ISF Methods

Published under Risk Management

ISF methods for risk assessment and risk management

Product identity card

General information
Basic information to identify the product

Method or tool name : ISF products concerning RA/RM refer often to each other and can be used complementarily. Such products are: 1)The Standard of Good Practice for Information Security 2) FIRM (Fundamental Information Risk Management) and the revised FIRM Scorecard 3) ISF's Information Security Status Survey 4) Information Risk Analysis Methodologies (IRAM) project 5) SARA (Simple to Apply Risk Analysis) 6) SPRINT (Simplified Process for Risk Identification)
Vendor name : Information Security Forum (ISF). ISF is an international association of over 260 leading companies and public sector organisations
Country of origin : International ISF members

Level of reference of the product
Details about the type of initiator of the product

Private sector organisation / association : ISF member organisations

Specify the phases this method supports and a short description

R.A. Method phases supported

  • Risk identification : (IRAM, SARA, SPRINT)
  • Risk analysis : (IRAM, SARA, SPRINT)
  • Risk evaluation : (IRAM, SARA, FIRM Scorecard) : As a part of the IRAM project in the phase 1 "Business Impact Assessment" SARA, phase 4, step 4.1 "Analyse security exposures" The FIRM Scorecard collects information about criticality, vulnerabilities, level of threat connected to information resources and assesses the out coming business impact. Parts of the IRAM project such as the Business Impact Reference Table (BIRT) and relevant information from the Survey such as incident information are included in the Scorecard as well.

R.M. Method phases supported

  • Risk assessment (FIRM Scorecard, SARA, SPRINT)
  • Risk treatment (The Standard of Good Practice) : The Standard of Good Practice provides a set of high-level principles and objectives for information security together with associated statements of good practice (controls).
  • Risk acceptance (The Standard of Good Practice)
  • Risk communication (FIRM) : FIRM, Part 5 "Coherent roles and reporting lines"

Brief description of the product

  • The Standard of Good Practice provides a set of high-level principles and objectives for information security together with associated statements of good practice. They can be used to improve the level of security in an organization in a number of ways.
    The Standard of Good Practice is split into five distinct aspects, each of which covers a particular type of environment. These are:
    • Security Management (enterprise-wide)
    • Critical Business Applications
    • Computer Installations (‘Information Processing’ in previous versions)
    • Networks (‘Communications Networks’ in previous versions)
    • Systems Development
    FIRM is a detailed methodology for the monitoring and control of information risk at the enterprise level. It has been developed as a practical approach to monitoring the effectiveness of information security. As such it enables information risk to be managed systematically across enterprises of all sizes. It includes comprehensive implementation guidelines, which explain how to gain support for the approach and get it up and running. The Information Risk Scorecard is an integral part of FIRM. The Scorecard is a form used to collect a range of important details about a particular information resource such as the name of the owner, criticality, level of threat, business impact and vulnerability.
    The ISF’s Information Security Status Survey (the Survey) is a comprehensive Risk Management tool that evaluates a wide range of security controls used by organizations to control the business risks associated with their IT-based information systems.
    SARA is a detailed methodology for analyzing information risk in critical information systems. It consists of 4 phases:
    • Planning
    • Identify Business Requirements for Security
    • Assess Vulnerability and Control Requirements
    • Report
    SPRINT is a relatively quick and easy-to-use methodology for assessing business impact and for analyzing information risk in important but not critical information systems. The full SPRINT methodology is intended to be applied to important, but not critical, systems. It complements the Forum’s SARA methodology, which is better suited to analyzing the risks associated with critical business systems.
    SPRINT first helps decide the level of risk associated with a system. After the risks are fully understood, SPRINT helps determine how to proceed and, if the SPRINT process continues, culminates in the production of an agreed plan of action for keeping risks within acceptable limits. SPRINT can help:
    • identify the vulnerabilities of existing systems and the safeguards needed to protect against them;
    define the security requirements for systems under development and the controls needed to satisfy them.


Date of the first edition, date and number of actual version

Date of first release : Different dates for different ISF products
Date and identification of the last version : The Standard of Good Practice for Information Security: newest version in 2005. The ISF's Information Security Status Survey: newest version in 2005. FIRM: newest version in 2005.

Useful links
Link for further information

Official web site : Available only to ISF Members at
User group web site : N/A
Relevant web site : N/A

List the available languages that the tool supports

Availability in European languages : English

Specify the price for the method

  • Not free, Membership required


Page top


Target organisations
Defines the most appropriate type of organisations the product aims at

  • Government, agencies
  • Large companies
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : N/A

Geographical spread
Information concerning the spread of this tool

Used in EU member states : Many
Used in non-EU member states : Many

Level of detail
Specify the target kind of users

  • Management
  • Operational
  • Technical


License and certification scheme
Specify the licensing and certification schemes available for this method

Recognized licensing scheme : No
Existing certification scheme : No

Page top

Users viewpoint

Skills needed
Specify the level of skills needed to use and maintain the solution

  • To introduce : Specialist
  • To use : Specialist
  • To maintain : Specialist


Consultancy support
Specify the kind of support available

Consultancy : No

Regulatory compliance
There is a given compliance of the product with international regulations

  • N/A


Compliance to IT standards
There is a compliance with a national or international standard


Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Availability : No

Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security

It is possible to measure the I.S.S. maturity level : No

Tools supporting the method
List of tools that support the product

Non commercial tools

  • ISF provides a variety of tools (Excel tables, lists and forms) for these products. These tools are available for ISF members only.

Commercial tools

  • N/A


Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools

Tools can be integrated with other tools : No

Organisation processes integration
The method provides interfaces to existing processes within the organisation

Method provides interfaces to other organisational processes : Under development

Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.

Method allows use of sector adapted databases : No

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more