We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.
The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.
Joe Vinck is a RiskLens Strategic Account Executive
Besides the NIST CSF, organizations in financial services, web services or others that handle sensitive data often also seek to reassure customers and management with certification in the ISO 27000 set of standards, particularly ISO 27001, requirements for information security management systems (ISMS) and ISO 27005, requirements for implementation of information security based on a risk management approach.
These ISO standards help organizations maintain the security of their information assets by recommending types of security controls and processes. They also help to define a risk strategy based on business needs to mitigate risk across the enterprise and continually monitor and communicate progress in a methodical fashion – as shown in this schematic.
While ISO 27001 and the like are highly useful as compliance standards, and signs of a certain level of maturity for security organizations, they can’t answer on the basics that any organization would like to know, such as “How much risk do we have?” and “If we invest in security controls, how much less risk will we have?”—questions that can only be answered with a method to quantify risk in financial terms.
The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.
Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.
FAIR and RiskLens can be used to:
In sum, FAIR can be used as a complementary risk analytics model to get the highest business value from ISO 27001 and related programs.
The RiskLens SaaS platform enables the practical use of FAIR analysis, with a guided workflow, built-in data libraries and automated, flexible analysis and reporting. Platform capabilities include:
RiskLens is already serving large IT, financial and other ISO 27001-certified organizations. Talk to us about implementing RiskLens and FAIR to maximize the business value of your ISO 27000 program.
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.We help organizations translate cyber risk from the technical into the economic language of business.Schedule a Demo