Abstract:
Information security deals with providing protection for digital information and information systems, ensuring the confidentiality, integrity and availability of data. The complexity of information security is not limited to purely technical matters; a significant share of the responsibility falls on proper management. ISO/IEC 27005:2011 – Information security risk management – does not prescribe any particular method for managing the risks associated with information security, but only a general approach. It is up to the organization to devise control objectives that reflect its specific approach to risk management and the degree of assurance it requires. There have been multiple attempts at shaping risk analysis and control methodologies and tools, among them CRAMM (United Kingdom, Insight Consulting), RiskWatch (USA, RiskWatch), Risicare/Mehari (France, BUC S.A./Clusif) and GRIF (Russia, Digital Security). Using an appropriate risk assessment solution, an organization can derive its own security requirements. This report deals specifically with the analysis of these methods as well as the systems that use them.