This report presents the results of desktop research and an analysis of currently used cybersecurity Risk Management (RM) frameworks and methodologies with the potential for interoperability. The identification of the most prominent RM frameworks and methodologies was based on a systematic survey of related risk management approaches adopted in different contexts (including industry, business, government, academia, etc.) at national, international and sectoral levels.
This collection of identified frameworks and methodologies includes well-known and widely used RM standards that provide high-level guidelines for risk management processes applicable to all types of organisations (e.g. ISO 27005; NIST SP 800-37, SP 800-30 and SP 800-39; BSI 100-3; OCTAVE S, Allegro and FORTE; Open FAIR, etc.); frameworks applied in specific regions (e.g. COSO Enterprise Risk Management, the Australian ACSC Security Manual); frameworks applied in specific sectors (e.g. IMO MSC, Guidelines on Cyber Security Onboard Ships); industry-oriented standards (e.g. NIST 800-82, ANSI/ISA-62443-3-2-2020); and more structured methodologies that follow specific phases or steps to implement RM processes (e.g. ETSI TVRA, MONARC, MAGERIT, EBIOS, EU ITSRM, CORAS, etc.).
This report also describes the main characteristics and features of each of the RM frameworks and methodologies identified. Based on this analysis, a basic set of interoperability features is derived. These comprise features such as the components of the risk management process (e.g. Risk Identification, Risk Assessment, Risk Treatment and Risk Monitoring); the type of approach to risk identification (asset-based or scenario-based); the type of approach to risk assessment (quantitative or qualitative); the method of risk calculation; and others.