Risk Management Frameworks: A CISSP Guide to ISO, NIST, COBIT & More

Last Updated On: September 19, 2024

Cybersecurity professionals face a constant barrage of threats in today's digital landscape. As a CISSP candidate, you're preparing to join those who stand between these threats and the organizations they protect. One of your most powerful tools? Risk management frameworks.

Think of these frameworks as your toolbox for tackling cybersecurity challenges. While you don't need to be an expert in every framework for the CISSP exam, understanding the key players is crucial. This guide will walk you through four essential frameworks: NIST SP 800-37, COBIT, COSO, and ISO 31000.

By the end of this article, you'll have a better understanding of these frameworks, their core principles, and how they apply to real-world scenarios. Let's explore these important risk management tools!

What are Risk Management Frameworks?

Imagine you've just been appointed as a risk manager in a growing tech company. You're tasked with developing a comprehensive risk management program that identifies assets, assesses threats and vulnerabilities, and implements appropriate controls. Where do you start? This is where risk management frameworks come into play.

Risk management frameworks provide a structured approach to identifying, assessing, and mitigating risks within an organization. They offer best practices and step-by-step guidance on how to perform risk management activities, which controls to implement, and how to implement them effectively. In essence, these frameworks allow you to leverage the collective wisdom of industry experts and apply it to your organization's unique context.

These frameworks serve as roadmaps, helping organizations navigate the complex landscape of risk management. They provide a common language and methodology for addressing risks, ensuring that all stakeholders within an organization are on the same page. By following a recognized framework, you can be confident that you're not overlooking critical aspects of risk management and that your approach aligns with industry best practices.

Risk Frameworks Every CISSP Candidate Should Know

As a CISSP candidate, you'll encounter various risk management frameworks throughout your career. While the landscape of frameworks is vast, there are several that stand out due to their widespread adoption and relevance to information security. Let’s look at them:

NIST SP 800-37 (Risk Management Framework)

NIST SP 800-37, also known as the Risk Management Framework (RMF), is one of the most important risk management frameworks you'll encounter as a CISSP candidate. This guide describes the RMF and provides guidelines for applying it to information systems and organizations.

Understanding the RMF is critical, as it underpins just about every facet of operational security governance within an organization. The framework consists of seven steps, each playing a crucial role in the risk management process:

1. Prepare to execute the RMF
This includes identifying and assigning roles, establishing a strategy, performing a risk assessment, establishing baselines, and more.

2. Categorize information systems
In this step, information systems are identified, described, and categorized. It includes questions like “What do we have?”; “How do this system, its subsystems, and its boundaries fit into our organization’s business processes?”; “How sensitive is it?”; “Who owns it and the data within it?” The purpose of this step is to determine any potential adverse impacts to the confidentiality, integrity, and availability of organizational operations and assets.

3. Select security controls
After a risk assessment has been conducted, the next step is to select, tailor, document, monitor, and review the security controls that are needed to protect the information systems. Security controls protect the confidentiality, integrity, and availability of those systems and the information contained therein. Assurance provides evidence that the security controls within an information system are effective.

4. Implement security controls
Activities in this step are based entirely on the controls selected in step 3 and involve two key tasks:
1) implementing the selected controls; and
2) documenting the changes to the planned implementation of controls. This latter task is critical because it allows everybody to understand what controls exist. It also enables them to understand the controls in the context of the larger operational framework of the organization.

5. Assess security controls
This step involves assessing the security controls to determine if they are implemented correctly, operating as intended, and meeting the security and privacy requirements for the system and the organization. It requires the formulation of a comprehensive assessment plan that must be reviewed and approved.

6. Authorize the information system and controls
This step requires senior management to decide whether it’s acceptable to operate the system in question, given the potential risk, the controls, and the residual risk. In addition to determining whether the risk exposure is acceptable, senior management should review the plan of action related to the remaining weaknesses and deficiencies, that is, the residual risk. Finally, this authorization or approval is usually given for a set period of time that is often tied to milestones in the plan of action and milestones (POA&M), which facilitates tracking the status of failed controls.

7. Monitor the security posture of the information system
A continuous monitoring program allows an organization to maintain the security of an information system over time. It helps the organization adapt to changing threats, vulnerabilities, technologies, and business processes. The milestones from step 6 are a key component of this step.

During the monitoring step, questions like “Are the controls still effective?” and “Have new vulnerabilities developed?” are examined. Risk management can become near real-time using automated tools, although automated tools are not required. Automated monitoring helps detect configuration drift and other potential security incidents associated with unexpected changes to components and their configurations.
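The monitoring step above says automated tools can surface configuration drift and feed the POA&M. The following is an added illustration of that idea, not code from the article or from NIST: it fingerprints an approved baseline, diffs it against the currently observed settings of the same system, and turns every drift that touches a tracked control into a plan-of-action entry. All configuration data is constructed, and the mapping from settings to NIST SP 800-53 control identifiers (AC-6, IA-2, SC-7, CM-7) is an assumption chosen for the example; a real organization records its own mapping in the system security plan.

```python
"""Configuration drift check for the RMF monitoring step (added example).

Compares the security baseline approved at authorization time against the
system's current configuration, reports every deviation, and builds POA&M
entries for deviations that affect a tracked control. Data is constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Constructed sample: the approved baseline and the state observed later.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": "22"},
    "firewall": {"default_incoming": "deny", "allowed_ports": ["22", "443"]},
    "packages": {"openssl": "3.0.13", "sudo": "1.9.15"},
    "banner": {"motd": "Authorized use only"},
}
CURRENT = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": "22"},
    "firewall": {"default_incoming": "deny", "allowed_ports": ["22", "443", "8080"]},
    "packages": {"openssl": "3.0.13", "sudo": "1.9.15", "telnetd": "0.17"},
    "banner": {"motd": "Welcome"},
}

# Assumed mapping from settings to the SP 800-53 control they implement.
CONTROL_MAP = {
    "sshd.PermitRootLogin": "AC-6 Least Privilege",
    "sshd.PasswordAuthentication": "IA-2 Identification and Authentication",
    "firewall.default_incoming": "SC-7 Boundary Protection",
    "firewall.allowed_ports": "CM-7 Least Functionality",
}
# Any key under these sections maps to a control (e.g. unapproved packages).
SECTION_CONTROLS = {"packages": "CM-7 Least Functionality"}


def fingerprint(config: dict) -> str:
    """SHA-256 over canonical JSON; equal digests mean no drift at all."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def flatten(config: dict, prefix: str = "") -> dict:
    """Turn nested sections into dotted keys, e.g. 'sshd.PermitRootLogin'."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


@dataclass
class Drift:
    key: str
    expected: object
    actual: object
    kind: str      # "changed", "added" or "removed"
    control: str   # control the setting supports, or "" if untracked


def control_for(key: str) -> str:
    """Exact setting match first, then the section-wide rule."""
    return CONTROL_MAP.get(key) or SECTION_CONTROLS.get(key.split(".")[0], "")


def detect_drift(baseline: dict, current: dict) -> list[Drift]:
    """Every key whose value differs between the two flattened configs."""
    base, now = flatten(baseline), flatten(current)
    drifts = []
    for key in sorted(base.keys() | now.keys()):
        if key not in now:
            kind = "removed"
        elif key not in base:
            kind = "added"
        elif base[key] != now[key]:
            kind = "changed"
        else:
            continue
        drifts.append(Drift(key, base.get(key), now.get(key), kind, control_for(key)))
    return drifts


def poam_entries(drifts: list[Drift]) -> list[dict]:
    """POA&M rows for control-relevant drift; untracked settings are only logged."""
    entries = []
    for d in drifts:
        if not d.control:
            continue
        milestone = "remove unapproved item" if d.kind == "added" else "restore baseline value"
        entries.append({"weakness": f"{d.key} {d.kind}", "control": d.control,
                        "expected": d.expected, "observed": d.actual, "milestone": milestone})
    return entries


if __name__ == "__main__":
    print("baseline:", fingerprint(BASELINE)[:16], " current:", fingerprint(CURRENT)[:16])
    found = detect_drift(BASELINE, CURRENT)
    for d in found:
        print(f"{d.kind:8} {d.key}: {d.expected!r} -> {d.actual!r}  [{d.control or 'untracked'}]")
    print(json.dumps(poam_entries(found), indent=2))
```

Running the script flags four deviations but only three of them become POA&M rows; the changed login banner is reported but not tracked, which is the kind of prioritization the monitoring step relies on so that the authorizing official sees control failures rather than every change.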

As a CISSP candidate, you should be familiar with these seven steps of the NIST SP 800-37 RMF. While you don't need to memorize every detail, understanding the overall process and the purpose of each step will serve you well both in the exam and in your professional practice.


ISO 31000

ISO 31000 is a family of standards relating to risk management developed by the International Organization for Standardization (ISO). When preparing for the CISSP exam, it's important to be familiar with this standard as it provides a universal approach to managing risk that can be applied across various industries and organizations.

The primary purpose of ISO 31000 is to provide best practice structures and guidance to all organizations concerned with risk management. Unlike some other standards, ISO 31000 is not specific to any industry or sector, making it widely applicable across different types of risks and organizations.

Key aspects of ISO 31000 include:

  • Principles: The standard outlines eight principles for effective risk management, including the creation of value, being an integral part of organizational processes, and being tailored to the organization.
  • Framework: ISO 31000 provides a framework for integrating risk management into the organization's overall governance, strategy, and planning.
  • Process: The standard describes a systematic approach to managing risk, including risk assessment (identification, analysis, and evaluation), risk treatment, monitoring and review, and communication and consultation.
  • Continuous Improvement: ISO 31000 emphasizes the importance of continually improving the risk management framework based on results and experiences.
  • Flexibility: The standard is designed to be flexible, allowing organizations to adapt its guidelines to their specific needs and context.

While ISO 31000 doesn't provide specific requirements or controls like some other standards, it offers a comprehensive approach to risk management that can be integrated with other management systems.

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

COSO, which stands for the Committee of Sponsoring Organizations of the Treadway Commission, is a crucial framework that CISSP candidates should be familiar with. It's particularly important in the context of enterprise risk management (ERM).

COSO is a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. The COSO Enterprise Risk Management (ERM) framework provides several key elements that are valuable for risk management:

  • Definition of Essential Components: COSO ERM provides a definition of essential enterprise risk management components. This helps organizations understand what constitutes effective risk management at an enterprise level.
  • Principles and Concepts: The framework reviews important ERM principles and concepts. This gives organizations a solid foundation for understanding and implementing risk management practices.
  • Guidance: COSO provides direction and guidance for enterprise risk management. This practical aspect of the framework helps organizations implement ERM effectively.
  • Internal Control: While primarily focused on ERM, COSO also addresses internal control, which is closely related to risk management. The COSO Internal Control framework is widely used for designing and implementing internal controls.
  • Fraud Deterrence: COSO includes guidance on fraud deterrence, which is an important aspect of risk management, especially in financial and operational contexts.


The COSO ERM framework is designed to be flexible and adaptable, allowing organizations of various sizes and in different industries to apply its principles. It emphasizes the importance of considering risk in both the strategy-setting process and in driving performance.

For CISSP candidates, COSO offers a valuable perspective on how organizations approach risk management from a broader business standpoint. By grasping COSO's key components and overall approach, you'll be better equipped to understand and implement comprehensive risk management strategies in your professional role.

COBIT (Control Objectives for Information Technologies)

COBIT is a framework that plays a crucial role in IT governance and management. Developed by ISACA (Information Systems Audit and Control Association), COBIT is particularly useful for IT assurance activities such as conducting audits and gap assessments.

Here are some key aspects of COBIT that make it a powerful tool for risk management and IT governance:

  • Comprehensive Coverage: COBIT provides a comprehensive framework that covers 40 governance and management objectives across five domains, including risk management, information security, and compliance.
  • Alignment of IT and Business Goals: One of COBIT's primary strengths is its focus on aligning IT objectives with overall business goals. This alignment ensures that IT initiatives and controls support the organization's strategic objectives.
  • Risk Optimization: COBIT includes guidelines and practices for risk optimization, helping organizations balance the potential benefits of risk-taking with the consequences of risk realization.
  • Information Security Focus: While COBIT covers a broad range of IT management areas, it places significant emphasis on information security, making it particularly relevant for CISSP candidates.
  • Integration with Other Standards: COBIT is designed to complement and integrate with other IT standards and best practices, including ITIL for service management and ISO 27001 for information security.
  • Measurable Goals and Metrics: COBIT provides a framework for establishing measurable goals and metrics for IT processes, enabling organizations to assess and improve their IT governance continually.
  • Adaptability: The framework is flexible and can be tailored to fit organizations of different sizes and industries, making it widely applicable across various business contexts.

COBIT offers a structured approach to understanding how IT governance, risk management, and information security fit into the broader context of business management. By familiarizing yourself with COBIT's principles and approach, you'll gain a deeper understanding of how organizations can effectively manage IT-related risks while ensuring that IT initiatives deliver value to the business.

As you prepare for your CISSP exam and your future role in information security, consider how COBIT's principles can be applied to create robust IT governance structures that support effective risk management and security practices.

FAQs

What is the risk framework method?

The risk framework method is a structured approach to managing risk within an organization. It typically involves identifying, assessing, and prioritizing risks, followed by coordinated application of resources to minimize, monitor, and control the probability or impact of unfortunate events.

What are the 3 main types of risk?

The three main types of risk are strategic, operational, and financial. Strategic risks affect or are created by an organization's business strategy and objectives. Operational risks stem from inadequate or failed internal processes, people, and systems, or from external events. Financial risks are associated with the organization's financial structure, transactions, and finance systems.

What is the purpose of a risk framework?

The purpose of a risk framework is to provide a systematic and consistent approach to managing risk across an organization. It helps identify potential threats, assess their likelihood and impact, implement appropriate controls, and monitor the effectiveness of risk management efforts. By providing a structured approach, risk frameworks enable organizations to make informed decisions, allocate resources effectively, and improve their overall resilience to potential threats.

Strengthen Your Risk Management Foundation with Destination Certification

The CISSP exam doesn't demand encyclopedic knowledge of every risk management framework, but a solid grasp of key concepts is indispensable. Frameworks like NIST SP 800-37, COBIT, COSO, and ISO 31000 significantly impact how organizations approach risk management, making this knowledge vital for any security professional.

Destination Certification recognizes the importance of this foundational understanding. Our CISSP MasterClass is designed to give you just the right level of knowledge about risk management frameworks—comprehensive enough to pass your exam and apply in real-world scenarios, without overwhelming you with unnecessary details.

Ready to elevate your risk management skills? Join our CISSP MasterClass and transform your understanding of these critical tools. With Destination Certification, you'll be well-prepared to tackle risk management challenges in your CISSP journey and beyond.


John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.
