Daniel Kapellmann Zafra

University of Washington

Assignment #1

Risk Management Frameworks:

A Comparison between NIST, ISO and COSO

Introduction

Organizations operating in today’s digital economy depend each day more and more on technology

for managing their information assets in order to achieve their main goals and objectives. For this reason,

it is important for companies to develop integral plans and strategies that enable them to know the threats

they face and manage risks efficiently thus promoting a more secure information environment.

Information Risk Management refers to the integral and ongoing process that involves an entire

entity on the identification, analysis and response to external or internal factors that can damage its main

information assets (Elky, 2007, pp. 1-2). It consists on the continuous security framing, assessment and

evaluation of risks followed by risk control actions to address impacts on a company´s performance and the

follow-up actions to monitor success and define next steps. (Vladimirov, et al., 2010, p.264)

Even though risk management does not seem to have an evident repercussion on an organization’s

overall performance, it certainly generates numerous benefits. Efficient risk management programs allow

organizations to better allocate resources, enhance decision-making, support business continuity, affect the

likelihood of materializing risks, increase operational efficiency, promote accurate financial reporting,

generate better reputation and comply with regulation, among other things. (AIRMIC, Alarm, IRM, 2010)

The increasing importance of dealing with informational risks nowadays has led to the development

of different frameworks and methodologies that provide guidance for securing information assets. Some of

the most commonly used frameworks include the NIST Risk Management Framework, the ISO 31000

series, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk

Management Framework, the Operationally Critical Threat, Asset, and Vulnerability Evaluation

(OCTAVE) and the Security Risk Management Discipline (SRMD).

In the next sections of this paper three of the most well recognized risk management frameworks

will be presented and compared. Organizations may use these frameworks as guidance, but must ultimately

combine features from different methodologies to tailor their own risk management strategies based on

their culture, values, budget, nature, missions and objectives.

NIST Cybersecurity and Risk Management Framework

The National Institute of Standards and Technology (NIST) Risk Management Framework is

designed to comply with the USA Federal Information Security Management Act (FISMA) and attempts

to provide information security guidance for federal systems. It seeks to protect individuals, operations and

assets relevant for the business objectives and mission of an organization. (Computer Security Division)

This framework offers a holistic approach that integrates risk management guidance, cybersecurity

guidelines and compliance with federal regulations while offering abundant freely available information.

(CESG, 2015) Even though it is designed particularly for public institutions, the framework may be

adjustable for business entities within the USA. The NIST approach is contained within a series of special

publications that deal with different aspects of risk management and their application. Particularly four

documents are relevant for this paper: NIST SP 800-30, 800-37, 800-39 and 800-53.

In the first place, the NIST SP 800-39 defines how information security risk management must be

managed within the three tiers of an institution, which are the organization, mission/business processes and

information systems. The implicated process mostly deals with framing the risk, assessing, responding and

monitoring without establishing a particular order for the process. (NIST, 2011, pp. 9-32)

To address risk assessment methodologies, the NIST SP 800-30 document provides further support.

This publication explains how to prepare, conduct, constantly communicate and maintain an assessment.

The main exercise is subdivided in five actions which start with the identification of threat sources,

identification of vulnerabilities, determination of likelihood, impact calculation and definition of the risk.

(NIST, 2012, pp.32-35)

NIST Risk Assessment Model

Source: NIST SP 800-30 Guide for Conducting Risk Assessments

Finally, the NIST SP-37 and NIST SP-53 explain the process that must be followed for

implementing the Risk Management Framework and Security Controls throughout the System

Development Life Cycle in federal information systems. The process consists in six steps that are

categorizing systems and managed information, selecting a security baseline, implementing security

controls, assessing controls and their performance, authorizing information systems operation once risks

are acceptable and monitoring the security controls on a continuous basis. (NIST, 2010, pp. 7-9)

ISO 31000 Risk Management Framework

The ISO 31000 Risk Management Framework was published in 2009 by the International

Organization for Standardization. This document contains principles and generic guidelines for risk

management in the public, private and community sectors. (ISO 31000, 2009) Further details are provided

by three main additional tools: an implementation guide (ISO/TR 31004:2013), vocabulary compilation

(ISO 73:2009) and risk assessment techniques (ISO/IEC 31010:2009).

What is mostly relevant from this framework besides from its international recognition is the fact

that it offers a generic approach that is not specific for any industry or sector and does not seek to generate

uniformity in risk management. It can be applied to a diverse set of activities within organizations, including

strategies, decisions, operations, functions, services and assets, among others. Furthermore, it is adaptable

to any nature of risks and also contemplates opportunities or positive events. (ISO 31000, 2009)

The main ISO architecture scheme for managing risks is represented by the following diagram:

Risk Management Principles, Framework and Process

Source: ISO 31000 Risk Management Framework

The ISO Risk Management Framework is implemented, monitored and continuously improved

based on a set of principles that include value creation, decision making, systematization, transparency and

dynamism, among other things. Finally, the ISO/IEC 31010:2009 document explains the risk management

process, which consists on establishing the context, risk assessment and implementing treatments. This

happens simultaneously with two feedback mechanisms, which are communication/consulting and

monitoring/review. It is important to notice that the process does not include reporting or disclosure steps,

and that feedback mechanisms exclude monitoring risk performance as well as framework review.

(AIRMIC, Alarm, IRM, 2010)

COSO Risk Management Framework

The Committee of Sponsoring Organizations of the Treadway Commission was created in 1985

under the sponsorship of five major financial and accounting US organizations. The group is specialized in

developing guidelines related to three main areas: enterprise risk management, internal control and fraud

deterrence. (COSO)

For the objective of this paper, two main documents will be addressed: the Enterprise Risk

Management (ERM) and the Internal Controls Integrated Frameworks. Both of these frameworks are

designed to interrelate in such a way that they promote better risk management guidance through the

incorporation of internal controls as a main strategy for mitigating risks, adapting to a changing business

environment and accomplishing an organization’s objectives. (COSO, 2013)

The combination of these frameworks allows an organization to manage uncertainty and enhance

its performance by strengthening the internal processes and governance. It helps to align risk appetite with

business strategies, enhance the decision making process, reduce operational losses, identify and manage

risks, seize opportunities and improve the deployment of capital. (COSO, 2004) All of this, bearing in mind

the main objectives of the institution for preserving value among the stakeholders.

The COSO Framework recognizes three main concepts worth noticing: objectives, components and

organizational structure. In order to achieve effective risk management and internal controls, three main

objectives must be achieved by following a set of guidelines or principles related to each of the six main

components. (COSO, 2013)

COSO Framework Model

Source: COSO Internal Control – Integrated Framework Executive Summary

The entire process must be accomplished within all the levels of the organizational structure, incorporating

entity level (institutional), division, operating unit and function. This provides a general overview about the

importance of engaging the entire company on risk management despite of requiring clear roles and

accountability among directives.

Selecting a Framework for Your Organization

The three risk management frameworks studied in this paper share the common goal of guiding

organizations for managing risks through the integration of overall strategies that run over all the levels of

an institution. Nevertheless, there are several differences between each of these approaches. They offer a

diverse set of positive and negative features that may be combined in order to attain an organization’s needs.

The first relevant contrasts between them are the area of validation and their main target. While the

NIST Risk Management Framework is mostly validated in the USA and focused on federal institutions,

ISO 31000 –and its supporting documents- have international recognition and may be adapted for its use in

the public, private and community domains. COSO is mostly accepted within the USA and targets private

organizations.

Frameworks Comparison

Source: Created based on information from the official webpages of NIST, ISO and COSO

In terms of their main focus, the NIST Framework is the only one of the three directly specialized

on the assurance of information assets and cybersecurity, adopting a defensive approach that results strongly

convenient for relevant government institutions. Besides, the framework offers abundant freely available

information for supporting both public and private institutions in developing risk management strategies. It

is important to remember that this approach is substantially robust in terms of information systems

protection and that it is also useful for complying with FISMA regulation under the validation of the US

government.

Differently, ISO offers generic guidelines for risk management in a wide range of activities within

the industry and with the absence of adequate monitoring considerations. COSO is mostly specialized in

internal controls and accurate reporting as mechanisms for mitigating risks. The COSO framework ensures

transparency and adequate control over the processes of both big and small companies, adopting a

stakeholder oriented approach that bears in mind the creation of value for a firm.

As proven by the former descriptions and comparisons, risk management is not a simple one way

process. Organizations may find guidance from these frameworks, but must carefully analyze which ones

work best for their particular cases based on their structure, values and main objectives. It is also important

to remember that the threats being faced by organizations are dynamic, thus making it necessary for these

frameworks to suffer continuous modifications for adaptation purposes.

Framework Organization Validation Orientation Relevant Publications Focus Overall Strategy

NIST Special Publication 800-30 Guide for

Conducting Risk Assessments

NIST Special Publication 800-37 Guide for

Applying the Risk Management Framework

to Federal Information Systems: A Security

NIST Special Publication 800-39 Managing

Information Security Risk Organization,

Mission, and Information System View

NIST Special Publication 800-53 and 53A

Recommended Security Controls for Federal

Information Systems and Organizations, and

Guide for Applying Security Controls

ISO 31000:2009 Risk Management

Principles and Guidelines

ISO Guide 73:2009 Risk Management

Vocabulary

ISO/TR 31004:2013 Guidance for

Implementation of ISO 31000

ISO/ IEC 31010:2009 Risk Assessment

Techniques

Internal Control — Integrated Framework

2013

Fraudulent Financial Reporting: 1998-2007

2004 Enterprise Risk Management -

Integrated Framework (next version in

process)

National Institute of Standards

and TechnologyNIST

Generic guidelines for Risk

Management in a diverse

set of activities from the

industry

Framework design based on risk

management principles. Process

consistent on context review, risk

assessment and treatment. Includes

feedback mechanisms

Information Security and Risk

Management Achieved by

separating in different processes.

The Assessment consists on

preparation, conduction,

communication and maintenance.

Information Risk

Management, Assessment,

Monitoring and

Cybersecurity

Government

(possible adaptation

for industry)

USA

ISOInternational Organization for

StandardizationInternational

Public, private and

community

organizations

COSOCommittee of Sponsoring

Organizations of the Treadway

Commission (COSO)

Enterprise

Risk Management, Internal

Controls and Financial

Fraud Deterrence

Aligns objectives, components (with

principles or guidelines) and

organizational structure

USA

References:

AIRMIC, Alarm, IRM. (2010). A Structured Approach to Enterprise Risk Management (ERM) and the

Requirements of ISO 31000. Available in: https://www.theirm.org/media/886062/ISO3100_doc.pdf

Committee of Sponsoring Organizations Treadway Commission. About Us. Available in:

http://www.coso.org/aboutus.htm

Committee of Sponsoring Organizations Treadway Commission. (2004). Enterprise Risk Management –

Integrated Framework. Available in: http://www.coso.org/documents/coso_erm_executivesummary.pdf

Committee of Sponsoring Organizations Treadway Commission. (2013). Internal Control – Integrated

Framework. Available in:

http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf

Computer Security Division. Risk Management Framework (RMF) Overview, National Institute for

Standards and Technology. Available in: http://csrc.nist.gov/groups/SMA/fisma/framework.html

Elky, Steve. (2007). An Introduction to Information System Risk Management, SANS Institute. Available

in: https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-

management-1204

International Organization of Standardization. (2009). ISO 31000:2009 Risk Management – Principles and

guidelines. Available in:

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170

National Institute for Standards and Technology. (2010). Guide for Applying the Risk Management

Framework to Federal Information Systems. Available in: http://csrc.nist.gov/publications/nistpubs/800-

37-rev1/sp800-37-rev1-final.pdf

National Institute for Standards and Technology. (2011). Managing Information Security Risk. Available

in: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

National Institute for Standards and Technology. (2012). Guide for Conducting Risk Assessments.

Available in: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

National Technical Authority for Information Assurance (CESG). (2015). Analysis of information risk

management methodologies, March 2015. Available in: https://www.gov.uk/guidance/analysis-of-

information-risk-management-methodologies

Vladimirov A, et al. (2010). Assessing Information Security, IT Governance Publishing. Accessed via Jstor,

available in: http://www.jstor.org/stable/j.ctt5hh6v9.11