01-15-2020 07:25 PM
Hello all: I've been struggling with how to properly categorize risk by the Risk Framework in the GRC Risk Application. I've taken the GRC Fundamentals class and the examples of Risk Framework categories were:
1. Physical and Environmental Threats
2. Third Party and Supply Chain Threats
I understand SN does not provide content, but has anyone curated a good set of Risk Frameworks they'd like to share? We've referenced NIST, but can't find the right fit.
Sleepless in Salt Lake
Labels: Risk Management
01-16-2020 12:16 AM
Probably NIST is the most used, but there are a few others from ISACA or ISO - it all depends on your organization. The security and privacy control families outlined by NIST 800-53 are flexible, customizable and can be implemented by organizations as part of their overall risk management strategy. The controls cover areas such as access control, security awareness training, formal risk assessments, incident response or continuous monitoring to support organizational risk management. Have you read the information provided by NIST already?
- Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  https://www.nist.gov/publications/risk-management-framework-information-systems-and-organizations-sy...
- Guide for Mapping Types of Information and Information Systems to Security Categories
  https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
Consider also publications from:
- International Organization for Standardization
ISO-31000 (Principles and guidelines for Risk Management)
https://www.iso.org/iso-31000-risk-management.html
ISO 27001:2013 (Requirements for Information Security Management Systems)
https://www.itgovernance.co.uk/iso27001/iso27001-risk-assessment
ISO 9001:2015 (Requirements for Quality Management Systems)
It is important to note that ISO 9001 and ISO 27001 have identical content in their chapters, while ISO 31000 has a different structure of general recommendations.
- ISACA
COBIT for Risk
http://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx
https://www.isaca.org/COBIT/Documents/COBIT-5-for-Risk-Preview_res_eng_0913.pdf
http://www.isaca.org/COBIT/focus/Pages/cobit-5-for-risk-a-powerful-tool-for-risk-management.aspx

01-29-2020 09:30 AM
This presentation provided a good list and review.
01-17-2021 08:20 PM
Brainstorm - extra info related to Risk Framework(s) content from ISACA / COBIT 5 (GRC / IRM)
ISACA > COBIT 5 > Risk - Scenarios:
ISACA offers a COBIT 5 Risk Scenarios Toolkit which includes 20 Word (.doc) templates for the scenarios listed in the book.
Download the Risk-Scenarios-Toolkit ZIP here - 20 scenarios in Word docs.
Consider converting the twenty docs into one .xls and importing it into NOW > GRC / IRM > Risk table.
Use Cases:
- Categorization - includes 20 common categories and threat types
- Major enterprises have been known to use this specific content as a common reference for reviews of Governance and Management risks and responses
- Supplement your existing Risk Framework(s) with ISACA risk scenarios content aligned to COBIT processes/objectives
- Support your Risk stakeholders with value add content
- Industry validated content - Risk Scenarios: Using COBIT 5 for Risk book
Risk Scenarios: Using COBIT 5 for Risk provides practical guidance on how to use COBIT 5 for Risk to solve current business issues. The publication provides a high-level overview of risk concepts, along with over 60 complete risk scenarios covering all 20 categories described in COBIT 5 for Risk. An accompanying toolkit contains interactive risk scenario templates for each of the 20 categories.
- ISACA members can download this content - ask them.