How does FAIR compare to other risk standards, such as NIST CSF, ISO 2700x, etc., and can they work in tandem? We have been hearing people ask this question on a regular basis, so we addressed how FAIR and NIST CSF complement each other in an earlier blog post. Beyond CSF, many organizations follow the ISO 2700x series of standards to keep their information assets secure.
What is ISO 2700x?
The ISO 2700x series is a set of standards adopted to help organizations maintain the security of their information assets. Within an organization's risk management program (see the chart below), it's crucial to define a risk strategy based on the organization's context, set out procedures that will mitigate risk across the enterprise, and continually monitor and review progress.
As a component of the greater risk management program, the ISO 2700x frameworks provide recommended processes and activities that allow organizations to assess risks, align necessary controls, and ultimately report and review their systems' performance in a methodical fashion.
Organizations find that the ISO standards provide a practical series of guidelines for managing sensitive information such as financial data, intellectual property, and employee details. While following these steps and earning the certification may give the board, auditors, and customers peace of mind, this checklist approach often leaves organizations wondering whether compliance alone is enough.
What is FAIR?
FAIR stands for Factor Analysis of Information Risk. Simply stated, it is a standard model that decomposes risk into discrete factors, which allows risk to be analyzed and quantified. Unlike risk assessment standards whose output is qualitative color charts or numerically weighted scales, the FAIR model produces financially derived results tailored for enterprise risk management.
One problem that organizations often encounter is that there are too many mental models floating around when it comes to defining risk; by implementing FAIR, everyone at a company can speak the same language when it comes to risk. After all, "you cannot manage what you don't measure," and being able to quantify cyber and operational risk – made possible by FAIR – is at the core of any effective risk management program.
How do they fit together?
ISO 2700x does not prescribe a specific approach to analyzing risk; it leaves it to risk practitioners to select their preferred analytics model. This is where FAIR comes in, and it can be used to:
- Identify top risks, according to the FAIR definitions
- Analyze risk, in monetary terms
- Evaluate the efficacy of treatment options in terms of possible risk reduction
- Communicate risk in a language that everyone understands: dollars and cents
In sum, FAIR can be used as a complementary risk analytics model to ISO 2700x programs.
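As an added illustration of the analysis the list above describes (this is example code, not part of the original post or RiskLens' platform), the following FAIR-style Monte Carlo expresses one scenario's annualized loss exposure in dollars and the risk reduction a treatment option buys. It uses the public FAIR factor names (Threat Event Frequency, Vulnerability, Loss Magnitude); the scenario ranges, the PERT sampling and the Poisson event count are constructed assumptions.

```python
import math
import random
import statistics
from dataclasses import dataclass

@dataclass
class Scenario:
    tef: tuple    # threat events per year: (min, most likely, max)
    vuln: tuple   # probability a threat event becomes a loss event: (min, likely, max)
    lm: tuple     # loss magnitude per loss event in dollars: (min, likely, max)

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a PERT distribution: beta-shaped on [low, high], peaked at mode."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def poisson(rng, lam):
    """Number of loss events in one simulated year (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, years=10_000, seed=7):
    """Return one annual loss figure per simulated year (Risk = LEF x LM)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = pert_sample(rng, *scenario.tef) * pert_sample(rng, *scenario.vuln)
        events = poisson(rng, lef)
        losses.append(sum(pert_sample(rng, *scenario.lm) for _ in range(events)))
    return losses

def summarize(losses):
    """Annualized loss exposure (mean) and the 90th-percentile loss year."""
    ranked = sorted(losses)
    return {"mean": statistics.fmean(losses), "p90": ranked[int(0.9 * len(ranked))]}

def risk_reduction(before, after, **kw):
    """Expected annual loss avoided by a treatment, in dollars."""
    return summarize(simulate(before, **kw))["mean"] - summarize(simulate(after, **kw))["mean"]

if __name__ == "__main__":  # constructed sample scenario: a control that lowers vulnerability
    base = Scenario(tef=(2, 6, 12), vuln=(0.2, 0.35, 0.6), lm=(50_000, 200_000, 1_000_000))
    treated = Scenario(tef=base.tef, vuln=(0.05, 0.1, 0.2), lm=base.lm)
    print(summarize(simulate(base)), "reduction:", round(risk_reduction(base, treated)))
```

Comparing the mean annual loss avoided against the control's cost is the FAIR answer to "is this treatment worth it", stated in the same units as the budget.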
Enhance your risk management program by adding the economic dimension
RiskLens, as the only risk quantification platform purpose-built on FAIR, is helping many of the world's largest organizations to analyze their top risks in economic terms and enable effective decision-making as it relates to:
- Justifying security investments
- Defining security budgets
- Optimizing cyber insurance coverage
Contact us today to evaluate how RiskLens can add an economic dimension to your ISO 2700x risk management program.