
    Getting Started

    Contents

    1. Workflow
    2. Impact Ratings
    3. Business Impact Reference Table (BIRT)
    4. Information Assets
    5. Components
    6. Threat Library
    7. Common Threat List (CTL)
    8. Threat Profile Reference Table (TPRT)
    9. Control Library
    10. Control Relevance Table (CRT)
    11. Threat Event Catalogue (TEC)
    12. Risk Appetite Matrix
    13. Action List
    14. Assessment Tracker

    Workflow

    The Getting Started form provides a base for creating a central set of libraries, so that repetition of data is greatly reduced. These libraries can be reused across multiple assessments, and they are the basis of how your organisation assesses risks, threats and their impact. The workflow is as follows:

    Workflow_snippet.png

    Reference Forms

    Impact Ratings

    The Impact Ratings form is the standard scale by which your organisation can consistently assess the various elements of the IRAM assessment. It is fully adjustable to any preferred scale. As standard, impacts are rated from Negligible to High (0 to 3).

    These impact ratings will be used throughout the IRAM2 assessment such as in the Business Impact Assessment, Threat Profiling, Risk Appetite and Risk Registers. The only exceptions are the Control Relevance Table and the Control Strength which will use fixed scales as determined by the ISF.

    1. Local Ratings: This is a free text field where you can name the level of impact – by default these are “Negligible”, “Low”, “Moderate” and “High”. These can be changed to match your current impact ratings.
    2. Score: This is a value field where you can input the score for the impact rating – the higher the score, the bigger the impact. These can be changed to match your current impact ratings.
    3. Colour: This is the colour of your risk and is a multi-select field. When selected, this will look as follows:

    The colours White, Grey, Dark Grey and Black are also available.
    4. New Row: To insert a new row for a new local impact rating, click on the  icon and choose “Insert After”:

    When first reviewing the impact ratings, the default ratings should be adjusted to mirror your organisation’s current risk assessment impact structure. These ratings can be modified simply by editing each field directly on the form. The scale can also be changed by removing or adding rows, as detailed in item 4. Up to 10 different impact ratings can be defined.

    NB: Changing this scale will also affect existing assessments. This is intentional, so that they can be updated in line with the new scale.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Business Impact Reference Table (BIRT)

    The BIRT should be used to provide detail on what the different levels of impact look like for different impact categories, in terms of impact to your business. The impact categories should be customised to suit your business. By default, it lists the standard ISF IRAM2 Impact Categories.

    Further details on the Business Impact Reference Table (BIRT) can be found on page 22 of the ISF’s IRAM2 Methodology document.

    BIRT_annotated.png

    1. Local Ratings: These are the local ratings you have chosen on the Impact Ratings sheet.
    2. Impact Category: These are the different types of impact which may occur within your business – by default these are “Financial”, “Operational”, “Legal and Regulatory Compliance”, “Reputational” and “Health and safety”.
    3. Definitions: These are free text fields where you describe what each level of impact involves for each impact category.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Information Assets

    Information assets within your business are defined as information which adds value to your business. As such, the Information Assets form is a list of the different information assets within your business, with details about each of them. Unlike the majority of the Getting Started content, this section will need to be defined from scratch, as it is entirely specific to your organisation.

    Further details on identifying information assets can be found on page 19 of the ISF’s IRAM2 Methodology document.

    Information_Assets_annotated.png

    1. Information Asset: A free text field where you can input the name of one of your company’s information assets.
    2. Maximum Acceptable Outage (MAO): This is the total amount of time your company can tolerate the information asset being unavailable. This is a drop-down list with the options “1 hour”, “5 hours”, “1 day”, “5 days” or “1 week”.
    3. Recovery Time Objective (RTO): This is the target time within which an information asset must be restored. This is a drop-down list with the options “30 min”, “3 hours”, “18 hours”, “3 days” or “5 days”.
    4. Recovery Point Objective (RPO): This is the target level of restoration of the information asset after a data loss, for example the age of back-up to restore to. This is a drop-down list with the options “1 hour”, “1 day”, “1 week”, “1 month” or “2 months”.
    5. Minimum Acceptable Service Level (MASL): This is the minimum service level that the information asset needs to be running at. This is a drop-down list with the options “<98%”, “99%”, “99.9%”, “99.99%” or “99.999%”.
    6. Comment: This is a free text field where you can record useful information about the information asset, such as supplementary comments about the MAO, RTO, RPO or MASL.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Components

    The Components form consists of a list of all the infrastructure, system and/or network components which relate to the information assets identified in the previous chapter. As with the Information Assets, this section will need to be defined from scratch, as it is entirely specific to your organisation.

    For components related to multiple information assets, list the component multiple times, once for each related information asset.

    Components_annotated.png

    1. Components: This is a free text field where you can describe a component that relates to an information asset, such as a server or database.
    2. Information Assets: This is a reference to the Information Assets form, where you choose the information asset that relates to the component described. Please note that if a component relates to more than one information asset, a new row needs to be created for each information asset relationship.
    3. Comments: This is a free text field where you can input more detail about the relationship between the component and the information asset, for example how this is maintained, and more information about the component such as its storage location.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Threat Library

    The Threat Library is a list of every threat which may be considered against your business. This can be filled in with the customised list of threats that your business may encounter. By default, it lists the standard ISF IRAM2 Threats.

    Threat_Library_annotated.png

    1. Threat: This is a free text field where you can input a type of threat your company may face. These may be external, internal, deliberate or unintentional.
    2. Description: This is a free text field where you can describe the threat in more detail, such as how it might occur.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Common Threat List (CTL)

    The Common Threat List (CTL) organises the Threats from the threat library into one of three main categories: Adversarial, Accidental and Environmental. This enables a standardised approach to the Threat Profiling with Attributes aligned to each group. The Origin is also defined here, determining whether the threat is internal, external or both. By default, it lists the standard ISF IRAM2 Threats by Groups.

    CTL_annotated.png

    1. Threat Category: These are the section headers, which are the different classifications of the threats – the sections available are “Adversarial”, “Accidental” and “Environmental”.
    2. Threat: This is a reference field to your Threat Library, where you pick which threat goes in each category.
    3. Origin: This is where the threat may originate from – either from external sources, from sources internal to your company, or both.
    4. Threat Group: This is an automatically populated field which depends on which threat section you have added the row to.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Threat Profile Reference Table (TPRT)

    The Threat Profile Reference Table (TPRT) lists the Threat Attributes used to undertake the Threat Profiling in Phase C of an assessment.

    Each attribute relates to one of the three threat groups (Adversarial, Accidental and Environmental) and lists the threshold for each impact rating to assess it against. Each attribute contributes to either the Likelihood of Initiation (LoI) or the Threat Strength (TS), though this can be modified by changing the values in fields #6 and #7. By default, it lists the standard ISF IRAM2 Threat Attributes.

    More details about threat profiling are available on page 27 of the ISF’s IRAM2 Methodology document.

    TPRT_annotated.png

    1. Threat Group: This is a drop-down selection of the type of threat you’re considering – as in the Common Threat List sections, this has the options “Adversarial”, “Accidental” and “Environmental”.
    2. Threat Attribute: This is a free text field where you can input which threat attribute you are considering in the row, for the chosen threat group. More ISF guidance on the types of attribute is available in the ISF's IRAM2 Methodology document.
    3. Question: This is a free text field where you can input a question in relation to the threat attribute. More ISF guidance on the types of attribute is available in the ISF's IRAM2 Methodology document.
    4. Guidance: This is a free text field with guidance about the threat attribute and the question. With the IRAM2 build out, the example fields contain the ISF default guidance about the threat attributes.
    5. Ratings: The ratings fields are free text fields, where the headings come from your impact ratings table.
    6. Likelihood of Initiation (LoI) Calculation: The likelihood that a threat will initiate one or more threat events against the environment being assessed. This is a drop-down field where you can choose to “Include” or “Not Include” this calculation for the threat.
    7. Threat Strength (TS) Calculation: How effectively a threat can initiate or execute threat events against the environment being assessed. This is a drop-down field where you can choose to “Include” or “Not Include” this calculation for the threat.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Control Library

    The Control Library lists all the chosen controls active within your business that help to mitigate possible threats. By default, it lists the standard ISF IRAM2 Controls from the Security Health check.

    Further details on organisational control libraries are available on page 40 of the ISF’s IRAM2 Methodology document.

    Control_Library_annotated.png

    1. Control Reference: This is a free text field where you can input the reference you have for the given control. This can be the existing control reference your company has in place.
    2. Control: This is a free text field where you summarise the control.
    3. Extended Information: This is a free text field where you provide more information about the control.
    4. Evidence: This is an evidence field where you can upload files from the document library relating to the control and add comments about the evidence.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Control Relevance Table (CRT)

    The Control Relevance Table (CRT) states each control’s ability to reduce the likelihood and/or impact of threat events, as a score from 0 to 4.

    CRT_annotated.png

    1. Threat Events Header: This is the header for threat events; there is one each for Adversarial, Accidental and Environmental.
    2. Control Reference: This is a reference to the Control Library, where you choose which control you are considering.
    3. Control Name: This is the name of the control, pulled through when the control reference is selected.
    4. Threat Events: The threat event headers are the different events that could occur – in the above figure, these include “Session hijacking”, “Unauthorised access to legitimate authentication credentials” and “Exploit vulnerable authorisation mechanisms”. These should be configured to the threat events you consider within your company.
    5. Control Relevance: This is a drop-down list where you select how relevant the selected control is to the threat event described in the header. The possible options range from 0 to 4 – for more information about this, please see the ISF's IRAM2 Methodology document.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Threat Event Catalogue (TEC)

    The Threat Event Catalogue (TEC) lists the different possible threat events that threat actors could use to compromise the components within your organisation. Each Threat Event relates to multiple Controls that help mitigate it, which influences the Control Strength calculation in stage D4 of the IRAM2 assessment. For a Threat to be considered against a Threat Event in stage C4 (Scoping and mapping Threat Events) of an assessment, the event’s Initiation Strength must be equal to or less than the Threat Strength assessed for that Threat. By default, it lists the standard ISF IRAM2 Threat Events.

    Further details about threat events are available on page 34 of the ISF’s IRAM2 Methodology document.

    TEC_annotated.png

    1. Threat Event ID: This is a free text field where you can input the ID of the Threat Event. This can be your existing threat event ID.
    2. Threat Group: This is a free text field where you input which threat group the threat event belongs to – typically Adversarial, Accidental or Environmental.
    3. Threat Event Type: This is a free text field where you input the type of event the threat event fits into. Examples of types include Physical, Behavioural, Social Engineering and Supplier Compromise.
    4. Threat Event: This is a free text field where you input the title of the threat event.
    5. Threat Event Description: This is a free text field where you provide a fuller description of the threat event.
    6. Control Guidance: This is a reference field where you can multi-select all controls relating to the threat event.
    7. Origin Guidance: This is a drop-down list where you select where the threat event originates from – you can select “External”, “Internal” or “Internal/External”.
    8. Initiation Strength: This is the minimum threat strength required by a Threat to initiate the threat event. This is a reference to your impact ratings list, where you select the impact rating corresponding to the strength required.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.
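    A worked illustration of the stage C4 scoping rule described above (a Threat Event is a candidate for a Threat only when its Initiation Strength is equal to or less than the assessed Threat Strength), added here as an example and not code from the IRAM2 tool. The data classes, the sample TEC rows and the filter on matching threat group are assumptions made for the example; only the strength comparison comes from the page.

```python
from dataclasses import dataclass

# Impact Ratings form, default scale: local rating name -> score (higher = bigger impact).
# Every other form references this table, which is why the page warns that editing
# the scale also affects existing assessments.
DEFAULT_IMPACT_RATINGS = {"Negligible": 0, "Low": 1, "Moderate": 2, "High": 3}

@dataclass(frozen=True)
class ThreatEvent:
    event_id: str             # TEC item 1
    threat_group: str         # TEC item 2: Adversarial / Accidental / Environmental
    title: str                # TEC item 4
    initiation_strength: str  # TEC item 8: a local impact rating name

@dataclass(frozen=True)
class ThreatProfile:
    threat: str           # entry from the Threat Library
    threat_group: str     # group assigned to it in the CTL
    threat_strength: str  # TS assessed via the TPRT in Phase C, as a rating name

def rating_score(rating: str, scale=DEFAULT_IMPACT_RATINGS) -> int:
    """Resolve a local rating name through the Impact Ratings form."""
    if rating not in scale:
        raise ValueError(f"{rating!r} is not a rating on the Impact Ratings form")
    return scale[rating]

def events_in_scope(profile: ThreatProfile, catalogue, scale=DEFAULT_IMPACT_RATINGS):
    """Stage C4: Threat Events whose Initiation Strength <= the Threat's assessed TS.
    Assumption (not stated on the page): only events in the Threat's own group are
    candidates; the strength comparison itself is the page's rule."""
    ts = rating_score(profile.threat_strength, scale)
    return [e for e in catalogue
            if e.threat_group == profile.threat_group
            and rating_score(e.initiation_strength, scale) <= ts]

def unresolved_ratings(catalogue, scale) -> list:
    """TEC rows whose Initiation Strength no longer names a rating on the scale.
    Worth running after editing the Impact Ratings form, since that edit propagates
    to existing assessments."""
    return [e.event_id for e in catalogue if e.initiation_strength not in scale]

# Constructed sample TEC. The first three titles are the ones shown in the CRT figure
# on this page; the Initiation Strengths and the fourth event are made up.
SAMPLE_TEC = [
    ThreatEvent("TE-01", "Adversarial", "Session hijacking", "Low"),
    ThreatEvent("TE-02", "Adversarial",
                "Unauthorised access to legitimate authentication credentials", "Moderate"),
    ThreatEvent("TE-03", "Adversarial", "Exploit vulnerable authorisation mechanisms", "High"),
    ThreatEvent("TE-04", "Environmental", "Flooding of the server room", "Negligible"),
]

if __name__ == "__main__":
    profile = ThreatProfile("Constructed adversarial threat", "Adversarial", "Moderate")
    print([e.event_id for e in events_in_scope(profile, SAMPLE_TEC)])  # ['TE-01', 'TE-02']
    # Renaming Moderate to Medium on the Impact Ratings form leaves TE-02 dangling:
    print(unresolved_ratings(SAMPLE_TEC, {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3}))  # ['TE-02']
```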

    Risk Appetite Matrix

    The Risk Appetite Matrix is where you, as a business, state how much impact in each impact category you can accept in order to achieve business objectives. A suggested set of risk appetites is provided for the standard Impact Categories, but this will need to be reviewed for your organisation.

    RAM_annotated.png

    1. Impact Categories: This is a reference which selects from the BIRT.
    2. Appetite: This is the amount of risk the organisation is willing to accept in relation to the chosen impact category. This is a reference which selects from the impact ratings.
    3. Description: This is the description of the impact that would occur if the risk appetite for the impact category is reached – this information is pulled from the BIRT.

    Once this form has been reviewed and customised, the “Last Review” column on the Getting Started form should be filled in using the date reviewed.

    Action List

    The Action List is a centralised way of managing the actions required to treat risks in the final stage of the IRAM2 assessment. It has been centralised so that one action can address multiple risks across multiple assessments without duplication of effort or documentation.

    To create an action, insert a new row at the end of the table and complete the fields from left to right (❷ to ❾). Once these are filled in, the Assign button becomes available to assign the action to the chosen Facilitator, who will be notified by email.

    Once created, an action can be assigned against multiple risks in any assessment. Multiple actions may also be listed against each risk. Assigning actions to a risk is undertaken in the Phase E/F Risk Register of each assessment. Alternatively, actions may also be left unassigned to be worked on independent of any particular risk.

    Action_List_annotated.png

    1. Action Ref: This is an automatically generated reference number for the action.
    2. Action: This is a free text field where you write a summary of the action required.
    3. Priority: This is a drop-down list where you can select the priority of the action. The possible options are “Low”, “Medium” and “High”.
    4. Description: This is a free text field where you input a description of what needs to take place for the action.
    5. Frequency: This is a drop-down list where you can select whether the action will repeat or not. You can select from the following options:

    6. Start Date: This is a date picker where you select the date from which the action needs to be actioned.
    7. Target Date: This is a date picker where you select the target date for the completion of the action.
    8. Type: This is the type that the action is classified as – the options are as follows:

    9. Facilitator: This is a user-selectable field where you can select who will be facilitating the completion of the action – this lets you pick from the list of active users and groups.
    10. Workflow: This section lets you perform the workflow of the action:
    • Assign will start the action and will assign the facilitator a task on the platform associated with the action. This will also trigger an email to be sent to the facilitator and change the Status to “In Progress”.
    • Complete will complete the action and will change the Status of the action to “Complete”.
    • Re-open will re-open the action and will change the Status to “In Progress”.
    11. Updates: This is a free text field where you can write any updates about the action.
    12. Status: This field corresponds to the workflow and states the progress of the action. Prior to the action being assigned, the status will be “N/A”. When it has been assigned, the status will be “In Progress”, and it will be “Complete” once completed.
    13. Supporting Info: This is an evidence field where you can upload supporting information about the action from the document library or add comments.
    14. Comments: This is a free text field where you can input further comments about the action.
    15. Associations: This is an automatically populated field which, when applicable, displays a pop-up of all risks with which the action is associated.


    Assessment Tracker

    Once all the Getting Started forms have been reviewed, you can then begin using the Assessment Tracker.
