
FEATURE

Addressing Risk Using the New Enterprise Security Risk Management Cycle

Enterprise Security Risk Management (ESRM) is a holistic security program designed to identify and prioritize assets and risk in order to mitigate those risk areas. ESRM bridges security professionals and asset owners in making informed decisions through the ESRM cycle.

The ESRM cycle shown in figure 1 is based on new ESRM guidelines from ASIS,1 which were drafted based on globally established and accepted risk management principles and are implemented by identifying, evaluating and mitigating the security risk areas of an enterprise so that it can reach its business objectives.

Figure 1—ESRM Strategic Approach

[Diagram: the ESRM cycle—Identify and Prioritize Assets; Identify and Prioritize Risk; Mitigate Prioritized Risk; Continuous Improvement (Assessment, Analysis, Mitigation, Monitoring)—surrounded by the enterprise Context (Mission and Vision, Core Values, Operating Environment, Stakeholders) and resting on the ESRM Foundation (Holistic Risk Management, Stakeholders Partnership, Transparency, Governance).]

Source: ASIS International, Enterprise Security Risk Management Guideline, 2019. Used with permission.

Harisaiprasad Kumaragunta, CISA, APP, ISO 22301 LI, ISO 27001 LA, ISO 9001 LA, Six Sigma Green Belt
is an associate consultant with Mahindra Special Services Group with more than 12 years of experience in the industry. He is the ISACA® New Delhi (India) Chapter leader and social media chair. He is also a topic leader for the ISACA Certified Information Systems Auditor® (CISA®) online forum. He is a frequent contributor to blogs and has published articles related to the information security domain in ISACA Now, COBIT Focus and the ISACA® Journal. He conducts user awareness training, internal auditor training, International Organization for Standardization ISO 27001 audits, regulatory audits, third-party audits, internal audits, IT audits and risk assessments, and implements ISO 27001, among other tasks. He can be contacted at harisaiprasad@gmail.com.

© 2020 ISACA. All rights reserved. www.isaca.org


ISACA JOURNAL VOL 5 1
Practicing ESRM helps an enterprise improve the maturity of its security process. This cycle can be initiated after understanding an enterprise's context. Understanding the context involves understanding the mission, vision, core values, operating environment (i.e., physical, nonphysical and logical) and stakeholders. This helps security professionals identify the risk areas that restrict the organization in achieving its goals and objectives. The ESRM cycle includes four processes:

1. Identifying and prioritizing assets—Anything that adds value to the organization is defined as an asset. Assets are owned by asset owners, who are responsible for mitigating the risk areas of their assets to a level acceptable to the organization. Assets should be valued and prioritized based on the organization's goals and objectives. The value of an asset could be based on its cost or replacement cost, or on the operational and reputational impact of its unavailability.

2. Identifying and prioritizing risk—This involves conducting a risk assessment for the assets by identifying risk according to the enterprise risk assessment methodology. The methodology should determine the risk level from threats, vulnerabilities, impact, probabilities and the value of assets. The risk level determined for each identified risk is then matched against the acceptable risk value. Risk areas that exceed the acceptable value are called high risk, and risk that matches or is below the acceptable value is called low/acceptable risk. The process of identifying high-risk areas and listing them in order for mitigation is called prioritizing risk.

3. Mitigating the prioritized risk—Risk determined to be high needs to be brought to an acceptable level. This process is called risk mitigation. Mitigation is one of four types of risk treatment; the other three are accept, avoid and transfer. In risk acceptance, risk scenarios are accepted based on an organization's risk tolerance level/risk appetite. Risk can be transferred through insurance and outsourcing. Avoidance of risk is accomplished by changing or ceasing certain operations. In risk mitigation, the probability or impact of the risk is reduced by additional controls so that the risk level falls to an acceptable level. Examples of risk mitigation measures include electronic access controls, video surveillance, security awareness training and data loss prevention (DLP).

4. Continuous improvement of the security program—The ESRM cycle is based on an iterative approach of assessment, mitigation and monitoring to continuously improve the four processes. Investigations and analysis, information sharing and incident response contribute to continuous improvement. Incident response is the process of responding to incidents and tracking them until their resolution within the defined timelines. Continuous improvement can be analyzed by tracking incidents over a period of time and comparing the incidents that occurred and their resolution times with those of the previous cycle. Lessons learned from incidents should also be fed back into the security program through its continuous improvement process.

Emerging risk can be determined through investigation and analysis. In this process, root causes are identified, mitigation controls are devised and prioritized, and response time is monitored.

Sharing security information with asset owners and stakeholders forms an important part of the continuous improvement process. It helps security professionals send information to and receive information from asset owners, which contributes to continuous improvement.
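The following is an added worked example, not code from the article or from the ASIS guideline, of cycle steps 2 and 3 above: each identified risk is given a level from probability, impact and asset value, the level is matched against the enterprise's acceptable risk value to classify it as high or low/acceptable, the high-risk items are listed in mitigation order, and mitigation controls are applied to check which residual risk still needs another treatment. The 1 to 5 scales, the multiplicative scoring model, the acceptable value of 20, the sample register and the assumed effect of each control are all constructed assumptions; a real enterprise would take them from its own risk assessment methodology.

```python
"""Risk prioritization and mitigation check for the ESRM cycle (added example).

Constructed illustration, not the ASIS methodology: the scoring formula,
the 1-5 scales and the acceptable risk value below are assumptions.
"""
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 20  # assumed enterprise-wide acceptable risk value


@dataclass
class Asset:
    name: str
    owner: str   # asset owner responsible for treating the asset's risk
    value: int   # 1-5, from cost/replacement cost or impact of unavailability


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    probability: int  # 1-5 likelihood that the threat exploits the vulnerability
    impact: int       # 1-5 consequence if it does
    controls: list = field(default_factory=list)  # mitigation controls applied

    def level(self) -> int:
        # Assumed scoring model: probability x impact x asset value (1..125).
        for score in (self.probability, self.impact, self.asset.value):
            if not 1 <= score <= 5:
                raise ValueError("scores must be between 1 and 5")
        return self.probability * self.impact * self.asset.value


def classify(risk: Risk, acceptable: int = ACCEPTABLE_RISK) -> str:
    """High risk exceeds the acceptable value; matching or below is low/acceptable."""
    return "high" if risk.level() > acceptable else "low/acceptable"


def prioritize(risks, acceptable: int = ACCEPTABLE_RISK):
    """Prioritizing risk: the high-risk items in mitigation order, highest level first."""
    high = [r for r in risks if r.level() > acceptable]
    return sorted(high, key=lambda r: r.level(), reverse=True)


def mitigate(risk: Risk, control: str, probability_cut: int = 0, impact_cut: int = 0) -> int:
    """Risk mitigation: an additional control lowers probability and/or impact.

    Returns the residual risk level; a score never drops below 1.
    """
    risk.controls.append(control)
    risk.probability = max(1, risk.probability - probability_cut)
    risk.impact = max(1, risk.impact - impact_cut)
    return risk.level()


def build_register():
    """Constructed sample risk register (not data from the article)."""
    records = Asset("Customer records database", owner="CIO", value=5)
    datacenter = Asset("Data center", owner="Head of facilities", value=4)
    return [
        Risk(records, "Insider data exfiltration", "No DLP on outbound email", 3, 5),
        Risk(datacenter, "Unauthorized physical entry", "Shared keys, no entry log", 2, 4),
        Risk(records, "Phishing-led credential theft", "No awareness training", 4, 4),
        Risk(datacenter, "Power failure", "Single feed, no UPS", 1, 3),
    ]


def run_cycle(acceptable: int = ACCEPTABLE_RISK) -> dict:
    """One pass of steps 2-3: prioritize, apply mitigation, report residual risk."""
    register = build_register()
    # threat -> (control, probability reduction, impact reduction); assumed effects
    plan = {
        "Insider data exfiltration": ("data loss prevention (DLP)", 2, 0),
        "Unauthorized physical entry": ("electronic access controls", 1, 0),
        "Phishing-led credential theft": ("awareness training plus electronic access controls", 2, 2),
    }
    for risk in prioritize(register, acceptable):
        control, p_cut, i_cut = plan[risk.threat]
        mitigate(risk, control, p_cut, i_cut)
    # Anything still high after mitigation needs another treatment (accept,
    # avoid or transfer), decided by the asset owner in the next cycle.
    return {r.threat: (r.level(), classify(r, acceptable)) for r in register}


if __name__ == "__main__":
    for threat, (level, status) in run_cycle().items():
        print(f"{threat:32} residual level {level:3}  {status}")
```

In the constructed register the insider exfiltration risk stays high (level 25) even after DLP is applied, which is exactly the case the text's treatment options cover: the asset owner must accept it within the risk appetite, transfer it, or avoid it by changing the operation, and the outcome is tracked in the next iteration of the cycle.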

ESRM addresses mitigating risk from physical security, cybersecurity, information security, loss prevention, organizational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk management and workplace violence prevention. Its approach is shown in figure 1.

The ESRM program for an organization can be started with an assessment using the ASIS ESRM maturity assessment tool,2 where the rating for various categories is based on the current people, process and governance scores. The current people and process scores are shown in figure 2.

A governance score consists of a risk rating and thresholds set by the enterprise risk governance committee. The assessment tool consists of different categories that include program strategy, program governance, understanding and awareness, program implementation and application, program management and advancement, and alignment of security risk mitigation activity. Each category has different controls and, for each control, a people score, process score and governance score between one and five should be given to get the enterprise score. The values and definitions of an enterprise score are shown in figure 3. An average score for each of the six categories is given for people, processes and governance, respectively, by the online tool. The current level score and the recommended level are also provided by the tool for each of the six categories. Areas covered under each of the six categories include:

1. Program strategy—This includes the security department's mission, goals and a formal commitment to using ESRM and communicating it to the relevant stakeholders. Strategy involves adopting a formal risk model (e.g., International Organization for Standardization [ISO], COBIT®, American National Standards Institute [ANSI]), allotting resources and developing skills for implementation.

2. Program governance—This includes instituting a governance committee, setting up acceptable risk limits for the enterprise, defining scope and communicating the maturity levels.

3. Understanding and awareness—Awareness training should be given to executives, leaders of all functions and departments, security personnel, and third-party personnel under scope.

4. Program implementation and application—This involves identifying assets and their owners, prioritizing assets, determining impact, evaluating risk levels and documenting risk mitigation plans.

5. Program management and advancement—This includes reviewing and updating risk mitigation plans and status reports at regular intervals and delivering them to asset owners, executive management and the security department.

Figure 2—People and Process Scores

People Score
5 ESRM performance metrics are measured and optimized.
4 Cross-functional teams are adequately staffed for ESRM, performance for these teams is measured, and ESRM development/training programs are in place for teams across the organization.
3 Cross-functional teams are in place, ESRM knowledge is transferred between teams, and roles/responsibilities regarding risk knowledge are well-defined.
2 Cross-functional teams are mostly in place, and roles/responsibilities regarding risk knowledge are generally understood.
1 Risk knowledge is limited to a few key personnel, with no cross-training between security teams/groups and departments.

Process Score
5 ESRM/risk processes are reviewed and proactively improved based on measurable results.
4 ESRM/risk processes are measured against established metrics.
3 ESRM/risk processes are defined and documented as a standardized process across the organization.
2 ESRM/risk processes exist and are repeatable.
1 ESRM/risk processes do not exist or are performed in an ad hoc manner.

Source: ASIS International, Enterprise Security Risk Management Guidelines, USA, 2019. Used with permission.

6. Alignment of security risk mitigation activity—This includes developing and defining roles and responsibilities, and monitoring and communicating risk mitigation activities and incident management.

Periodic reviews and audits help assess the status of ESRM and continuous improvement. Communications with external and internal stakeholders on the performance of risk management make the governance process of an enterprise effective.

ISO 27005 is a standard for information security risk management, which describes how risk should be assessed and managed and provides a risk matrix to determine the risk levels of various risk areas. ISO 31000 and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) only discuss risk management and principles for an enterprise.3 ESRM specifically addresses managing the security risk areas of an enterprise, and this framework is designed in such a way that it can integrate well with the enterprise risk management framework. This is because an enterprise score from the ESRM maturity assessment tool uses defined people and process scores and leaves the governance score to be defined by the particular enterprise. None of the other standards have a provision to determine the risk management rating at an enterprise level. This helps an enterprise assess the maturity level of its security risk management and determine the road ahead through the ESRM tool.

The results of a simulated enterprise that has used the ESRM tool and completed the survey are shown in figure 4.

The enterprise score is calculated and the current average score of each category is determined.

Figure 3—Enterprise Score

5 Optimized: It is a characteristic of processes at this level that the focus is on continually improving process
performance through both incremental and innovative technological changes/improvements.

4 Managed: It is characteristic of processes at this level that, using process metrics, management can
effectively control the as-is process (e.g., for software development). In particular, management can
identify ways to adjust and adapt the process to particular projects without measurable losses of quality or
deviations from specifications. Process capability is established from this level.

3 Defined: It is characteristic of processes at this level that there are sets of defined and documented standard
processes established and subject to some degree of improvement over time. These standard processes are
in place (i.e., they are the as-is processes) and used to establish consistency of process performance across
the organization.

2 Repeatable: It is characteristic of processes at this level that some processes are repeatable, possibly with
consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that
existing processes are maintained during times of stress.

1 Ad Hoc: It is characteristic of processes at this level that they are (typically) undocumented and in a state of
dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This
provides a chaotic or unstable environment for the processes.

0 Non-Existent/Not Wanted: The requirement is non-existent in the environment and/or not desired.

Figure 4—People, Process and Governance Average Score and Recommended Score

Requirements                                    Current Score Average   Recommended
Program strategy                                3                       3
Program governance                              3                       3
Understanding and awareness                     4                       3
Program implementation and application          2                       3
Program management and advancement              3                       3
Alignment of security risk mitigation activity  3                       3
Enterprise Score: 3 "defined"
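The following is an added worked example, not code from the article or from the ASIS tool, of the scoring arithmetic described in the text: every control in a category receives a people, process and governance score between one and five, each category is averaged, the enterprise score is the average over the six categories and is labelled using figure 3, and each category's current level is compared with its recommended level. The per-control scores are constructed so that the category averages reproduce the simulated enterprise in figure 4; how the real online tool rounds and weights individual scores is an assumption here.

```python
"""ESRM maturity scoring walk-through (added example, constructed data).

The averaging and rounding below are assumptions about the ASIS maturity
assessment tool, not its documented behaviour.
"""
from statistics import mean

# Enterprise score values and labels from figure 3
MATURITY_LABELS = {
    0: "Non-Existent/Not Wanted",
    1: "Ad Hoc",
    2: "Repeatable",
    3: "Defined",
    4: "Managed",
    5: "Optimized",
}

# Recommended level per category, as in figure 4
RECOMMENDED = {
    "Program strategy": 3,
    "Program governance": 3,
    "Understanding and awareness": 3,
    "Program implementation and application": 3,
    "Program management and advancement": 3,
    "Alignment of security risk mitigation activity": 3,
}

# Constructed per-control scores: one (people, process, governance) tuple per
# control, each score 1-5. Chosen so the averages match figure 4.
SAMPLE_CATEGORIES = {
    "Program strategy": [(3, 3, 3), (3, 3, 3)],
    "Program governance": [(3, 3, 3), (4, 2, 3)],
    "Understanding and awareness": [(4, 4, 4), (4, 4, 4)],
    "Program implementation and application": [(2, 2, 2), (2, 3, 1)],
    "Program management and advancement": [(3, 3, 3), (2, 4, 3)],
    "Alignment of security risk mitigation activity": [(3, 3, 3)],
}


def validate_scores(scores) -> None:
    """The tool expects whole-number scores between one and five per control."""
    for score in scores:
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"score {score!r} is not a whole number from 1 to 5")


def category_average(controls) -> int:
    """Average of all people/process/governance scores in a category, rounded to a level."""
    flat = [score for control in controls for score in control]
    validate_scores(flat)
    return round(mean(flat))


def category_scores(categories) -> dict:
    return {name: category_average(controls) for name, controls in categories.items()}


def enterprise_score(categories) -> int:
    """Enterprise score: rounded average of the six category levels."""
    return round(mean(category_scores(categories).values()))


def maturity_label(score: int) -> str:
    return MATURITY_LABELS[score]


def gap_report(categories, recommended=RECOMMENDED) -> dict:
    """Per category: (current level, recommended level, current minus recommended)."""
    current = category_scores(categories)
    return {
        name: (current[name], recommended[name], current[name] - recommended[name])
        for name in recommended
    }


if __name__ == "__main__":
    score = enterprise_score(SAMPLE_CATEGORIES)
    print(f"Enterprise Score: {score} \"{maturity_label(score).lower()}\"")
    for name, (cur, rec, delta) in gap_report(SAMPLE_CATEGORIES).items():
        flag = "below recommended" if delta < 0 else ("above recommended" if delta > 0 else "on target")
        print(f"{name:48} {cur} / {rec}  {flag}")
```

Run as written, the report shows an enterprise score of 3 ("defined") while flagging program implementation and application as below its recommended level and understanding and awareness as above it, which is the reading of figure 4 the text makes: the overall score alone would hide the category that needs work.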



In this example, even though the enterprise score is at the desired level, the enterprise did not achieve the recommended score in the program implementation and application category and achieved an above-recommended score in understanding and awareness (figure 4). The ESRM survey not only calculates the overall enterprise score, but also indicates which area an enterprise needs to improve and what level the enterprise has achieved in each category. From this, an enterprise can revise and implement strategies to improve its ESRM and achieve the required scores of performance.

Endnotes

1 Professional Standards Board; "Guideline: Enterprise Security Risk Management," ASIS International, September 2019
2 ASIS International; "ESRM Maturity Assessment Survey," https://www.asisonline.org/publications—resources/esrm/esrm-survey/
3 International Organization for Standardization, ISO 31000:2018 Risk Management—Guideline, Switzerland, February 2018, https://www.iso.org/standard/65694.html
