Source: NIST SP 800-30 R1

Risk Assessment_ISO31000

According to NIST SP 800-30 R1, risk assessment is the process of identifying, estimating, and prioritizing information security risks. This definition matches the one in ISO 31000; estimating refers to the analysis, while prioritizing refers to evaluation.

However, the guideline uses two terms in the risk assessment process that may confuse people: assessment approach and analysis approach.

Assessment approach: e.g., quantitative, qualitative, or semi-qualitative
Analysis approach: e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented

Risk Framing Components

The assessment approach defined in the Frame stage should apply to the “risk assessment process” as a whole, while the analysis approach should refer to the approach used to “estimate” risk as a part of the risk assessment process.

NIST FARM-Assessment Methodology

FIGURE 2: RELATIONSHIP AMONG RISK FRAMING COMPONENTS (NIST SP 800-30 R1)

FIGURE 5: RISK ASSESSMENT PROCESS (NIST SP 800-30 R1)

Risk Assessment “Slash” Analysis?

It seems that both ISO and NIST distinguish risk assessment from risk analysis. However, it’s common for people to use them interchangeably. I think it’s a good practice to use them precisely.

Security Control Assessment (SCA)

Wentz Wu

ISSAP, ISSEP, ISSMP CISSP, CCSP, CSSLP, CGRC, SSCP, CC, CISM, CISA, CRISC, CGEIT, PMP, ACP, PBA, RMP, CEH, ECSA

Risk Assessment “Slash” Analysis?

Risk Framing Components

Risk Assessment “Slash” Analysis?

Like this:

Related

Leave a ReplyCancel reply

Risk Framing Components

Risk Assessment “Slash” Analysis?

Share this:

Like this:

Related

Leave a ReplyCancel reply

Discover more from Wentz Wu