Inventory of Risk Management / Risk Assessment Methods

ENISA has generated an inventory of Risk Management / Risk Assessment methods. A total 13 methods have been considered. Each method in the inventory has been described through a template. The template used consists of 21 attributes that describe characteristics of a method.

The methods considered have been selected by the ENISA ad hoc Working Group on technical and policy aspects of Risk Assessment and Risk Management [ENISA-WG]. The inventory of methods is not exhaustive. Due to the composition of the ENISA Working Group (experts from eight EU member states) as well as the time available, only a limited number of methods were addressed. Therefore, these pages do not contain a complete list of methods and standards dealing with IT risks.

Specific methods were deliberately excluded from the survey:

  • High-level reference documents: documents like the ISO Guide 73 are not taken into consideration.
  • Non-RA/RM methods: methods that are not classified as RA or RM oriented, according to the definitions used.
  • Unknown methods: some methods could not be investigated, because relevant documentation was not available to the members of the working group at the time of the inventory development. In the mean time, this shortcoming might be overcome by newer method submissions.
  • General management oriented (i.e. corporate governance) methods: for example Cobit, Basel II have been excluded due to this reason.
  • Product or system security oriented methods: for example Common Criteria is excluded for this reason.

However, as the inventory is an open list, additional methods will be included in the future. For this purpose, ENISA is currently developing a process for submission of additional methods through standardization bodies/vendors, etc., as well as a process to update existing inventory entries.

The information included in the inventory of methods has been assessed by the experts of the ENISA Working Group in 2005 and reflects the status of the assessed methods at that time. In cases of newer releases it might be the case that some of the method properties described in the templates do not correspond to the current version. Through recurring assessments this information will be permanently updated.