⚖️ Risk analysis - IT Risk Management System (ITRMS)
Six topics on risk analysis: how risks arise and how to assess and treat them according to international practice (ISO 31000, ISO/IEC 27005, NIST SP 800-30 and RMF, FAIR). All figures are fictional and designed for training.
Basic concept of risk
Risk anatomy - from danger to risk
Application
Helps to formulate a risk as a scenario, not just as a "weak spot." A risk exists only when a threat source, a vulnerability AND a valuable asset are all present.
Reference
ISO Guide 73:2009 (dictionary) · ISO/IEC 27005:2022 · NIST SP 800-30 Rev.1.
Safety Note
Decisions are made on the residual risk, not the inherent risk: what matters is what remains after controls. The risk appetite determines how much residual risk is acceptable.
Risk Management Life Cycle
ITRMS process - ISO/IEC 27005:2022 & ISO 31000:2018
Application
One repeatable process serves both an ISO 27001 ISMS and NIS2. The steps are identical; only the scope and the criteria change.
Reference
ISO/IEC 27005:2022 · ISO 31000:2018 · NIST SP 800-39 · NIST SP 800-37 Rev. 2 (RMF).
Safety Note
Risk analysis is not a one-off document. It shall be reviewed periodically and after every major change (new system, incident, new threat); otherwise it becomes obsolete and therefore misleading.
Qualitative assessment
Risk matrix - Probability × effect (5×5)
The scale (3×3, 5×5) and the thresholds must be aligned with the organisation's risk appetite: the matrix is a communication tool, not a precise measurement.
Application
Rapidly ranks many risks by severity and shows where to start. Simple and understandable for management and non-technical parties as well.
Reference
ISO/IEC 27005:2022 · NIST SP 800-30 Rev.1 (Appendix G/H/I) · ISO/IEC 31010 (technical).
Safety Note
The matrix is subjective: two "high" risks may not be comparable. For big decisions (investments, cyber insurance), add a quantitative analysis.
Quantitative assessment
Risk of money - ALE, ROSI and FAIR
Application
ALE expresses the expected annual loss in money. It justifies control budgets and shows whether a control costs less than the risk it removes (ROSI).
Reference
NIST SP 800-30 Rev.1 (SLE/ARO/ALE) · FAIR / The Open Group O-RT, O-RA · ISO/IEC 27005:2022.
Safety Note
Quantitative numbers look precise, but they are only as good as the data behind them. Rare events with a huge impact (tail risk) are poorly captured by ALE; add them as separate scenarios.
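The arithmetic behind this card, as an added example that is not part of the original guide: SLE = AV × EF, ALE = SLE × ARO, and ROSI = (risk reduction − control cost) / control cost, applied to two constructed scenarios and two candidate controls. The scenario names, euro amounts and control parameters are assumptions made up for the illustration. It also shows the safety note's point: a data-centre fire has an ALE in the same range as ransomware, so a single-loss ceiling is needed to catch it as a tail risk.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario (threat source + vulnerability + asset). Values are constructed."""
    name: str
    asset_value: float      # AV, in EUR
    exposure_factor: float  # EF, share of AV lost in one event (0..1)
    aro: float              # ARO, expected number of events per year


@dataclass(frozen=True)
class Control:
    """A candidate control and the EF / ARO it is assumed to leave behind."""
    name: str
    annual_cost: float      # EUR per year (licences, staff time, premiums)
    ef_after: float
    aro_after: float


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(s) * s.aro


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control is in place."""
    return s.asset_value * c.ef_after * c.aro_after


def rosi(s: Scenario, c: Control) -> float:
    """Return on Security Investment: (ALE reduction - control cost) / control cost.
    A value below 0 means the control costs more than the risk it removes."""
    reduction = ale(s) - residual_ale(s, c)
    return (reduction - c.annual_cost) / c.annual_cost


def best_control(s: Scenario, controls: list) -> Control:
    """Pick the control with the highest ROSI for a scenario."""
    return max(controls, key=lambda c: rosi(s, c))


def is_tail_risk(s: Scenario, max_single_loss: float) -> bool:
    """Flag scenarios whose single event exceeds what the organisation could survive,
    regardless of how small their ALE looks."""
    return sle(s) > max_single_loss


# Constructed training scenarios (hypothetical figures).
RANSOMWARE = Scenario("ransomware on the file server", 200_000, 0.5, 0.2)
DC_FIRE = Scenario("data centre destroyed by fire", 5_000_000, 1.0, 0.005)
CONTROLS = [
    Control("offline backups + EDR", 8_000, ef_after=0.1, aro_after=0.2),
    Control("phishing awareness programme", 3_000, ef_after=0.5, aro_after=0.1),
]
MAX_SINGLE_LOSS = 1_000_000  # assumed single-event tolerance of the organisation


if __name__ == "__main__":
    for s in (RANSOMWARE, DC_FIRE):
        print(f"{s.name}: SLE {sle(s):,.0f} EUR, ALE {ale(s):,.0f} EUR,"
              f" tail risk: {is_tail_risk(s, MAX_SINGLE_LOSS)}")
    for c in CONTROLS:
        print(f"  {c.name}: residual ALE {residual_ale(RANSOMWARE, c):,.0f} EUR,"
              f" ROSI {rosi(RANSOMWARE, c):.0%}")
    print("best by ROSI:", best_control(RANSOMWARE, CONTROLS).name)
```

Note that both scenarios land at an ALE of 20,000 to 25,000 EUR, which is why the ALE alone would rank them as equals; only the single-loss ceiling separates the survivable event from the one that is not.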
Risk Treatment Options
Four options (4 T) and residual risk acceptance
Application
For each risk above appetite, one or more of the 4 T options shall be selected and recorded in the risk register together with the responsible owner and the deadline.
Reference
ISO/IEC 27005:2022 (processing options) · ISO/IEC 27001:2022 6.1.3 + Annex A (SoA) · NIST SP 800-37 Rev. 2 (Authorize).
Safety Note
"Transfer" does not mean getting rid of the risk: insurance covers part of the loss, but reputation and accountability remain. Acceptance is valid only when made knowingly and documented.
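A minimal risk-register check that ties the qualitative matrix card and the treatment card together, added here as an example that is not part of the original guide: each record is scored on a 5×5 likelihood × impact matrix, compared with a constructed appetite threshold, and, where it exceeds appetite, must carry a treatment option, an owner and a deadline; "Tolerate" additionally requires a documented sign-off. The band thresholds, the appetite value and the sample register entries are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The 4 T options."""
    TREAT = "Treat"
    TRANSFER = "Transfer"
    TOLERATE = "Tolerate"
    TERMINATE = "Terminate"


def band(likelihood: int, impact: int) -> str:
    """Map a 5x5 matrix cell to a severity band (thresholds constructed for this example)."""
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


APPETITE_MAX = 8  # assumed appetite: scores up to 8 (medium or lower) are acceptable


@dataclass
class RiskRecord:
    rid: str
    scenario: str
    likelihood: int                 # inherent, 1..5
    impact: int                     # inherent, 1..5
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    owner: Optional[str] = None
    deadline: Optional[date] = None
    acceptance_signed_by: Optional[str] = None


def inherent_score(r: RiskRecord) -> int:
    return r.likelihood * r.impact


def residual_score(r: RiskRecord) -> int:
    """Residual score; falls back to the inherent values where nothing was recorded."""
    lk = r.residual_likelihood if r.residual_likelihood is not None else r.likelihood
    im = r.residual_impact if r.residual_impact is not None else r.impact
    return lk * im


def validate(r: RiskRecord) -> List[str]:
    """Return the list of register defects for one record (empty means the record is complete)."""
    issues = []
    for v in (r.likelihood, r.impact):
        if not 1 <= v <= 5:
            issues.append(f"{r.rid}: likelihood/impact must be on the 1..5 scale")
    if inherent_score(r) <= APPETITE_MAX:
        return issues  # within appetite: no treatment required
    if r.treatment is None:
        issues.append(f"{r.rid}: above appetite but no treatment option recorded")
        return issues
    if r.owner is None or r.deadline is None:
        issues.append(f"{r.rid}: treatment recorded without responsible owner and deadline")
    if r.treatment is Treatment.TOLERATE and r.acceptance_signed_by is None:
        issues.append(f"{r.rid}: acceptance must be documented and signed off")
    if r.treatment is not Treatment.TOLERATE and residual_score(r) > APPETITE_MAX:
        issues.append(f"{r.rid}: residual risk still above appetite after treatment")
    return issues


# Constructed sample register (hypothetical scenarios and people).
REGISTER = [
    RiskRecord("R-01", "phishing leads to credential theft", 4, 4,
               Treatment.TREAT, residual_likelihood=2, residual_impact=4,
               owner="IT security lead", deadline=date(2025, 12, 31)),
    RiskRecord("R-02", "ransomware on the file server", 3, 5),
    RiskRecord("R-03", "unsupported legacy web application", 3, 3,
               Treatment.TOLERATE, owner="application owner", deadline=date(2025, 6, 30)),
    RiskRecord("R-04", "office printer outage", 2, 2),
]


def register_issues(register: List[RiskRecord]) -> List[str]:
    return [issue for r in register for issue in validate(r)]


if __name__ == "__main__":
    for r in REGISTER:
        print(r.rid, band(r.likelihood, r.impact), "->", validate(r) or "ok")
```

The check deliberately does not lower the residual score for "Transfer" on its own: in line with the safety note, insurance changes the financial share of the loss, and the record must state the residual that actually remains.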
Standard and Compliance Card
Risk management standards and NIS2 / ISO / MK 397 linkage
Application
Helps to choose a method when starting from scratch: ISO 27005 for certification, NIST RMF for system authorisation, FAIR for monetary decisions.
Reference
ISO 31000 · ISO/IEC 27005 · ISO/IEC 31010 · NIST SP 800-30/37/39 · NIST CSF 2.0 · FAIR · NIS2 · MK Regulation No 397 · GDPR.
Safety Note
Article 21(2)(a) of NIS2 explicitly requires risk analysis. In Latvia it is detailed by Cabinet Regulation No 397 and by EU Implementing Regulation 2024/2690; link the risk register to them.
Abbreviations
All abbreviations used in the guide (original and meaning).
- ITRMS
- IT Risk Management System.
- ISO/IEC
- International Organization for Standardization / International Electrotechnical Commission.
- NIST SP
- NIST Special Publication, published by the US National Institute of Standards and Technology.
- RMF
- Risk Management Framework (SP 800-37).
- CSF
- Cybersecurity Framework - NIST cybersecurity framework (version 2.0).
- ISMS
- Information Security Management System (ISO/IEC 27001).
- SoA
- Statement of Applicability (ISO/IEC 27001 6.1.3).
- PDCA
- Plan-Do-Check-Act (continuous improvement cycle).
- AV
- Asset Value.
- EF
- Exposure Factor (share of the asset value lost in one event).
- SLE
- Single Loss Expectancy (AV × EF).
- ARO
- Annualized Rate of Occurrence (expected frequency of the event per year).
- ALE
- Annualized Loss Expectancy (SLE × ARO).
- ROSI
- Return on Security Investment.
- FAIR
- Factor Analysis of Information Risk.
- LEF
- Loss Event Frequency (FAIR).
- LM
- Loss Magnitude (FAIR).
- O-RT / O-RA
- Open Group Risk Taxonomy / Risk Analysis.
- 4 T
- Treat, Transfer, Tolerate, Terminate - Reduce, Transfer, Accept, Avoid.
- NIS2
- Network and Information Security Directive 2.
- DORA
- Digital Operational Resilience Act (the financial sector).
- TIBER-EU
- Threat Intelligence-based Ethical Red Teaming.
- GDPR
- General Data Protection Regulation.
- DPIA
- Data Protection Impact Assessment (GDPR Article 35).
- MK 397
- Cabinet Regulation No. 397 (implementation of NIS2 in Latvia).
- COSO ERM
- Committee of Sponsoring Organizations · Enterprise Risk Management.
- COBIT
- Control Objectives for Information and Related Technologies (ISACA).
- OCTAVE
- Operationally Critical Threat, Asset and Vulnerability Evaluation (CERT/SEI).
- FMEA
- Failure Mode and Effects Analysis - analysis of failure types and their consequences.
- IKT
- Information and Communication Technologies (ICT).