In a blog post for ISACA, FAIR™ model creator Jack Jones reviews the recently released Risk IT Framework, 2nd Edition and Risk IT Practitioner Guide, 2nd Edition, and finds them “revitalized.”
Jack served on the original ISACA task force to create the Risk IT Framework, which provides descriptions and guidance for the key elements of a risk management program.
He was particularly pleased to see the updates to Risk IT’s section on risk assessment, with “significantly improved” guidance on quantitative vs. qualitative risk measurement
“Of particular importance to me is the fact that Risk IT remains highly compatible with the FAIR risk measurement model,” Jack writes. “If anything, it is even more closely aligned, which further strengthens the utility of both frameworks.”
Jack cites these points of alignment with FAIR:
- Risk IT uses approximately the same definition for risk — essentially, the probability and impact of loss events.
- Risks are defined as loss event scenarios.
- The components used to define loss event scenarios are the same as in FAIR (asset, threat, event type, etc.).
- The example scenarios Risk IT provides consistently align with that loss event scenario construct.
Read more of Jack’s comments in his ISACA blog post, Risk IT Revitalized.
How to Clearly Define a Risk Scenario Statement for FAIR Analysis