Risk Management Frameworks (RMF)
A risk management framework defines the vocabulary, tools and techniques for a coherent approach to risk and ensures that all stakeholders are on the same page.
Enterprise frameworks address any type of risk that could prevent an organization from achieving its business objectives, while others focus specifically on information security, cybersecurity and privacy protection.
COSO Enterprise Risk Management
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps organizations improve internal control and enterprise risk management with its ERM Framework.
Factor Analysis of Information Risk (FAIR)
FAIR is a quantitative model for information security and operational risk. It decomposes risk into loss event frequency (threat event frequency times vulnerability) and loss magnitude (primary plus secondary loss), and expresses the result in financial terms rather than as a qualitative high/medium/low rating.
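The following Monte Carlo simulation is an added example of the FAIR-style decomposition described above; it is not code from the page or from the FAIR Institute. All input ranges are constructed for illustration, and a triangular distribution (minimum, most likely, maximum) stands in for the calibrated PERT ranges that FAIR practitioners normally use. Event counts per simulated year are drawn from a Poisson distribution with the sampled loss event frequency as its rate.

```python
import math
import random
import statistics

# Constructed inputs for illustration only (not from a real assessment).
# Each tuple is (minimum, most likely, maximum); triangular is an assumed
# stand-in for the PERT distributions used in practice.
THREAT_EVENT_FREQUENCY = (1.0, 4.0, 10.0)        # threat events per year
VULNERABILITY = (0.05, 0.20, 0.50)               # P(threat event becomes a loss event)
PRIMARY_LOSS = (20_000.0, 60_000.0, 250_000.0)   # direct cost per loss event
SECONDARY_LOSS = (0.0, 10_000.0, 100_000.0)      # fines, churn, legal, per loss event


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates in FAIR models."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _tri(rng, dist):
    """Sample a (min, mode, max) tuple; note Python's (low, high, mode) argument order."""
    low, mode, high = dist
    return rng.triangular(low, high, mode)


def simulate_annual_loss(tef, vuln, primary, secondary, iterations=20_000, seed=7):
    """Monte Carlo over risk = loss event frequency x loss magnitude, where
    loss event frequency = threat event frequency x vulnerability.
    Returns one simulated annual loss per iteration (deterministic for a given seed)."""
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        lef = _tri(rng, tef) * _tri(rng, vuln)   # loss events per year (a rate)
        events = _poisson(rng, lef)               # how many actually occurred this year
        total = 0.0
        for _ in range(events):
            total += _tri(rng, primary) + _tri(rng, secondary)
        results.append(total)
    return results


def summarize(losses, tolerance):
    """Percentiles of the loss distribution and the probability of exceeding a loss tolerance."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": ordered[-1],
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


def analytic_expected_annual_loss(tef, vuln, primary, secondary):
    """Closed-form mean for a sanity check: E[triangular(a, m, b)] = (a + m + b) / 3,
    and with independent factors E[annual loss] = E[TEF] * E[Vuln] * E[magnitude]."""
    mean = lambda d: sum(d) / 3.0
    return mean(tef) * mean(vuln) * (mean(primary) + mean(secondary))


if __name__ == "__main__":
    losses = simulate_annual_loss(THREAT_EVENT_FREQUENCY, VULNERABILITY,
                                  PRIMARY_LOSS, SECONDARY_LOSS)
    summary = summarize(losses, tolerance=500_000.0)
    for key, value in summary.items():
        print(f"{key:>20}: {value:,.2f}")
    print(f"{'analytic mean':>20}: "
          f"{analytic_expected_annual_loss(THREAT_EVENT_FREQUENCY, VULNERABILITY, PRIMARY_LOSS, SECONDARY_LOSS):,.2f}")
```

The p90 and the probability of exceeding a stated loss tolerance are the numbers a risk owner can act on; the analytic mean only checks that the simulation is wired correctly, since the mean hides the tail that drives decisions about insurance or control spend.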
International Organization for Standardization (ISO)
ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks provides guidelines for managing the information security risks faced by organizations. These guidelines support the Information Security Management System (ISMS) specified in ISO/IEC 27001 and the controls described in ISO/IEC 27002.
The technical committee ISO/IEC JTC 1/SC 27 focuses on the development of standards for the protection of information and ICT.
ISO 31000 provides a common approach to managing any type of risk faced by organizations. Its guidelines can be adapted to any organization and its context.
The ISO 31000 risk management family includes the following documents, some of them still under development at the time of writing:
- ISO 31000:2018 Risk management — Guidelines
- IEC 31010:2019 Risk management — Risk assessment techniques
- ISO 31022:2020 Risk Management — Guidelines for the management of legal risk
- ISO/FDIS 31030 Travel Risk Management — Guidance for organizations
- ISO/AWI 31050 – Guidance for managing emerging risks to enhance resilience
- ISO/DIS 31073 Risk Management – Vocabulary
The technical committee ISO/TC 262 focuses on the development of standards in the field of risk management. Visit the technical committee's own website for more information.
NIST
The NIST Risk Management Framework provides a process that integrates security, privacy and risk management activities into the system development life cycle to meet the requirements of the Federal Information Security Modernization Act (FISMA). Its seven steps are Prepare, Categorize, Select, Implement, Assess, Authorize and Monitor.
Note that NIST Special Publication 800-53 Revision 5 describes the security and privacy controls for information systems and organizations, and Special Publication 800-53B describes the control baselines selected from it.
Related initiatives
- Special Publication 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
- Special Publication 800-30 Rev. 1: Guide for Conducting Risk Assessments
- Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
The OCTAVE method was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University on behalf of the Department of Defense. Later variants include OCTAVE-S, for smaller organizations, and OCTAVE Allegro, which focuses on information assets.
Rapid Risk Assessment
The Rapid Risk Assessment (RRA) methodology developed by Mozilla (also referred to as Rapid Risk Analysis) helps formalize and record risk decisions about a service in a short session of about 60 minutes.
Threat Assessment and Remediation Analysis (TARA)
Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cyber vulnerabilities and to select countermeasures effective at mitigating them. TARA is part of MITRE's portfolio of systems security engineering (SSE) practices. It should not be confused with Intel's Threat Agent Risk Assessment, which shares the acronym but is a separate methodology.