Announcing the FAIR Cyber Risk Management Program (FAIR-CRMP) Standard v1.0


The FAIR Institute is proud to release the FAIR Cyber Risk Management Program (FAIR-CRMP) Standard v1.0, a first-of-its-kind standard that defines what a comprehensive and business-aligned cyber risk management program should look like when built on the Factor Analysis of Information Risk (FAIR) model.

As the practice of cyber risk quantification (CRQ) becomes more mainstream, this new standard helps organizations operationalize FAIR beyond analysis into governance, strategy, decision-making, and enterprise-wide execution.

Why This Standard Is Needed

For years, organizations have adopted frameworks and best practices that describe what cybersecurity controls to implement, but few have defined what a cyber risk management program should do. Most current models focus on maturity scores, compliance checklists, or abstract principles that don’t translate easily into measurable business outcomes.

As regulatory requirements, board expectations, and risk landscapes evolve, organizations urgently need a cohesive, standards-based structure to guide their cyber risk programs, rooted in economic principles, accountability, and informed decision-making.

The FAIR-CRMP Standard provides that structure. And better yet, it is compatible with existing frameworks such as ISO/IEC 27005, NIST Risk Management Framework, COSO Enterprise Risk Management, and others. It is also designed to help organizations meet cyber risk management requirements established by case law in the United States and many other countries. 

Key Components of the FAIR-CRMP Standard

The FAIR-CRMP Standard v1.0 outlines four essential components of a successful cyber risk management program. Each component is supported by a set of actionable principles that organizations can tailor to their size, structure, and industry context:

1. Agile Governance

Establish and maintain the structures needed for clear accountability and effective oversight of cyber risk. This includes defining CRMP policies, roles, and responsibilities; aligning with enterprise risk frameworks; and facilitating board and executive engagement.

2. Risk-Informed System

Develop the capabilities necessary to consistently identify, assess, monitor, and communicate cyber risk. Key principles include defining a risk assessment methodology, establishing risk thresholds, enabling monitoring, and reporting risk insights in a timely, actionable way.

3. Risk-Based Strategy and Execution

Align cyber strategy, investments, and operational decisions to acceptable levels of risk. This component ensures that cybersecurity actions and budgets are tied to risk thresholds, with mechanisms in place to track progress and adjust as needed.

4. Risk Escalation and Disclosure

Ensure there are defined, reliable processes for escalating and disclosing cyber risk when thresholds are exceeded or legal/regulatory triggers are met. This includes clarifying escalation paths, establishing disclosure protocols, and integrating with legal, compliance, and external reporting functions.

Together, these components create a closed-loop system for governing cyber risk: from identifying and measuring it, to acting on it, communicating it, and continuously aligning with business objectives.

Built by the Community, for the Community

This standard was developed through our working group of the following professionals:

  • Brian Allen, Managing Director, AI RegRisk™ Think Tank
  • Brandon Bapst, Senior Manager, Cyber Risk Advisor, EY
  • Zach Cossairt, Senior Director, Risk Advisory, SAFE
  • Heather Dart, Sr Manager, Information Risk Management, Danaher
  • Randy Herold, SVP, CISO and CPO, ManpowerGroup
  • Jimmy Lumis, Business Information Security Officer, Corporate Functions, IHG
  • Mike Prieur, Senior Director, Security GRC, Centene
  • Todd Tucker, Managing Director, FAIR Institute

The FAIR Institute’s Standards Committee reviewed the standard and approved the released version.

FAIR-CRMP reflects years of practical experience implementing FAIR and building cyber risk management programs, combined with a commitment to standardizing how organizations manage cyber risk in a defensible and repeatable way.

We would especially like to thank Brandon Bapst and Brian Allen for their contributions. Their book, “Building a Cyber Risk Management Program,” provided critical insight into program-level structures and inspired much of the language and approach in the FAIR-CRMP Standard. Their thought leadership helped shape a document that now sets a new benchmark for cyber risk programs.

A Milestone in Advancing the Profession

The FAIR-CRMP Standard complements other FAIR-aligned standards, such as:

  • The FAIR Model for quantifying risk
  • The FAIR Controls Analytics Model (FAIR-CAM) for evaluating controls
  • The FAIR Materiality Assessment Model (FAIR-MAM) for determining financial impact

With FAIR-CRMP, organizations now have a complete programmatic framework to define, measure, and manage cyber risk from strategy to execution, all while aligning with business priorities, satisfying governance requirements, and delivering real economic insight.

Download the FAIR-CRMP Standard v1.0

We look forward to having more discussions with our community on this and related topics. Consider joining us at the 2025 FAIR Conference, November 4-5, where we’ve got numerous presentations and discussions on the topic of building and running successful CRM programs, including:

  • Building an Effective Cyber Risk Management Program, executive roundtable led by Alexander Antukh, CISO, AboitizPower; Michael Montoya, COO, BlueVoyant, F5 Board Member; Paul Love, Managing Director, GRC, Delta Airlines; Robert Moore, VP, Technology Risk Management, Mastercard; Zach Cossairt, Senior Director, Risk Advisory, SAFE; and Brandon Bapst, Cyber Risk Advisory, EY
  • From Checkbox to Chess Move: Building a Risk-Driven GRC Program, case study by Adrienne Allen, Fmr. Senior Director, Technology Risk & Controls, Coinbase
  • Operationalizing Decision Support in the Age of AI, best practices presentation by Zach Cossairt and Tony Martin-Vegue, Risk Management Researcher & Author
  • From Challenges to Capabilities: Maturing Cyber Risk Management Programs with FAIR, case study by Michael Schiavone, Manager of Governance & Risk, and Niki Hale, Manager, Third Party Security, both from Liberty Mutual

Lastly, we welcome your feedback. Email us at Standards@FAIRInstitute.org with any suggestions, questions, or concerns.
