A Framework For Aligning Information Security Risk Management Methods With It Governance Recommendations

Organisations are under constant pressure from governments and industry to implement risk management methods. There are various information security risk management methods available that organisations can implement, and each has different approaches to identifying, measuring, controlling and monitoring the information security risks. Organisations find it difficult to select an information security risk management method; therefore there is a need for an objective comparative framework to evaluate information security risk management methods. This article provides a comparative framework based on CobiT’s Planning and Organisation Control Nine, Assess Risks, which can be used as evaluation criteria for information security risk management methods. Three prominent methods are evaluated using this comparative framework. The evaluated methods’ strengths and weaknesses as identified through the comparative framework are highlighted. This comparative framework provides an objective evaluation method to determine whether or not an information security risk management method is in line with information technology governance.