The FAIR Institute is proud to release the FAIR Cyber Risk Management Program (FAIR-CRMP) Standard v1.0, a first-of-its-kind standard that defines what a comprehensive and business-aligned cyber risk management program should look like when built on the Factor Analysis of Information Risk (FAIR) model.
As the practice of cyber risk quantification (CRQ) becomes more mainstream, this new standard helps organizations operationalize FAIR beyond analysis into governance, strategy, decision-making, and enterprise-wide execution.
For years, organizations have adopted frameworks and best practices that describe what cybersecurity controls to implement, but few have defined what a cyber risk management program should do. Most current models focus on maturity scores, compliance checklists, or abstract principles that don’t translate easily into measurable business outcomes.
As regulatory requirements, board expectations, and risk landscapes evolve, organizations urgently need a cohesive, standards-based structure to guide their cyber risk programs, rooted in economic principles, accountability, and informed decision-making.
The FAIR-CRMP Standard provides that structure. Better yet, it is compatible with existing frameworks such as ISO/IEC 27005, the NIST Risk Management Framework, COSO Enterprise Risk Management, and others. It is also designed to help organizations meet the cyber risk management requirements established by case law in the United States and many other countries.
The FAIR-CRMP Standard v1.0 outlines four essential components of a successful cyber risk management program. Each component is supported by a set of actionable principles that organizations can tailor to their size, structure, and industry context:
Establish and maintain the structures needed for clear accountability and effective oversight of cyber risk. This includes defining CRMP policies, roles, and responsibilities; aligning with enterprise risk frameworks; and facilitating board and executive engagement.
Develop the capabilities necessary to consistently identify, assess, monitor, and communicate cyber risk. Key principles include defining a risk assessment methodology, establishing risk thresholds, enabling monitoring, and reporting risk insights in a timely, actionable way.
Align cyber strategy, investments, and operational decisions to acceptable levels of risk. This component ensures that cybersecurity actions and budgets are tied to risk thresholds, with mechanisms in place to track progress and adjust as needed.
Ensure there are defined, reliable processes for escalating and disclosing cyber risk when thresholds are exceeded or legal/regulatory triggers are met. This includes clarifying escalation paths, establishing disclosure protocols, and integrating with legal, compliance, and external reporting functions.
Together, these components create a closed-loop system for governing cyber risk: from identifying and measuring it, to acting on it, communicating it, and continuously aligning with business objectives.
This standard was developed by a working group of the following professionals:
The FAIR Institute’s Standards Committee reviewed the standard and approved the released version.
FAIR-CRMP reflects years of practical experience implementing FAIR and building cyber risk management programs, combined with a commitment to standardizing how organizations manage cyber risk in a defensible and repeatable way.
We would especially like to thank Brandon Bapst and Brian Allen for their contributions. Their book, “Building a Cyber Risk Management Program,” provided critical insight into program-level structures and inspired much of the language and approach in the FAIR-CRMP Standard. Their thought leadership helped shape a document that now sets a new benchmark for cyber risk programs.
The FAIR-CRMP Standard complements other FAIR-aligned standards, such as:
With FAIR-CRMP, organizations now have a complete programmatic framework to define, measure, and manage cyber risk from strategy to execution, all while aligning with business priorities, satisfying governance requirements, and delivering real economic insight.
Download the FAIR-CRMP Standard v1.0
We look forward to having more discussions with our community on this and related topics. Consider joining us at the 2025 FAIR Conference, November 4-5, where we’ve got numerous presentations and discussions on the topic of building and running successful CRM programs, including:
Lastly, we welcome your feedback. Email us at Standards@FAIRInstitute.org with any suggestions, questions, or concerns.