Link: Risk management guidance (NCSC)
https://www.ncsc.gov.uk/collection/risk-management-collection
Component-driven vs system-driven
Component-driven
- Scope: pick one system component and assess it in isolation
- Dependencies: note what the component relies on that is outside your control (third-party services, upstream suppliers, shared infrastructure)
- Analyse, for each component:
  - Impact: consequence of a compromise, expressed against confidentiality, integrity and availability (CIA)
  - Vulnerability: weaknesses in the component that could be exploited
  - Threat: who or what could exploit them, and how likely that is
- Prioritisation: rank the resulting risks (typically impact combined with likelihood) so treatment effort goes to the highest first
Methods and frameworks (component-driven)
- ISO/IEC 27005
- NIST SP 800-30, Guide for Conducting Risk Assessments
  - https://www.nist.gov/publications/guide-conducting-risk-assessments
- OCTAVE Allegro (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
- Information Security Forum (ISF) IRAM2
- HMG Information Assurance Standard 1 & 2 (IS1 & 2)
- ISACA COBIT 5 for Risk
System-driven