We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.
The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.
The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.
Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.
Source: How FAIR & ISO 27001 Work Together
Measuring and Managing Information Risk: A FAIR Approach
May 11th, 2021 3:33 pm
[…] pricing models that provide quantifiable probabilistic estimates of potential losses based on Fair methodology, the vast majority of insurers still continue to use scenario-based approaches for estimating the […]
August 3rd, 2021 12:23 pm
[…] How FAIR & ISO 27001 Work Together […]