I’m pleased to announce that our new paper, “Comparing Methodologies for IT Risk Assessment and Analysis,” is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.
“Technical professionals are often asked to research, recommend, implement and execute IT risk assessment and analysis processes. Here we compare and contrast common methodologies, highlighting attributes that readily integrate with risk management programs, as well as scale and evolve over time.”
Methods compared: FAIR, ISACA COBIT 5, ISF IRAM, ISO/IEC 31000:2009, MAGERIT, NIST SP 800-30, OCTAVE Allegro, and RiskSafe by Platinum Squared Technologies (a SaaS-based approach).
Most surprising finding: all of the risk assessment methods (we did differentiate between assessment and analysis), with the possible exception of COBIT 5, are converging on ISO 31000. As such, there is incredible parity between approaches, which means choosing an approach can be easier or harder depending on one’s sensitivities.
In terms of guidance for clients on selecting an approach, we’ve provided several recommendations in the paper to help make the process easier. We hope you’ll find that to be the case!