A useful overview of risk management frameworks & tools
On 20 August, Andrey Prozorov (CISM, CIPP/E, CDPSE, LA 27001) published a handy overview of the most common standards and frameworks used in the field of risk management. The best-known risk management bodies in the Western world, such as ISO, COSO, ANSSI, FAIR, ISACA and NIST, are all represented. Although the full range is much broader, certainly at the level of technical standards and implementation models, this gives a good overview of the available aids for setting up, running and improving your risk management function. Some of the standards and models have to be paid for; a good number of others, including the ENISA toolbox, are freely available. The document also contains links to the relevant download sites. Make good use of it!
| # | Standard / framework | Publisher | Region | Price |
|---|---|---|---|---|
| 1 | ISO 31000:2018 Risk management — Guidelines | ISO | International, Switzerland | CHF124 ($140) |
| 2 | COSO Enterprise Risk Management Integrating with Strategy and Performance | COSO | International, USA | £158 |
| 3 | RIMS Risk Maturity Model (RMM) | RIMS | International, USA | $199 |
| 4 | S&P Enterprise Risk Management Evaluations | S&P | International, USA | Free |

Information Security, Privacy, and IT

| # | Standard / framework | Publisher | Region | Price |
|---|---|---|---|---|
| 5 | ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks | ISO | International, Switzerland | CHF187 ($210) |
| 6 | ISO/IEC 27557:2022 Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management | ISO | International, Switzerland | CHF124 ($140) |
| 7 | Information Risk Assessment Methodology 2 (IRAM2) | ISF | International, USA | For members |
| 8 | EBIOS Risk Manager (EBIOS RM) | ANSSI | France | Free |
| 9 | OCTAVE FORTE (Operationally Critical Threat, Asset, and Vulnerability Evaluation FOR The Enterprise) | CMU | USA | Free |
| 10 | Factor Analysis of Information Risk (FAIR) | FAIR Institute | USA | $35 |
| 11 | Risk IT Framework (+ Risk IT Practitioner Guide, Risk Starter Kit Tool, Risk Scenarios Starter Pack) | ISACA | International, USA | $75 |
| 12 | COBIT Focus Area: Information and Technology Risk Using COBIT 2019 | ISACA | International, USA | $90 |
| 13 | EU Risk Management Toolbox | ENISA | Europe | Free |
| 14 | NIST Risk Management Framework (RMF) | NIST | USA | Free |
| 15 | NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments | NIST | USA | Free |
| 16 | NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View | NIST | USA | Free |
| 17 | Cyber security risk management framework | NCSC | UK | Free |
| 18 | Controls of Risk and Business Continuity Management for Digital Government | DGA | Saudi Arabia | Free |
| 19 | Risk Analysis based on IT-Grundschutz (BSI-Standard 200-3) | BSI | Germany | Free |
| 20 | IEC 62443-3-2:2020 Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design | IEC | International, Switzerland | CHF220 ($250) |
| 21 | Threat Assessment & Remediation Analysis (TARA) | MITRE | USA | Free |
| 22 | Microsoft's Cloud Risk Decision Framework | Microsoft | USA | Free |
Links:
- ISO 31000: https://www.iso.org/standard/65694.html
- COSO: https://www.coso.org/guidance-erm
- RIMS: https://www.rims.org/Tools/risk-maturity-model
- S&P: https://www.spglobal.com/ratings/en/products-benefits/products/enterprise-risk-management-evaluations
- ISO 27005: https://www.iso.org/standard/80585.html
- ISO 27557: https://www.iso.org/standard/71675.html
- IRAM2: https://www.securityforum.org/solutions-and-insights/information-risk-assessment-methodology-iram2
- EBIOS: https://www.ssi.gouv.fr/guide/ebios-risk-manager-the-method
- OCTAVE FORTE: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=644636
- FAIR: https://www.fairinstitute.org/what-is-fair
- RISK IT Framework: https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9VEAS
- COBIT Focus Area: https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KmAREA0
- EU Toolbox: https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-toolbox
- NIST RMF: https://csrc.nist.gov/projects/risk-management/about-rmf
- NIST SP 800-30: https://csrc.nist.gov/pubs/sp/800/30/r1/final
- NIST SP 800-39: https://csrc.nist.gov/pubs/sp/800/39/final
- NCSC Framework: https://www.ncsc.gov.uk/collection/risk-management/cyber-security-risk-management-framework
- DGA RM: https://dga.gov.sa/en/Controls_Of_Risk_and_Business_Continuity_Management_For_Digital_Government
- BSI-Standard 200-3: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-3-Risikomanagement/bsi-standard-200-3-risikomanagement_node.html
- IEC 62443-3-2: https://webstore.iec.ch/publication/30727
- TARA: https://www.mitre.org/news-insights/publication/threat-assessment-and-remediation-analysis-tara
- Microsoft CRDF: https://download.microsoft.com/documents/australia/enterprise/smic1545_pdf_v7_pdf.pdf