Risk standards comparison
Answer: In a general manner, risk standards cover in different levels of details these steps listed in ISO 31000: context establishment, risk identification, risk analysis, risk evaluation and risk treatment.
While ISO 31000 is more focused on the general risk management structure (it does not define specific methods, although you can find examples in ISO 31010), OCTAVE focuses on risk management at a strategic and planning level, and FAIR addresses security practice weaknesses. Another risk management framework I can tell you about is the one used by NIST (National Institute of Standards and Technology). Documents SP 800-30 and SP 800-37 are focused on helping implementation in US federal systems, presenting a great level of detail regarding risk levels, security and assurance controls.
The European Network and Information Security Agency has old, but still useful, content about Risk Management / Risk Assessment Methods that you may find useful: ENISA Inventory of Risk Management / Risk Assessment Methods: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods
These articles will provide you with further explanation about risk standards:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
- How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
Dec 09, 2016