Compilation of Risk Assessment Guidelines from Various Regulatory and Compliance Entities

The Cyber Risk Management Workgroup has now published a compilation of risk assessment guidelines from various regulatory and compliance entities, intended as an overview for practitioners. This compilation can be used to identify which entities share commonalities in their risk assessment guidelines, and also to reveal where the benefits of quantification can be applied to achieve stated objectives. Further, while one entity specifically references FAIR as a framework for conducting a risk analysis (i.e., PCI-DSS), others cite the added benefits that quantifying risk using a consistent model/framework can bring to the overall risk assessment process. These suggestions may indicate a future movement toward risk assessments fueled by FAIR. To summarize, the Workgroup analyzed guidance from 15 separate entities against the following criteria:

Language for risk assessment requirements
Frequency that the risk assessment should be performed
Does the entity recommend quantifying risk?
Does the entity recommend measuring risk / use of metrics?
Does the entity require monitoring changing risk levels over time?
Intended use of the risk assessment
Framework(s) or tools cited by entity
