
Fundamental Information Risk Management

In this Ask the Expert Q&A, our security management expert explains what FIRM is and how and why it was developed, and lists the other risk management methodologies available today.

Where can I receive information about FIRM (Fundamental Information Risk Management)? Is it an information risk management methodology?
There are several risk management methodologies available in the industry today. They include:
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • CCTA Risk Analysis and Management Method (CRAMM)
  • Information Security Forum's Fundamental Information Risk Management (FIRM)
  • Commonly Accepted Security Practices and Regulations (CASPR)
  • Control Objectives for Information and (Related) Technology (COBIT)
  • A portion of ISO 17799
Fundamental Information Risk Management (FIRM) was developed by a consortium of corporations that make up the Information Security Forum (ISF). ISF is a not-for-profit organization that companies can join by paying an annual fee. FIRM outlines the processes for carrying out a structured risk assessment. This approach to risk management requires the owner of each business resource or asset to fill out a scorecard that measures the five elements of risk:
  • Criticality
  • The vulnerability of various elements in your resource
  • Any special circumstances affecting your resource, such as the maturity or complexity of technology
  • The level of threat
  • The potential business impact of a breach or denial-of-service
After each owner supplies this information, the program director (often the security officer) correlates the data to provide a holistic view of the organization's risk posture as it relates to the identified assets. The goal is to identify the business impact if one or more of these assets are negatively affected. The scorecards are mapped together to provide a visual representation of the data that has been entered and collected.
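The scorecard exercise described above, as an added example that is not part of the original answer and not ISF's own FIRM material: each asset owner fills in one card with the five elements, and the program director correlates the cards into a ranked, banded view. The 1-to-5 scale, the composite rating formula, the band thresholds and the sample assets are illustrative assumptions; FIRM's actual scoring rules are only available from ISF.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example of a FIRM-style scorecard exercise. The five elements are the
# ones the text lists; the 1..5 ordinal scale, the composite formula and the risk
# bands are illustrative assumptions, not ISF's own FIRM scoring rules.
ELEMENTS = ("criticality", "vulnerability", "special_circumstances",
            "threat", "business_impact")
SCALE = range(1, 6)  # 1 = lowest, 5 = highest (assumed scale)


@dataclass(frozen=True)
class Scorecard:
    """One owner's scorecard for one business resource or asset."""
    asset: str
    owner: str
    criticality: int
    vulnerability: int
    special_circumstances: int
    threat: int
    business_impact: int

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so one bad entry cannot skew the view.
        for name in ELEMENTS:
            value = getattr(self, name)
            if not isinstance(value, int) or value not in SCALE:
                raise ValueError(f"{self.asset}: {name}={value!r} must be an integer in 1..5")

    def risk_rating(self) -> int:
        # Illustrative composite (assumption): likelihood side = threat x vulnerability,
        # raised by special circumstances such as immature or complex technology;
        # consequence side = business impact of a breach or denial of service,
        # weighted by how critical the asset is to the business.
        likelihood = self.threat * self.vulnerability + self.special_circumstances
        consequence = self.criticality * self.business_impact
        return likelihood * consequence


# Assumed bands for the composite rating (maximum possible is (25 + 5) * 25 = 750).
BANDS: Tuple[Tuple[str, int], ...] = (("High", 300), ("Medium", 100), ("Low", 0))


def band_for(rating: int) -> str:
    for label, floor in BANDS:
        if rating >= floor:
            return label
    return "Low"


def correlate(cards: List[Scorecard]) -> List[Tuple[str, str, int, str]]:
    """Program director's step: merge every owner's card into one ranked view.
    Returns (asset, owner, rating, band) sorted from highest to lowest risk."""
    seen: Dict[str, str] = {}
    for card in cards:
        # The same asset scored twice is a data-collection error to resolve with
        # the owners, not something to silently average away.
        if card.asset in seen:
            raise ValueError(f"{card.asset}: scored by both {seen[card.asset]} and {card.owner}")
        seen[card.asset] = card.owner
    ranked = sorted(cards, key=lambda c: (-c.risk_rating(), c.asset))
    return [(c.asset, c.owner, c.risk_rating(), band_for(c.risk_rating())) for c in ranked]


def risk_posture(cards: List[Scorecard]) -> Dict[str, List[str]]:
    """Holistic view: which assets fall into which risk band."""
    posture: Dict[str, List[str]] = {label: [] for label, _ in BANDS}
    for asset, _owner, _rating, band in correlate(cards):
        posture[band].append(asset)
    return posture


def render_heatmap(cards: List[Scorecard], width: int = 30) -> str:
    """Text stand-in for the visual map of the collected scorecards."""
    top = max(c.risk_rating() for c in cards) if cards else 1
    lines = []
    for asset, owner, rating, band in correlate(cards):
        bar = "#" * max(1, round(width * rating / top))
        lines.append(f"{asset:<18}{band:<8}{rating:>4} {bar}  ({owner})")
    return "\n".join(lines)


# Constructed sample input: three owners, three assets (hypothetical names).
SAMPLE_SCORECARDS = [
    Scorecard("customer-db", "dba-team", criticality=5, vulnerability=4,
              special_circumstances=2, threat=4, business_impact=5),
    Scorecard("intranet-wiki", "it-ops", criticality=2, vulnerability=3,
              special_circumstances=1, threat=2, business_impact=2),
    Scorecard("payment-gateway", "finance-apps", criticality=5, vulnerability=2,
              special_circumstances=4, threat=5, business_impact=5),
]

if __name__ == "__main__":
    print(render_heatmap(SAMPLE_SCORECARDS))
    print(risk_posture(SAMPLE_SCORECARDS))
```

The validation in `__post_init__` and the duplicate check in `correlate` are the parts worth keeping whatever scoring model an organization actually adopts: a holistic view is only as good as the individual cards, so out-of-scale entries and assets scored by more than one owner should be sent back to the owners rather than absorbed into the summary.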

Citicus has created a risk management tool, Citicus ONE, which is based mainly on the FIRM assessment methodol...


FIRM is more popular outside of the U.S., while COBIT and OCTAVE are the more widely accepted approaches to IT governance and risk assessment.

I had difficulties accessing FIRM documentation, which leads me to believe you will need to contact Information Security Forum directly and most likely pay to become a member in order to access their documentation. You can contact them via Tel: +44 (0)20 7212 5346, or E-mail: becky.meyjes@securityforum.org or isfinfo@securityforum.org.

More Information:
  • Discover other available risk management tools.
  • Attend this on-demand webcast and learn other security management practices.

This was last published in September 2005.
