Template of Risk Management - Risk Assessment Methods

Published under Risk Management

[method name]

Product identity card

General information
This attribute holds basic information to identify the product. The information provided here contains the name of the product, the company or cross-frontier organization that provides the product and the country of origin (in case the product originated from a company or national organization).

Method or tool name :
Vendor name :
Country of origin :


Level of reference of the product
Details about the type of initiator of the product, such as: (a) National Standardization body, (b) International Standardization body, (c) Private sector organization / association or (d) Public / government organization.



Method: primarily a set of consistent documents stating how to conduct Risk Assessment (RA) or Risk Management (RM), not requiring the installation of an application on a computer.
When standard: specify whether it was issued by a national or international body. A brief description of the product is given.
The number of bullets used in the phase attributes below varies from none to three; it specifies the degree to which the considered product fulfils that phase.

R.A. Method phases supported

  • Risk identification :
  • Risk analysis :
  • Risk evaluation :

R.M. Method phases supported

  • Risk assessment :
  • Risk treatment :
  • Risk acceptance :
  • Risk communication :

Brief description of the product



Date of the first edition, date and number of actual version

Date of first release
Date and identification of the last version :


Useful links
Official web site: hyperlink to the site of the originator/provider of the product, where to download the product or order it.
Related user group web site: hyperlink to the web site of the user group (if any) for the product.
Main relevant web site: web site that offers relevant and neutral information concerning the product.

Official web site :
User group web site :
Relevant web site :


Languages available: the first occurrence gives the language that was used to develop the product. Other occurrences are languages in which the product is available within the European Union.

Availability in European languages :


Free: the solution is free of charge.
Not free: the price to buy or the yearly fee (this also includes membership fees to acquire access to the product, e.g. ISO standards).
Updating fee: the yearly fee for updates.




Target organisations
Defines the most appropriate type of organisations the product aims at:
Governments, agencies: the product is developed by organizations working for a state (e.g. a national information security authority).
Large companies: the product is useful for companies with more than 250 employees.
SME: the product is useful for small and medium size companies that cannot afford dedicated Risk Management personnel or complete segregation of duties.
Commercial companies: the product is targeted to companies that have to implement it due to commercial demands from stakeholders, financial regulators, etc.
Non-profit: organizations where commercial benefits are not essential, such as NGOs, the health sector, public services, etc.
Specific sector: the product is dedicated to a very specific sector (e.g. nuclear, transportation) and usually cannot be used in other sectors.


Specific sector :


Geographical spread
Used in EU member states: list of EU member states in which implementation is known by working group members. This includes organizations such as European institutions (e.g. European Commission, European Union Council, European agencies) or international organizations located in Europe (e.g. NATO, UNO, OECD, UNESCO).
Used in non-EU countries: used within potential new member states of the European Union or outside the EU (e.g. Switzerland or USA).

Used in EU member states :
Used in non-EU member states :


Level of detail
The targeted kind of users is:
Management level: generic guidelines.
Operational level: guidelines for implementation planning with a low level of detail.
Technical level: specific guidelines concerning technical, organizational, physical and human aspects of IT Security with a high level of detail.



License and certification scheme
Recognized licensing scheme: there is a recognized scheme for consultants/firms attesting their mastery of the method.
Existing certification scheme: an organization may obtain a certificate stating that it has fully and correctly implemented the method on its information systems.

Recognized licensing scheme :
Existing certification scheme :


Users viewpoint

Skills needed
Three types of skills are considered:
To introduce (the skills needed to understand the dependencies among the specific details of the product, e.g. different concepts supported, phases, activities etc.),
To use (the specific qualifications needed in order to perform current work, e.g. documentation easy to understand and use),
To maintain (the specific qualifications needed to maintain the life cycle of the product, e.g. to customize, tailor or perform regular updates).
For each type, the level of skills is classified according to the following scale:
Basic level: common sense and experience.
Standard level: some days or weeks of training are sufficient.
Specialist level: thorough knowledge and experience is required.

  • To introduce :
  • To use :
  • To maintain :


Consultancy support
Whether external help (consultancy) is necessary in order to apply the product. In such cases, whether the product is open to any consultant on the market or bound to a specific category of consultants (e.g. licensed).

Consultancy :


Regulatory compliance
Whether the product complies with international regulations (e.g. Basel II, Sarbanes Oxley Act).



Compliance to IT standards
Whether the product complies with a national or international standard (e.g. ISO/IEC IS 13335-1, ISO/IEC IS 15408).



Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Availability :


Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security (e.g. through a reasoned best practice document).

It is possible to measure the I.S.S. maturity level :


Tools supporting the method
List of tools that support the product (commercial tools as well as non-commercial ones). If relevant, the organizations/sectors that can obtain the tool for free are mentioned.

Non commercial tools


Commercial tools



Technical integration of available tools
Whether particular supporting tools can be integrated with other tools (e.g. CERT tools).

Tools can be integrated with other tools :


Organisation processes integration
Whether the method provides interfaces to existing processes within the organization (e.g. project management, procurement, etc.).

Method provides interfaces to other organisational processes :


Flexible knowledge databases
Whether it is possible to adapt a knowledge database to the specific activity domain of the company.

Method allows use of sector adapted databases :
