CIS RAM conforms to and supplements established information security risk assessment standards and methods, such as ISO 27005¹, NIST Special Publication 800-30², and Risk Information Technology (IT)³.
CIS RAM Principles and Practices
Principles
1 Risk analysis must consider the interests of all parties that may be harmed by the risk.
2 Risks must be reduced to a level that would not require a remedy to any party.
3 Safeguards must not be more burdensome than the risks they protect against.
Practices
1 Risk analysis considers the likelihood that threats could create magnitudes of impact.
2 Tolerance thresholds are stated in plain language and are applied to each factor in a risk analysis.
3 Impact and likelihood scores have a qualitative component that concisely states the concerns of interested parties, authorities, and the assessing organization.
4 Impact and likelihood scores are derived by a quantitative calculation that permits comparability among all evaluated risks and safeguards, and against risk acceptance criteria.
5 Impact definitions ensure that the magnitude of harm to one party is equated with the magnitude of harm to others.
6 Impact definitions should have an explicit boundary between those magnitudes that would be acceptable to all parties and those that would not be.
7 Impact definitions address: the organization’s mission or utility, to explain why the organization and others engage in risk; the organization’s self-interested objectives; and the organization’s obligations to protect others from harm.
8 Risk analysis relies on a standard of care to analyze current controls and recommended safeguards.
9 Risk is analyzed by subject matter experts who use evidence to evaluate risks and safeguards.
10 Risk assessments cannot evaluate all foreseeable risks. Therefore, risk assessments re-occur to identify and address more risks over time.
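The following is an added worked example, not code from CIS RAM or from CIS, showing how the practices above fit together in one scoring model: plain-language tiers for each factor (Practice 2), an explicit acceptable/unacceptable boundary (Practice 6), impact rated against mission, objectives and obligations with harm to others weighed on the same scale as harm to the organization (Practices 5 and 7), a single comparable number per risk (Practices 1 and 4), and a safeguard test that applies Principles 2 and 3. The five-point scales, the boundary values, the rule that risk equals impact multiplied by likelihood, and the backup scenario are all assumptions made for this illustration; the page itself states none of them.

```python
from dataclasses import dataclass

# Plain-language tolerance tiers for each factor (Practice 2). These scales,
# the acceptance boundary and the scoring rule below are assumptions for this
# illustration, not values taken from CIS RAM.
IMPACT_SCALE = {
    1: "negligible harm",
    2: "harm that is acceptable to all parties",   # boundary (Practice 6)
    3: "harm that some party would need remedied",
    4: "serious, lasting harm",
    5: "catastrophic harm",
}
LIKELIHOOD_SCALE = {
    1: "not foreseeable",
    2: "foreseeable but unlikely",
    3: "expected to occur",
    4: "occurs regularly",
    5: "occurring now or certain",
}
ACCEPTABLE_IMPACT = 2
ACCEPTABLE_LIKELIHOOD = 2
# Assumed acceptance criterion: a risk is acceptable when its score does not
# exceed acceptable impact x acceptable likelihood.
RISK_ACCEPTANCE_THRESHOLD = ACCEPTABLE_IMPACT * ACCEPTABLE_LIKELIHOOD  # 4


@dataclass(frozen=True)
class Impact:
    """Impact rated against the three areas named in Practice 7."""
    mission: int
    objectives: int
    obligations: int

    def score(self) -> int:
        # Practice 5: harm to outside parties (obligations) is weighed on the
        # same scale as harm to the organization, so the worst area drives it.
        return max(self.mission, self.objectives, self.obligations)

    def describe(self) -> str:
        return IMPACT_SCALE[self.score()]


@dataclass(frozen=True)
class Risk:
    name: str
    impact: Impact
    likelihood: int

    def score(self) -> int:
        # Practices 1 and 4: the likelihood that a threat creates this
        # magnitude of impact, reduced to one comparable number.
        return self.impact.score() * self.likelihood

    def is_acceptable(self) -> bool:
        return self.score() <= RISK_ACCEPTANCE_THRESHOLD


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual: Risk          # the risk as it would stand with the safeguard in place
    burden: Impact          # harm the safeguard itself causes (cost, friction, lost utility)
    burden_likelihood: int  # how likely that burden is to materialize


def evaluate_safeguard(risk: Risk, safeguard: Safeguard) -> dict:
    """Principle 2: residual risk must not require a remedy to any party.
    Principle 3: the safeguard must not be more burdensome than the risk."""
    burden_score = safeguard.burden.score() * safeguard.burden_likelihood
    reasons = []
    if not safeguard.residual.is_acceptable():
        reasons.append("residual risk still above the acceptance threshold")
    if burden_score > RISK_ACCEPTANCE_THRESHOLD:
        reasons.append("safeguard burden is itself unacceptable")
    if burden_score > risk.score():
        reasons.append("safeguard is more burdensome than the risk it reduces")
    return {
        "risk_score": risk.score(),
        "residual_score": safeguard.residual.score(),
        "burden_score": burden_score,
        "reasonable": not reasons,
        "reasons": reasons,
    }


# Constructed scenario (not from the page): backup media shipped off-site unencrypted.
UNENCRYPTED_BACKUPS = Risk(
    "unencrypted backup media lost in transit",
    Impact(mission=2, objectives=3, obligations=4),  # customers' data is the worst-hit area
    likelihood=3,
)
ENCRYPT_BACKUPS = Safeguard(
    "encrypt backup media and escrow the keys",
    residual=Risk("encrypted media lost in transit", Impact(1, 2, 2), likelihood=2),
    burden=Impact(mission=1, objectives=1, obligations=1),
    burden_likelihood=3,
)
STOP_OFFSITE_BACKUPS = Safeguard(
    "stop off-site backups altogether",
    residual=Risk("no media to lose", Impact(1, 1, 1), likelihood=1),
    burden=Impact(mission=4, objectives=3, obligations=2),  # loss of recovery capability
    burden_likelihood=5,
)

if __name__ == "__main__":
    print(UNENCRYPTED_BACKUPS.name, "->", UNENCRYPTED_BACKUPS.impact.describe(),
          "| score", UNENCRYPTED_BACKUPS.score(), "| acceptable:", UNENCRYPTED_BACKUPS.is_acceptable())
    for sg in (ENCRYPT_BACKUPS, STOP_OFFSITE_BACKUPS):
        print(sg.name, "->", evaluate_safeguard(UNENCRYPTED_BACKUPS, sg))
```

Running the script shows the point of Principle 3 in numbers: both safeguards bring the residual risk inside the acceptance boundary, but abandoning off-site backups scores a burden of 20 against a risk of 12, so it is rejected as more harmful than the risk it removes, while encryption carries a burden of 3 and is the reasonable choice.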