CRISAM® Process model ///

THE METHOD IS BASED ON A 6-STEP MODEL

CRISAM® is based on a 6-step process model, also called a procedure model. By combining a top-down and a bottom-up approach, it provides a holistic view of strategy, organization, processes and infrastructure.


The CRISAM® PROCESS MODEL


This model is the core of the CRISAM® method and offers project managers and decision makers high added value when introducing, updating and further developing a risk management system.


Why? It serves as a guideline you can use to implement your enterprise-wide risk management process. The process model fulfills the requirements of the international standard ISO 31000 as well as the process steps required by the PDCA (Deming) cycle.

[Figure: CRISAM® process model mapped to PDCA]

Different methods (e.g. fault tree analysis, Monte Carlo simulation, etc.) are available for modeling and evaluating your risk models. From these you can select the ones best suited to your organization and your risk assessment in order to map the relevant departments or processes.

For the evaluation of your risks, a variety of modern analysis methods as well as a comprehensive set of customizable standard reports are available.

The CRISAM® process model applied to an ISMS project, as an example:

STEP 1 | FRAMEWORK CONDITIONS
  • The responsible management derives a risk policy on the basis of the corporate strategy.
  • The information security policy provides the framework within which the responsible management is to align IT security.
STEP 2 | SCOPE
  • Identification and documentation of possible damages resulting from loss of availability, confidentiality and integrity.
  • Result: plausible and comprehensible classification of possible IT-related damages
  • Classification based on previously defined threat classes of IT applications
  • Derivation of requirements for the company’s IT
STEP 3 | RISK ANALYSIS
  • Assessment of potential threats to the availability, confidentiality and integrity of the IT applications under consideration and of the data stored and/or processed in them
  • Creation of the tree structure of risk sources and qualitative, quantitative or semi-quantitative assessment
  • Result: model of the enterprise IT and a rating indicator
STEP 4 & 5 | RISK MANAGEMENT
  • The rating indicator from the risk analysis is weighted, and the actual value determined is compared with a target value from the information security policy.
  • Analysis of deviations (GAP analysis)
  • Result: list of all risk sources and creation of an action catalog
STEP 6 | IMPLEMENTATION OF MEASURES

The catalog of measures drawn up as part of the risk management process is grouped into implementation projects in the final “Implementation” step. The results of this step are project specifications together with cost, resource and time estimates, which serve as the basis for decision-making by the responsible management.
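To make steps 3 to 5 concrete, the following added example (not CRISAM® code, and not the method's own scoring) builds a small tree of risk sources with semi-quantitative ratings per protection goal, aggregates it bottom-up like a fault-tree OR gate (a parent is as exposed as its worst child), weights the result into a rating indicator, compares it against target values taken from an assumed information security policy (GAP analysis), and derives an action catalog of the leaf risk sources that breach a target. The 0..4 ordinal scale, the weights, the targets and the sample tree are all constructed for the example.

```python
"""Constructed example of a risk-source tree, rating indicator, GAP analysis
and action catalog. Scale, weights, targets and tree are assumptions."""
from dataclasses import dataclass, field

# The three protection goals the page's scope step names.
DIMENSIONS = ("availability", "confidentiality", "integrity")


@dataclass
class RiskSource:
    name: str
    # Leaf nodes carry a rating per dimension on an assumed ordinal scale
    # 0 (no exposure) .. 4 (critical). Inner nodes are rated from children.
    ratings: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def aggregate(node):
    """Bottom-up aggregation: a parent takes the worst (max) rating of its
    children per dimension, mirroring an OR gate in a fault tree."""
    if not node.children:
        return {d: node.ratings.get(d, 0) for d in DIMENSIONS}
    results = [aggregate(c) for c in node.children]
    return {d: max(r[d] for r in results) for d in DIMENSIONS}


def rating_indicator(node, weights):
    """Step 4: weight the aggregated rating per dimension (assumed weights)."""
    agg = aggregate(node)
    return {d: round(agg[d] * weights.get(d, 1.0), 2) for d in DIMENSIONS}


def gap_analysis(node, targets, weights):
    """Step 5: deviation of the actual (weighted) value from the policy target;
    only dimensions that exceed their target appear in the result."""
    actual = rating_indicator(node, weights)
    return {d: round(actual[d] - targets[d], 2)
            for d in DIMENSIONS if actual[d] > targets[d]}


def list_risk_sources(node, path=()):
    """Flatten the tree into (path, aggregated ratings) for every node."""
    here = path + (node.name,)
    out = [(" / ".join(here), aggregate(node))]
    for c in node.children:
        out.extend(list_risk_sources(c, here))
    return out


def leaves(node, path=()):
    here = path + (node.name,)
    if not node.children:
        yield " / ".join(here), node
    for c in node.children:
        yield from leaves(c, here)


def action_catalog(node, targets, weights):
    """One action per leaf risk source and dimension whose weighted rating
    breaches the policy target; these are grouped into projects in step 6."""
    actions = []
    for path, leaf in leaves(node):
        for d in DIMENSIONS:
            actual = round(leaf.ratings.get(d, 0) * weights.get(d, 1.0), 2)
            if actual > targets[d]:
                actions.append({
                    "risk_source": path, "dimension": d,
                    "actual": actual, "target": targets[d],
                    "measure": f"reduce {d} exposure of '{leaf.name}' "
                               f"by {actual - targets[d]:g}",
                })
    return actions


# Constructed sample input: a tiny enterprise-IT model with three leaf risks.
SAMPLE_TREE = RiskSource("Enterprise IT", children=[
    RiskSource("ERP application", children=[
        RiskSource("Single database server",
                   ratings={"availability": 4, "confidentiality": 2, "integrity": 3}),
        RiskSource("Shared admin account",
                   ratings={"availability": 1, "confidentiality": 4, "integrity": 3}),
    ]),
    RiskSource("Mail system", children=[
        RiskSource("No offsite backup",
                   ratings={"availability": 3, "confidentiality": 1, "integrity": 2}),
    ]),
])
# Assumed policy targets and weighting (availability deliberately down-weighted).
TARGETS = {"availability": 2.0, "confidentiality": 2.0, "integrity": 2.5}
WEIGHTS = {"availability": 0.5, "confidentiality": 1.0, "integrity": 1.0}

if __name__ == "__main__":
    print("rating indicator:", rating_indicator(SAMPLE_TREE, WEIGHTS))
    print("gaps:", gap_analysis(SAMPLE_TREE, TARGETS, WEIGHTS))
    for path, agg in list_risk_sources(SAMPLE_TREE):
        print(f"  {path}: {agg}")
    for a in action_catalog(SAMPLE_TREE, TARGETS, WEIGHTS):
        print("action:", a["measure"])
```

The OR-gate aggregation is the simplest fault-tree rule; a real model would add AND gates for redundant components and may use probabilities rather than ordinal ratings. Keeping the gap calculation and the action catalog separate reflects the page's distinction between the rating indicator (a management-level view) and the per-source measures that step 6 turns into projects.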


Quality and continuity are guaranteed by two test cycles

Advantages
  • Continuous improvement through the cyclic flow of the individual process steps
  • Adjustments due to changes in strategy or technological changes can be carried out quickly

With the implemented test cycles of CRISAM® you simultaneously implement the “Plan-Do-Check-Act” (PDCA) cycle of ISO 31000 required for standard-compliant management systems.

The cascaded control cycles let your risk management react on all three levels to:

  • technological changes
  • changes in threat profiles
  • strategic repositioning of the company

Further topics ///

THERE’S A FIRE – HOW WELL PROTECTED IS YOUR DATA?

In light of the recent fire at the cloud operator OVH, we recommend that every company take a close look at the topic of cloud outsourcing, because the consequences can be painful, and an investment in information security that is saved at one end can be expensive at the other. It is therefore worth taking a closer look at a few points in good time. You can find out what these are in this article.

THE ISMS AS A SUCCESS FACTOR FOR SECURE OT OPERATIONS

The current events around the COVID crisis and the almost daily news about "hacked" companies show us all how important the secure operation of (critical) infrastructures is.

HOW TO GET CALMLY THROUGH THE IDW PS 340 N.F. AUDIT

A revised auditing standard was published on January 1, 2021. How do you get calmly through the IDW PS 340 n.F. audit with CRISAM®? Take advantage of this opportunity and expand the capabilities of your corporate planning...

Content Release March 2021

Comprehensive new content in the CRISAM® Knowledge Packs in the areas of ISMS, SCADE, KRITIS, B3S, VDA-TISAX and Legal Essentials.

REVIEW OF THE FIRST CRISAM® COMMUNITY TALK

Tuesday, 2/23/2021 was the day. The first CRISAM® Community Talk took place online and the turnout was fantastic. Numerous participants from a wide range of industries took a day to exchange ideas among Risk Management experts.

CRISAM® Enterprise Server

With the CRISAM® Enterprise Server several users can work on the same project at the same time. The data is stored on a Microsoft SQL server. In addition, a flexible role and user management...