Risk Assessment Method

Generally speaking, a risk assessment methodology compliant with ISO 27001 has these 5 elements:

• risk identification
• risk owner
• likelihood
• impact
• risk level.

Provided CIS CRAM can fulfill these requirements, it can be used in an ISO 27001 context.

We are not experts in CIS RAM, but based on the material provided in the Center for Internet Security (https://www.cisecurity.org/white-papers/cis-ram-risk-assessment-method/), this methodology seems too complex for beginners (please note that risk assessment is more useful when everyone in an organization can use it by themselves in a quick way, not depending upon few persons).

To see a risk assessment methodology compliant with ISO 27001 that we consider simple to learn and use, please access this free demo template: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

These articles will provide information about risk management in ISO 27001:

• How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

This material will also help you regarding risk management:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/