Gartner Blog Network

New Research on IT Risk Assessment and Analysis Methods

by Ben Tomhave  |  February 3, 2014  |  2 Comments

I’m pleased to announce that our new paper, “Comparing Methodologies for IT Risk Assessment and Analysis,” is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.


“Technical professionals are often asked to research, recommend, implement and execute IT risk assessment and analysis processes. Here we compare and contrast common methodologies, highlighting attributes that readily integrate with risk management programs, as well as scale and evolve over time.”

Methods compared: FAIR, ISACA COBIT 5, ISF IRAM, ISO/IEC 31000:2009, MAGERIT, NIST SP 800-30, OCTAVE Allegro, and RiskSafe by Platinum Squared Technologies (it’s a SaaS-based approach)


Most surprising finding: all the risk assessment methods (we did differentiate between assessment and analysis), with the possible exception of COBIT 5, are converging on ISO 31000. As a result, there is incredible parity between the approaches, which means choosing one can be easier or harder depending on the particular concerns an organization is sensitive to.

In terms of guidance for clients on selecting an approach, we’ve provided several recommendations in the paper to help make the process easier. We hope you’ll find that to be the case!


Category: research  risk-management  

Tags: analysis  assessment  methods  risk  

Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.

Thoughts on New Research on IT Risk Assessment and Analysis Methods

  1. Peter Oconor says:

    I cannot find the document on the Gartner website. Do you need to be a paying member to be able to download it?


    • Ben Tomhave says:

      Hi Peter,

      Yes, that’s correct, you need a “Gartner for Technical Professionals” (or legacy Burton Group) subscription to access the document. Apologies if that wasn’t clear in my blog post. If you’re interested, please send me an email (ben(dot)tomhave(at)gartner(dot)com) and I can forward to Sales for follow-up.

      Thank you,

