ISO 31000:2018 Risk Management Guidelines Are Good Advice, Up to a Point

The influential International Standards Organization (ISO) updated its standard for risk management, ISO 31000, earlier this year, to make it “clearer, shorter and more concise,” the ISO said. There’s a new focus on the responsibility of organizational leadership to make sure that risk management is integrated into all activities, and direction to risk managers to keep improving and revising security processes and controls as conditions change.

In a recent article in Security Intelligence, Key Questions for Effective Cyber Risk Management From the ISO 31000:2018, Chris Veltsos (AKA DrInfoSec) of the computer science department at Minnesota State University breaks out some questions for CISOs, inspired by ISO 31000:2018, including:

How Integrated Are Your Organization’s Security Practices?

  • Don’t treat cybersecurity as strictly an IT issue, Veltsos recommends, and in particular connect it with the organization’s enterprise risk management (ERM) initiative.

How Does Your Organization Assess Cyber Risks?

  • “Is the scope of the cyber risk assessment aligned with your organization’s strategy and objectives?” Veltsos asks. “Is the risk-assessment process systematic, inquisitive, iterative and collaborative?”

Is Your Organization Effectively Communicating Cyber Risks?

  • “Does the information provided as part of the cyber risk-management process help decision-makers improve the quality of their cyber risk decisions?” he continues. “Is the information tied to its impact on business objectives?”

(Read the complete article on Security Intelligence)

“The article does a nice job of highlighting the risk management ideals laid out by ISO 31000 (which ISO gets right),” comments Jack Jones, RiskLens EVP and creator of the FAIR model for quantitative risk analysis.

But what’s not in the article – or in the standard itself – shows some serious limitations of the ISO’s approach, in Jack’s view:

“It does not include anything meaningful about risk measurement, which everything else is at least somewhat dependent upon in order to be effective (e.g., prioritization, cost-effective use of resources, etc.).”

“It doesn’t touch on the inconsistency and inaccuracy that is rampant in cyber risk measurement today, which is due to poor terminology, uncalibrated mental models, heavy reliance on compliance and ‘best practice’, broken models (e.g., CVSS and NIST 800-30), and the fact that most wet-finger risk measurements (‘It feels like High Risk to me’) are made without any explicit scoping of what’s just been ‘measured’.”

Jack’s conclusion: “Absent good measurement practices, ISO’s ideals can’t be realized.”

The FAIR model that powers the RiskLens application is the only international standard quantitative model for cyber security and operational risk. Unlike risk assessment standards that focus their output on qualitative color charts or numerical weighted scales, the FAIR model specializes in financially derived results tailored for enterprise risk management. The FAIR Institute has over 3,000 members sharing information on use of the FAIR approach to risk. Recently, leading technology analyst firm Gartner identified risk quantification as a critical capability for any effective cyber risk management program.