Compendium of Risk Management Frameworks with Potential Interoperability
Compendium of Risk Management Frameworks with Potential Interoperability
The Compendium of Risk Management Frameworks with Potential Interoperability report was issued in 2022 by ENISA.
You can find the report on this external link.
There is also an Interoperable EU Risk Management Framework that you can download on this external link.
You might be also interested in…
- Magerit IT Risk Analysis Methodology
- Risk Management Frameworks
- IT Risk Management Certifications for Professionals
External references
- ENISA; “Risk Management”; ENISA
- NIST; “NIST Risk Management Framework”; NIST
- Cuelogic Technologies; “How to make sense of Cybersecurity Frameworks”; Cuelogic
- Sherifat Akinwonmi, Geary Sikich; “ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Management”; PECB
- M. Chapple et al.; “CISSP Study Guide, Ninth Edition”, chapter 2, “Risk Frameworks”, pp. 79-81; Wiley, 2021
- Bob Violino; “5 IT risk assessment frameworks compared”; CSO Online, 2021-11-11
- A. Syalim, Y. Hori & K. Sakurai; “Comparison of Risk Analysis Methods: Mehari, Magerit, NIST800-30 and Microsoft’s Security Management Guide”; IEEE