This post summarizes some relevant IT risk analysis methodologies.
IT risk analysis methodologies
List of IT risk analysis methodologies covered in this post:
- NIST 800-30
- ISO 27005
- Magerit
- Mehari
- OCTAVE
- Microsoft’s Security Management Guide
NIST SP 800-30
NIST Special Publication 800-30, abbreviated as NIST SP 800-30 or NIST 800-30 and titled “Guide for Conducting Risk Assessments”, is issued and managed by NIST, a governmental organization of the USA.
It was originally published in January 2002 and updated in September 2012.
You can find more about SP 800-30 Rev. 1 on this link.
ISO 27005
The latest version is ISO/IEC 27005:2018.
Magerit
Magerit, sometimes written as MAGERIT, is issued and managed by institutions related to the Government of Spain.
The latest version (version 3) is from 2012.
You can find a complete post about Magerit on this link.
Mehari
Mehari is issued and managed by CLUSIF (Club de la Sécurité de l’Information Français).
OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
The latest version is from 2005, so it does not seem to be updated any more.
You can find more information on this link.
Microsoft’s Security Management Guide
It was developed by Microsoft, and more specifically by Microsoft Solutions for Security and Compliance and the Microsoft Security Center of Excellence.
It was issued in 2006, so I guess it is completely outdated.
It is still available to be checked on this link.
You might be also interested in…
- A. Syalim, Y. Hori & K. Sakurai; “Comparison of Risk Analysis Methods: Mehari, Magerit, NIST800-30 and Microsoft’s Security Management Guide”