The short answer is: Whichever type most effectively communicates the risk to the organization's executives. As I mentioned in another risk assessment question, there are quite a number of different frameworks to choose from, such as FAIR, OCTAVE, SOMAP and the emerging ISO 27005 standard. At first blush, though, it seems that choosing a framework is a daunting task.
I'm going to let you in on one of the dirty secrets of the risk assessment world: It doesn't really matter which framework you use, as long as you apply the model consistently you will get similar results with each of the frameworks. The trick to deciding is to choose the one that most closely resembles the way your organization already does business, so that throughout the assessment the organization can leverage as many existing processes as possible, minimizing disruption to the business.
So for instance, if you work for a U.S. Federal government agency, then this choice has been made for you by the Federal Information Security Management Act of 2002 (FISMA), which points to NIST 800-30 for the process to follow. If you don't work for the U.S. government, then I recommend talking with your CIO, CRO, CFO or audit group to see if they have a preference toward or experience with any of the frameworks mentioned above; I'd recommend choosing a framework that many people in the organization have experience with, as it will make the entire process run more smoothly. This is also a prime opportunity to find out what sort of information the executives are interested in seeing and what format they'd like to see it in. If you do your homework right, when you come back to present your results, you will look even more effective.
For more information:
- What types of software can help a company perform a security risk assessment? Read more.
- Learn how to get information security buy-in from the executive team.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading