01-15-2020 07:25 PM
Hello all: I've been struggling with how to properly categorize risk by the Risk Framework in the GRC Risk Application. I've taken the GRC Fundamentals class and the examples of Risk Framework categories were:
1. Physical and Environmental Threats
2. Third Party and Supply Chain Threats
I understand SN does not provide content, but has anyone curated a good set of Risk Frameworks they'd like to share? We've referenced NIST, but can't find the right fit.
Sleepless in Salt Lake
Labels: Risk Management
01-16-2020 12:16 AM
Probably NIST is the most used, but there are a few others from ISACA or ISO; it all depends on your organization. The security and privacy control families outlined by NIST 800-53 are flexible, customizable and can be implemented by organizations as part of their overall risk management strategy. The controls cover areas such as access control, security awareness training, formal risk assessments, incident response or continuous monitoring to support organizational risk management. Have you read the information provided by NIST already?
- Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
https://www.nist.gov/publications/risk-management-framework-information-systems-and-organizations-sy...
- Guide for Mapping Types of Information and Information Systems to Security Categories
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
Consider also publications from:
- International Organization for Standardization
ISO-31000 (Principles and guidelines for Risk Management)
https://www.iso.org/iso-31000-risk-management.html
ISO 27001:2013 (Requirements for Information Security Management Systems)
https://www.itgovernance.co.uk/iso27001/iso27001-risk-assessment
ISO 9001:2015 (Requirements for Quality Management Systems)
Important to note is that ISO 9001 and ISO 27001 have identical content in their chapters, while ISO 31000 has a different structure of general recommendations.
- ISACA
COBIT for Risk
http://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx
https://www.isaca.org/COBIT/Documents/COBIT-5-for-Risk-Preview_res_eng_0913.pdf
http://www.isaca.org/COBIT/focus/Pages/cobit-5-for-risk-a-powerful-tool-for-risk-management.aspx
01-16-2020 03:59 AM
01-17-2020 09:53 AM
Thank you Rafael and John for your guidance. I've read through NIST and ISACA COBIT 5 and will have to look deeper into ISO. I appreciate the quick replies.

01-20-2020 06:46 AM