Feb 25 2021

How FAIR & ISO 27001 Work Together

Category: ISO 27k,Security Risk AssessmentDISC @ 11:43 am

We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.

The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.

The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.

Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.

Source: How FAIR & ISO 27001 Work Together

Measuring and Managing Information Risk: A FAIR Approach

Tags: FAIR, Quantitative Cyber Risk Management

2 Responses to “How FAIR & ISO 27001 Work Together”

  1. Significance of risk management in cyber insurance to determine premium says:

    […] pricing models that provide quantifiable probabilistic estimates of potential losses based on Fair methodology, the vast majority of insurers still continue to use scenario-based approaches for estimating the […]

  2. ISO 27001 vs. ISO 27002: What’s the difference? says:

    […] How FAIR & ISO 27001 Work Together […]

Leave a Reply

You must be logged in to post a comment. Login now.