I’m pleased to announce that our new paper, “Comparing Methodologies for IT Risk Assessment and Analysis,” is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.
Summary:
“Technical professionals are often asked to research, recommend, implement and execute IT risk assessment and analysis processes. Here we compare and contrast common methodologies, highlighting attributes that readily integrate with risk management programs, as well as scale and evolve over time.”
Methods compared: FAIR, ISACA COBIT 5, ISF IRAM, ISO/IEC 31000:2009, MAGERIT, NIST SP 800-30, OCTAVE Allegro, and RiskSafe by Platinum Squared Technologies (it’s a SaaS-based approach)
Most surprising finding: all the risk assessment methods (we did differentiate between assessment and analysis), with possible exception of COBIT 5, are converging on ISO 31000. As such, there’s incredible parity between approaches, which means choosing an approach can be easier or harder depending on one’s sensitivities.
In terms of guidance for clients on selecting an approach, we’ve provided several recommendations in the paper to help make the process easier. We hope you’ll find that to be the case!