Ben Tomhave

A member of the Gartner Blog Network

Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.


New Research on IT Risk Assessment and Analysis Methods

by Ben Tomhave  |  February 3, 2014  |  2 Comments

I’m pleased to announce that our new paper, “Comparing Methodologies for IT Risk Assessment and Analysis,” is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.

Summary:

“Technical professionals are often asked to research, recommend, implement and execute IT risk assessment and analysis processes. Here we compare and contrast common methodologies, highlighting attributes that readily integrate with risk management programs, as well as scale and evolve over time.”

Methods compared: FAIR, ISACA COBIT 5, ISF IRAM, ISO/IEC 31000:2009, MAGERIT, NIST SP 800-30, OCTAVE Allegro, and RiskSafe by Platinum Squared Technologies (it’s a SaaS-based approach)

[Image: method-breakdown]

Most surprising finding: all of the risk assessment methods (we did differentiate between assessment and analysis), with the possible exception of COBIT 5, are converging on ISO 31000. As a result, there is a great deal of parity between the approaches, which makes choosing one easier or harder depending on one’s sensitivities.

In terms of guidance for clients on selecting an approach, we’ve provided several recommendations in the paper to help make the process easier. We hope you’ll find that to be the case!


Category: Research, Risk Management

2 responses

  • 1 Peter Oconor   February 4, 2014 at 5:43 pm

    I cannot find the document on the Gartner website. Do you need to be a paying member to be able to download it?

    Thanks,
    Peter

  • 2 Ben Tomhave   February 4, 2014 at 6:04 pm

    Hi Peter,

    Yes, that’s correct, you need a “Gartner for Technical Professionals” (or legacy Burton Group) subscription to access the document. Apologies if that wasn’t clear in my blog post. If you’re interested, please send me an email (ben(dot)tomhave(at)gartner(dot)com) and I can forward to Sales for follow-up.

    Thank you,

    -ben
