This book brings together The Open Groups set of publications addressing risk management, which have been developed and approved by The Open Group. It is presented in three parts:
The Technical Standard for Risk Taxonomy
Technical Guide to the Requirements for Risk Assessment Methodologies
Technical Guide: FAIR ISO/IEC 27005 Cookbook
Part 1: Technical Standard for Risk Taxonomy
This Part provides a standard definition and taxonomy for information security risk, as well as information regarding how to use the taxonomy. The intended audience for this Part includes anyone who needs to understand and/or analyze a risk condition. This includes, but is not limited to:
Information security and risk management professionals
Auditors and regulators
This taxonomy is not limited to application in the information security space. It can, in fact, be applied to any risk scenario. This means the taxonomy to be used as a foundation for normalizing the results of risk analyses across varied risk domains.
Part 2: Technical Guide: Requirements for Risk Assessment Methodologies
This Part identifies and describes the key characteristics that make up any effective risk assessment methodology, thus providing a common set of criteria for evaluating any given risk assessment methodology against a clearly defined common set of essential requirements. In this way, it explains what features to look for when evaluating the capabilities of any given methodology, and the value those features represent.
Part 3: Technical Guide: FAIR ISO/IEC 27005 Cookbook
This Part describes in detail how to apply the FAIR (Factor Analysis for Information Risk) methodology to any selected risk management framework. It uses ISO/IEC 27005 as the example risk assessment framework. FAIR is complementary to all other risk assessment models/frameworks, including COSO, ITIL, ISO/IEC 27002, COBIT, OCTAVE, etc. It provides an engine that can be used in other risk models to improve the quality of the risk assessment results. The Cookbook enables risk technology practitioners to follow by example how to apply FAIR to other risk assessment models/frameworks of their choice.