Last week, one of my posts on the fundamentals of risk management sparked an interesting conversation on the definition of risk.
The conversation soon uncovered that there are a lot of definitions and approaches to risk management out there, some of them seemingly popular and well known, others almost unknown to the broader public.
Here is a list of risk management standards and publications that are worth knowing and reading.
I hope there are at least a few that you didn’t know already.
International Risk Management Standards
The International Organization for Standardization (ISO) sets global standards to ensure quality, safety, efficiency, and effectiveness in processes and products across different industries. ISO has several standards specifically designed for risk management, which guide organizations in identifying, assessing, and treating risks. Below is a brief overview of some key ISO risk management standards:
ISO 31000:2018 Risk management - Guidelines: This standard provides guidelines on managing risk faced by organizations. It enables organizations to increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.
ISO 31073:2022 Risk management - Vocabulary: This FREE standard establishes a comprehensive set of terms and definitions related to risk management, helping to standardize the language used across different organizations and sectors.
ISO 31010:2019 Risk management — Risk assessment techniques: This FREE standard focuses on risk assessment concepts, processes, and the selection of risk assessment techniques, offering detailed guidance on how to conduct risk assessments to support risk management.
ISO 31022:2020 Guidelines for the management of legal risks: This standard provides guidelines for managing legal risks that organizations face. It helps in identifying, evaluating, and mitigating risks associated with legal rights, obligations, and compliance in a structured manner.
ISO 31030:2021 Travel risk management - Guidance for organizations: This standard offers guidance on managing travel risks, emphasizing the need for organizations to develop, implement, and maintain a travel risk management framework to ensure the safety and health of travelers.
ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks: This standard provides detailed guidelines on information security risk management in the context of an information security management system (ISMS) as outlined in ISO/IEC 27001.
Risk Management Publications by NIST
The National Institute of Standards and Technology (NIST) is on a mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Here are some essential NIST publications for risk management:
NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments: This publication serves as a comprehensive guide for conducting risk assessments, providing a systematic process for evaluating information systems and organizations in terms of risks to operations, assets, individuals, other organizations, and the nation. The guide helps in identifying, estimating, and prioritizing risks against criteria for risk acceptance and objectives relevant to the organization.
NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View: This publication emphasizes the importance of a three-tiered approach to risk management that addresses organizational, mission/business processes, and information system levels.
NIST SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy: The RMF integrates security, privacy, and risk management activities into the system development life cycle, while encouraging ongoing feedback and system monitoring.
NIST IR 8286 Series
The NIST Interagency Report (IR) 8286 series provides guidelines on how to integrate cybersecurity risk management activities into enterprise risk management. The series consists of the following publications:
NIST IR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM): Base report.
NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management: This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks.
NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management: This report describes methods for applying enterprise objectives to prioritize the identified risks and, subsequently, to select and apply the appropriate responses.
NIST IR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight: This report describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio.
NIST IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response: This report describes the identification and management of risk as it propagates from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. NIST IR 8286D expands typical BIA discussions to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.
New Video
I tried my best to explain information security / cybersecurity risk management in less than 5 minutes. You decide if I was successful.