Gartner Blog Network

NIST Cybersecurity Framework Supports Use of IRM

by John A. Wheeler  |  January 9, 2017  |  Submit a Comment

2017 brings a new focus and urgency to improving cybersecurity at all levels of our society. While a fierce debate rages in Washington, DC over the cyber-intrusion impact on the US presidential election results, our clients are working to strengthen their risk management programs to propel their businesses forward in a safe and profitable way. Many of our clients are utilizing the NIST Cybersecurity Framework (CSF) to guide their efforts.

A key component of the NIST CSF is the use of “implementation tiers” to determine the level of sophistication required to appropriately mitigate cybersecurity risks through an “Integrated Risk Management (IRM) Program”. According to the NIST CSF, “the tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” Below is a summary of the NIST CSF related IRM characteristics supporting each implementation tier.

Tier 1: Partial

There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.

Tier 2: Risk Informed

There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.

Tier 3: Repeatable

There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.

Tier 4: Adaptive

There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

Gartner also recommends an integrated risk management (IRM) approach to build and sustain successful risk management programs. Under the Gartner definition, IRM focuses on six attributes within three key dimensions of framework, metrics and systems:

  • Framework —
    • Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership;
    • Assessment: Identification, evaluation and prioritization of risks;
    • Response: Identification and implementation of mechanisms to mitigate risk
  • Metrics —
    • Communication and reporting: Provisioning of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
  • Systems —
    • Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives, and the effectiveness of risk mitigation and controls;
    • Technology: Design and implementation of an IRM solution (IRMS) architecture

Our recently published “Risk Management Program Primer for 2017” (available with Gartner subscription) details how companies can incorporate frameworks like NIST CSF into the development of a successful IRM program. In addition, you can discover more about our risk management research agenda and areas of focus for the upcoming year.


Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: audit-and-risk  business-continuity-management  cyber-risk  cyber-security  cyberinsurance  digital-risk  enterprise-risk-management  enterprise-risk-management-program-management  integrated-risk-management  irm  it-risk-management  operational-risk-management  risk-assessment-process-and-methodologies  risk-coverage  risk-management  risk-response-strategies  security  security-of-applications-and-data  technology-and-emerging-trends  

Tags: cybersecurity  nist  risk-management  

John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler Read Full Bio

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.