Link

Risk management guidance

https://www.ncsc.gov.uk/collection/risk-management-collection

Component-driven vs Systems-driven


Component-driven

  1. Pick a system component (scope)
  2. Identify its dependencies (those the component relies on but does not control)
  3. Analyse
    1. Impact → confidentiality, integrity, availability (CIA)
    2. Vulnerability
    3. Threat
  4. Prioritisation

Methods and Frameworks

  1. ISO/IEC 27005
  2. NIST 800-30
    1. https://www.nist.gov/publications/guide-conducting-risk-assessments
  3. OCTAVE Allegro
    1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  4. Information Security Forum (ISF) IRAM 2
  5. HMG Information Assurance Standard 1 & 2
  6. ISACA COBIT 5 for Risk

System-driven