Daniel Kapellmann Zafra
University of Washington
Assignment #1
Risk Management Frameworks:
A Comparison between NIST, ISO and COSO
Introduction
Organizations operating in today's digital economy depend more and more on technology to manage
the information assets they need in order to achieve their main goals and objectives. For this reason,
it is important for companies to develop integral plans and strategies that let them know the threats
they face and manage risks efficiently, thus promoting a more secure information environment.
Information Risk Management refers to the integral and ongoing process, involving an entire
entity, of identifying, analyzing and responding to external or internal factors that can damage its main
information assets (Elky, 2007, pp. 1-2). It consists of the continuous framing, assessment and
evaluation of security risks, followed by risk control actions to address impacts on a company's performance and
by follow-up actions to monitor success and define next steps. (Vladimirov, et al., 2010, p. 264)
Even though risk management may not have an evident repercussion on an organization's
overall performance, it certainly generates numerous benefits. Efficient risk management programs allow
organizations to allocate resources better, enhance decision-making, support business continuity, reduce the
likelihood of risks materializing, increase operational efficiency, promote accurate financial reporting,
build a better reputation and comply with regulation, among other things. (AIRMIC, Alarm, IRM, 2010)
The increasing importance of dealing with information risks has led to the development
of different frameworks and methodologies that provide guidance for securing information assets. Some of
the most commonly used frameworks include the NIST Risk Management Framework, the ISO 31000
series, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) risk
management frameworks, the Operationally Critical Threat, Asset, and Vulnerability Evaluation
(OCTAVE) and the Security Risk Management Discipline (SRMD).
In the next sections of this paper three of the most widely recognized risk management frameworks
are presented and compared. Organizations may use these frameworks as guidance, but must ultimately
combine features from different methodologies to tailor their own risk management strategies to
their culture, values, budget, nature, mission and objectives.
NIST Cybersecurity and Risk Management Framework
The National Institute of Standards and Technology (NIST) Risk Management Framework is
designed to support compliance with the US Federal Information Security Management Act (FISMA) and
provides information security guidance for federal systems. It seeks to protect the individuals, operations and
assets relevant to the business objectives and mission of an organization. (Computer Security Division)
This framework offers a holistic approach that integrates risk management guidance, cybersecurity
guidelines and compliance with federal regulations, while offering abundant freely available information.
(CESG, 2015) Even though it is designed particularly for public institutions, the framework can be
adapted by business entities within the USA. The NIST approach is contained in a series of special
publications that deal with different aspects of risk management and their application. Four
documents in particular are relevant for this paper: NIST SP 800-30, 800-37, 800-39 and 800-53.
In the first place, NIST SP 800-39 defines how information security risk must be
managed across the three tiers of an institution: the organization, its mission/business processes and its
information systems. The process comprises framing, assessing, responding to and
monitoring risk, without establishing a fixed order for these components. (NIST, 2011, pp. 9-32)
NIST SP 800-30 provides further support on risk assessment methodology.
This publication explains how to prepare for, conduct, communicate and maintain an assessment.
Conducting the assessment is subdivided into five tasks: identifying threat sources and events,
identifying vulnerabilities and predisposing conditions, determining likelihood, determining impact and
determining the resulting risk. (NIST, 2012, pp. 32-35)
NIST Risk Assessment Model
Source: NIST SP 800-30 Guide for Conducting Risk Assessments
Finally, NIST SP 800-37 and NIST SP 800-53 explain the process to be followed for
implementing the Risk Management Framework and the security controls throughout the System
Development Life Cycle of federal information systems. The process consists of six steps:
categorizing the system and the information it handles, selecting a security control baseline, implementing the security
controls, assessing the controls and their effectiveness, authorizing the information system to operate once the
remaining risk is acceptable, and monitoring the security controls on a continuous basis. (NIST, 2010, pp. 7-9)
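The two NIST procedures described above, the five risk-determination tasks of SP 800-30 and the categorize step that opens the SP 800-37 process, as an added example in Python that is not part of the original paper or of any NIST publication. The threat events and information types are constructed; the likelihood-by-impact look-up is encoded as an assumption after Table I-2 of SP 800-30 Rev. 1 and should be checked against the published table before reuse. The categorize step applies the high-water-mark rule: the system's level is the highest of the confidentiality, integrity and availability impacts of any information type it handles, and that level is what drives the choice of the SP 800-53 baseline in the next step.

```python
"""Added example: SP 800-30 risk determination and the RMF 'categorize' step.

Everything here is constructed for illustration. The threat events are made up,
and RISK_MATRIX is an assumption modelled on Table I-2 of SP 800-30 Rev. 1;
verify it against the published table before relying on it.
"""
from dataclasses import dataclass

# Five-point qualitative scale used for likelihood, impact and risk.
SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]

# RISK_MATRIX[likelihood][SCALE.index(impact)] -> level of risk (assumption, see above).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class ThreatEvent:
    """One row of a risk register: the outputs of conduct tasks 1-4 as inputs."""
    threat_source: str   # task 1: who or what initiates the event
    vulnerability: str   # task 2: the weakness or predisposing condition exploited
    likelihood: str      # task 3: rating on SCALE
    impact: str          # task 4: rating on SCALE


def risk_level(likelihood: str, impact: str) -> str:
    """Task 5: determine risk from likelihood and impact via the look-up table."""
    if likelihood not in RISK_MATRIX or impact not in SCALE:
        raise ValueError(f"ratings must be one of {SCALE}")
    return RISK_MATRIX[likelihood][SCALE.index(impact)]


def rank_register(events):
    """Return (event, risk) pairs, highest risk first, to prioritize treatment."""
    scored = [(e, risk_level(e.likelihood, e.impact)) for e in events]
    return sorted(scored, key=lambda pair: SCALE.index(pair[1]), reverse=True)


def categorize_system(information_types):
    """RMF step 1 (categorize) using the high-water mark.

    information_types maps a name to its (confidentiality, integrity,
    availability) impact levels, each 'Low', 'Moderate' or 'High'. The system
    category is the highest level found in any objective of any type.
    """
    allowed = ["Low", "Moderate", "High"]
    highest = "Low"
    for name, triple in information_types.items():
        for level in triple:
            if level not in allowed:
                raise ValueError(f"{name}: impact level must be one of {allowed}")
            if allowed.index(level) > allowed.index(highest):
                highest = level
    return highest


# Constructed sample inputs (hypothetical organization).
SAMPLE_REGISTER = [
    ThreatEvent("External attacker", "Unpatched VPN appliance", "High", "Very High"),
    ThreatEvent("Privileged insider", "No separation of duties on payroll", "Low", "High"),
    ThreatEvent("Environmental", "Single data centre, no failover", "Very Low", "High"),
]
SAMPLE_INFO_TYPES = {
    "public web content": ("Low", "Moderate", "Low"),
    "payroll records": ("Moderate", "High", "Low"),
}

if __name__ == "__main__":
    for event, risk in rank_register(SAMPLE_REGISTER):
        print(f"{risk:9}  {event.threat_source} / {event.vulnerability}")
    print("system category (high-water mark):", categorize_system(SAMPLE_INFO_TYPES))
```

Note that the register ranks the insider and environmental events equally (both "Low") even though their impacts are high, because the table lets a low likelihood dominate; that is exactly the kind of result an assessor should sanity-check against the organization's risk tolerance rather than accept mechanically.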
ISO 31000 Risk Management Framework
The ISO 31000 Risk Management Framework was published in 2009 by the International
Organization for Standardization. This document contains principles and generic guidelines for risk
management in the public, private and community sectors. (ISO 31000, 2009) Further details are provided
by three main supporting documents: an implementation guide (ISO/TR 31004:2013), a vocabulary
(ISO Guide 73:2009) and a catalogue of risk assessment techniques (ISO/IEC 31010:2009).
What is most relevant about this framework, besides its international recognition, is that
it offers a generic approach that is not specific to any industry or sector and does not seek to impose
uniformity in risk management. It can be applied to a diverse set of activities within organizations, including
strategies, decisions, operations, functions, services and assets, among others. Furthermore, it is adaptable
to any nature of risk and also contemplates opportunities, that is, events with positive consequences. (ISO 31000, 2009)
The main ISO architecture scheme for managing risks is represented by the following diagram:
Risk Management Principles, Framework and Process
Source: ISO 31000 Risk Management Framework
The ISO Risk Management Framework is implemented, monitored and continuously improved
based on a set of principles that include value creation, support for decision making, a systematic approach, transparency and
dynamism, among others. Finally, ISO 31000 itself describes the risk management
process, which consists of establishing the context, assessing risks and implementing treatments, with
ISO/IEC 31010:2009 supplying the techniques for the assessment step. The process runs alongside two feedback
mechanisms: communication/consultation and monitoring/review. It is important to notice that the process does not
include explicit reporting or disclosure steps, and that its feedback mechanisms do not cover monitoring of
risk performance or review of the framework itself. (AIRMIC, Alarm, IRM, 2010)
COSO Risk Management Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985
under the sponsorship of five major US financial and accounting professional organizations. The group specializes in
developing guidance in three main areas: enterprise risk management, internal control and fraud
deterrence. (COSO)
For the purpose of this paper, two main documents are addressed: the Enterprise Risk
Management (ERM) Integrated Framework and the Internal Control Integrated Framework. The two frameworks are
designed to interrelate so that they promote better risk management guidance through the
incorporation of internal controls as a main strategy for mitigating risks, adapting to a changing business
environment and accomplishing an organization's objectives. (COSO, 2013)
The combination of these frameworks allows an organization to manage uncertainty and enhance
its performance by strengthening internal processes and governance. It helps to align risk appetite with
business strategy, enhance decision making, reduce operational losses, identify and manage
risks, seize opportunities and improve the deployment of capital (COSO, 2004), all while bearing in mind
the institution's main objective of preserving value for its stakeholders.
The COSO framework rests on three concepts worth noticing: objectives, components and
organizational structure. To achieve effective risk management and internal control, the three categories of
objectives (operations, reporting and compliance) must be met by following the principles associated with each of the five
components of internal control. (COSO, 2013)
COSO Framework Model
Source: COSO Internal Control – Integrated Framework Executive Summary
The entire process must be carried out at all levels of the organizational structure: entity level
(institutional), division, operating unit and function. This highlights the importance of engaging the entire
company in risk management, while still requiring clear roles and accountability among directors and
management.
Selecting a Framework for Your Organization
The three risk management frameworks studied in this paper share the common goal of guiding
organizations in managing risk through integrated strategies that span all levels of
an institution. Nevertheless, there are several differences between the approaches. They offer a
diverse set of positive and negative features that may be combined to meet an organization's needs.
The first relevant contrast between them is their area of validation and their main target. While the
NIST Risk Management Framework is mostly validated in the USA and focused on federal institutions,
ISO 31000 and its supporting documents have international recognition and may be adapted for use in
the public, private and community domains. COSO is mostly accepted within the USA and targets private
organizations.
Frameworks Comparison
Source: Created based on information from the official webpages of NIST, ISO and COSO
In terms of their main focus, the NIST framework is the only one of the three directly specialized
in the assurance of information assets and cybersecurity, adopting a defensive approach that is especially
convenient for the relevant government institutions. Besides, the framework offers abundant freely available
information to support both public and private institutions in developing risk management strategies. It
is important to remember that this approach is substantially robust in terms of information systems
protection and that it is also useful for complying with FISMA under the validation of the US
government.
By contrast, ISO offers generic guidelines for risk management across a wide range of activities in
industry, but without adequate monitoring considerations. COSO is mostly specialized in
internal controls and accurate reporting as mechanisms for mitigating risk. The COSO framework promotes
transparency and adequate control over the processes of both large and small companies, adopting a
stakeholder-oriented approach that bears in mind the creation of value for the firm.
As the preceding descriptions and comparisons show, risk management is not a simple one-way
process. Organizations may find guidance in these frameworks, but must carefully analyze which ones
work best for their particular cases based on their structure, values and main objectives. It is also important
to remember that the threats organizations face are dynamic, so these frameworks must themselves be
continuously modified and adapted.
Frameworks Comparison (table; columns: Framework, Organization, Validation, Orientation, Relevant Publications, Focus, Overall Strategy)

Framework: NIST
Organization: National Institute of Standards and Technology
Validation: USA
Orientation: Government (possible adaptation for industry)
Relevant Publications:
  NIST Special Publication 800-30, Guide for Conducting Risk Assessments
  NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security
  NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
  NIST Special Publication 800-53 and 800-53A, Recommended Security Controls for Federal Information Systems and Organizations, and Guide for Assessing Security Controls
Focus: Information risk management, assessment, monitoring and cybersecurity
Overall Strategy: Information security and risk management achieved through separate processes; the assessment consists of preparation, conduct, communication and maintenance.

Framework: ISO
Organization: International Organization for Standardization
Validation: International
Orientation: Public, private and community organizations
Relevant Publications:
  ISO 31000:2009, Risk Management: Principles and Guidelines
  ISO Guide 73:2009, Risk Management: Vocabulary
  ISO/TR 31004:2013, Guidance for Implementation of ISO 31000
  ISO/IEC 31010:2009, Risk Assessment Techniques
Focus: Generic guidelines for risk management in a diverse set of activities across industry
Overall Strategy: Framework design based on risk management principles; process consisting of context review, risk assessment and treatment; includes feedback mechanisms.

Framework: COSO
Organization: Committee of Sponsoring Organizations of the Treadway Commission
Validation: USA
Orientation: Private organizations
Relevant Publications:
  Internal Control - Integrated Framework (2013)
  Fraudulent Financial Reporting: 1998-2007
  Enterprise Risk Management - Integrated Framework (2004; next version in process)
Focus: Enterprise risk management, internal controls and financial fraud deterrence
Overall Strategy: Aligns objectives, components (with principles or guidelines) and organizational structure.
References:
AIRMIC, Alarm, IRM. (2010). A Structured Approach to Enterprise Risk Management (ERM) and the
Requirements of ISO 31000. Available at: https://www.theirm.org/media/886062/ISO3100_doc.pdf
Committee of Sponsoring Organizations of the Treadway Commission. About Us. Available at:
http://www.coso.org/aboutus.htm
Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise Risk Management -
Integrated Framework. Available at: http://www.coso.org/documents/coso_erm_executivesummary.pdf
Committee of Sponsoring Organizations of the Treadway Commission. (2013). Internal Control - Integrated
Framework. Available at:
http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf
Computer Security Division. Risk Management Framework (RMF) Overview, National Institute of
Standards and Technology. Available at: http://csrc.nist.gov/groups/SMA/fisma/framework.html
Elky, Steve. (2007). An Introduction to Information System Risk Management, SANS Institute. Available
at: https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204
International Organization for Standardization. (2009). ISO 31000:2009 Risk Management - Principles and
Guidelines. Available at:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170
National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management
Framework to Federal Information Systems. Available at: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
National Institute of Standards and Technology. (2011). Managing Information Security Risk. Available
at: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
National Institute of Standards and Technology. (2012). Guide for Conducting Risk Assessments.
Available at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
National Technical Authority for Information Assurance (CESG). (2015). Analysis of Information Risk
Management Methodologies, March 2015. Available at: https://www.gov.uk/guidance/analysis-of-information-risk-management-methodologies
Vladimirov, A., et al. (2010). Assessing Information Security, IT Governance Publishing. Accessed via JSTOR,
available at: http://www.jstor.org/stable/j.ctt5hh6v9.11