The Information Security Forum (ISF) has launched the Information Risk Assessment Methodology version 2 (IRAM2), meant to help businesses identify, analyze and treat information risk throughout the organization.
“With the explosion of digital information, it’s not possible for organizations to protect all of their information and associated systems to the same level,” said Steve Durbin, managing director at ISF, in a statement. “To help organizations address the increasing challenge of managing information risk, we have completely redesigned our approach to conducting information risk assessments. IRAM2, the latest version of our Information Risk Assessment Methodology, has been designed to guide information risk practitioners’ analysis so that information risk is assessed from the perspective of the business. The end result is a risk profile that rejects a complete view of information risk in business terms.”
As information risks and cybersecurity threats increase, organizations need to move away from reacting to these incidents and toward predicting and preventing them.
“IRAM2 focuses on simplicity and practicality, while embedding consistency and reliability throughout the assessment process,” the organization noted. “This enables consistent results and a depth of analysis that enhances business decision-making.”
One of the goals of IRAM2 is to provide organizations with the ability to tailor their threat tables to reflect an organization’s overall risk appetite. Once defined at an organizational level, the risk appetite may be cascaded down and presented differently throughout an organization.
If an organization does not have a defined risk appetite, the decisions regarding the treatment for each risk will have to be made by the key stakeholders on a risk-by-risk basis. The practitioner should make the key stakeholders aware that the lack of a defined risk appetite could result in inconsistent decisions regarding the amount of risk the organization accepts.
“Managing information risk fundamentally relates to being able to effectively balance risk against reward,” continued Durbin. “IRAM2 empowers information risk practitioners to engage with key business, risk and technology stakeholders in an organized and enterprise-aware manner. It allows key business and technology stakeholders to determine risk versus reward and obtain a clear picture of where to focus resources, in order to deal with information risks that are most significant to the organization.”
Information risk is assessed by evaluating a variety of information risk factors that comprise each information risk equation. IRAM2 is designed in a modular format to provide guidance in assessing each of these factors, and assist the practitioner in determining the final residual risk rating.