Information must be considered an organizational asset and must consequently be protected. With the aid of a risk management process, risks should be identified and possible countermeasures implemented.
In general, risk management is based on four steps: risk identification, risk analysis, risk treatment and monitoring of risks.
Many different methods and best practices have been developed for effective risk management. The most appropriate method for you depends on the structure of your organization and your specific requirements.
Security Research assists you in choosing an appropriate approach and supports you at each phase of the risk management process.
Based on experience, the following risk management approaches are most useful:
- CRISAM: The Corporate Risk Application Method (CRISAM) is a tool-based risk management method for implementing a holistic risk management process within your organization. Deviations from specified set points can be identified and additional measures can be taken.
- ISO/IEC 27005: ISO 27005 is a revision of the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC 13335 (MICTS Part 2) and BS 7799-3. This standard supports the implementation of risk management in terms of ISO/IEC 27001. Both ISO 27005 and ISO 27001 are based on the PDCA cycle. If your ISMS is already based on ISO 27001, ISO 27005 might be the best choice for implementing an effective risk management method in your organization.
- BSI IT Baseline Protection: IT Baseline Protection stands out as a method for organizations to implement an Information Security Management System. It covers both general IT security recommendations and detailed technical recommendations to achieve the desired security level within a specific domain. It proceeds from overall hazards, and appropriate countermeasures are provided to counteract them.
- Austrian Security Handbook: the Austrian Security Handbook is based on BSI IT Baseline Protection but differs in its scope and considers Austrian laws and regulations. The Austrian Security Handbook is well suited as a method for small and medium-sized companies.