
IRAM2 RISK EVALUATION AND RISK TREATMENT ASSISTANT
PRACTITIONER GUIDE
JULY 2017

PUBLISHED BY
Information Security Forum Limited
Tel: +44 (0)20 3875 6868
Email: info@securityforum.org
Web: www.securityforum.org

PROJECT TEAM
Nick Frost – Lead
Tal Hirsch – Contributor
Andrew Reza – Contributor

REVIEW AND QUALITY ASSURANCE
Eleanor Thrower

DESIGN
Shane Kearney

WARNING
This document is confidential and is intended for the attention of, and use by, either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on info@securityforum.org. Any storage or use of this document by organisations which are not Members of
the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security
Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising
from its use.

CLASSIFICATION
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

2 IRAM2 Risk Evaluation and Risk Treatment Assistant: Practitioner Guide Information Security Forum
CONTENTS
1. INTRODUCTION ... 5
2. BEFORE YOU START ... 6
3. USING THE RISK EVALUATION AND RISK TREATMENT ASSISTANT ... 8
4. PHASE E: RISK EVALUATION ... 10
5. PHASE F: RISK TREATMENT ... 16
6. FURTHER INFORMATION ... 18

IRAM2 AT A GLANCE

Phase A: Scoping
Objectives:
‒‒ Develop an understanding of the characteristics of the organisation as a whole and of the environment to be assessed
‒‒ Define and agree the scope of the environment to be assessed
Steps:
A.1 Develop a profile of the environment
A.2 Develop the scope for the assessment

Phase B: Business Impact Assessment
Objectives:
‒‒ Assess potential business impact to an organisation should information assets be compromised
Steps:
B.1 Identify the information assets
B.2 Assess business impact

Phase C: Threat Profiling
Objectives:
‒‒ Profile and prioritise all threats that are relevant to the environment being assessed
‒‒ Identify the potential ways that the highest priority threats could manifest to cause harm to the environment being assessed
Steps:
C.1 Populate the threat landscape
C.2 Profile threats
C.3 Produce a prioritised threat landscape
C.4 Scope and map the threat events
C.5 Identify and map the information asset(s) impacted by each threat event

Phase D: Vulnerability Assessment
Objectives:
‒‒ Identify the controls that are applicable to the environment being assessed and understand their relevance to the in-scope threat events
‒‒ Determine the extent to which each control has been implemented in the environment being assessed
‒‒ Understand the strength of the controls that are in place to protect the environment against the in-scope threat events
Steps:
D.1 Select controls applicable to the environment being assessed
D.2 Map controls to in-scope threat events and determine relevance
D.3 Assess the implementation of controls
D.4 Determine the control strength for each combination of threat event and component

Phase E: Risk Evaluation
Objectives:
‒‒ Derive the residual risk rating for each risk
Steps:
E.1 Derive the likelihood of success
E.2 Derive the residual likelihood
E.3 Determine the residual business impact rating
E.4 Derive the residual risk rating

Phase F: Risk Treatment
Objectives:
‒‒ Determine a risk treatment approach for each identified risk
Steps:
F.1 Evaluate each risk against the risk appetite
F.2 Create a risk treatment plan
F.3 Execute the risk treatment plan and validate results


1 INTRODUCTION

Welcome to the IRAM2 Risk Evaluation and Risk Treatment Assistant Practitioner Guide.
This guide is one of a series designed to show you all the necessary steps to perform an information risk
assessment using the IRAM2 Assistants.

The IRAM2 Assistants complement the IRAM2 methodology and together provide risk practitioners with a
simple, practical yet rigorous approach to conducting information risk assessments.

IRAM2 consists of six phases which are supported by four assistants as shown in Figure 1.

Figure 1: How the phases of IRAM2 are supported by the assistants

IRAM2 phase: A Scoping; B Business Impact Assessment; C Threat Profiling; D Vulnerability Assessment; E Risk Evaluation; F Risk Treatment
IRAM2 Assistant: Scoping and BIA Assistant (phases A and B); Threat Profiling Assistant (phase C); Vulnerability Assessment Assistant (phase D); Risk Evaluation and Risk Treatment Assistant (phases E and F)

The assistants provide the practitioner with improved:
‒‒ efficiency: by automating parts of the methodology that would otherwise require a greater amount of
manual effort
‒‒ accuracy: by enabling in-depth analysis to enhance business decision making
‒‒ consistency: by delivering specific templates that can be applied for enterprise-wide information risk
assessments
‒‒ methods of communication: by leveraging report templates to convey the key risks to stakeholders.

HOW THIS GUIDE HELPS
This guide has been produced to support the practitioner’s use of the Risk Evaluation and Risk Treatment
Assistant and provides:
‒‒ step-by-step instructions for completing Phase E: Risk Evaluation and Phase F: Risk Treatment of the
IRAM2 process
‒‒ examples of populated worksheets
‒‒ notes and tips on how to efficiently conduct risk assessments.

READERSHIP
This guide has been written for practitioners familiar with the IRAM2 process. Each assistant is supplemented
by a practitioner guide and a prerecorded webinar. These can be downloaded from the IRAM2 community
on ISF Live.


2 BEFORE YOU START
This section details the information you need to know before getting started with the
Risk Evaluation and Risk Treatment Assistant.

EXCEL COMPATIBILITY
The Risk Evaluation and Risk Treatment Assistant has been developed using Microsoft Excel 2016. Testing of the
assistants has been conducted by the ISF Global Team and a user testing group of selected Members using Excel
2016, Excel 2013 and Excel 2010. All bugs identified during the testing were resolved by the development team.

MACROS
For the assistant to function correctly and securely, macros need to be enabled. The practitioner should follow
the steps below:
1. Click: File > Options > Trust Center > Trust Center Settings (to the right) > Macro Settings > Disable all
macros with notification, as shown in Figure 2.
2. Open the assistant. A security warning will appear under the Excel ribbon asking the practitioner to enable
content. Click the 'Enable Content' button as shown in Figure 3. Macros will now run in this assistant only.

Figure 2: Disabling all macros with notification in the assistant

Figure 3: Enabling the secure use of macros in the assistant
(Callout: Click to enable the secure use of macros in the assistant.)


WORKSHEETS
Visible and hidden worksheets are used for the effective operation of the assistant. To ensure that errors are
not introduced and the assistant functions correctly, do not delete or rename the worksheets.

TWO RULES FOR DATA INPUT
The practitioner should ensure that data input during the assessment satisfies the following criteria:
‒‒ Structure: the worksheets are structure sensitive and should retain the same page layout and number
of columns to be processed.
‒‒ Spaces: blank rows indicate end-of-file. Ensure that there are no blank rows within data sets.

DATA REFRESH
When data is altered during the assessment, any worksheet that uses this data as an input will not be updated
automatically. Worksheets will need to be revisited and updates applied as necessary. For example, if at the
end of the assessment a revised set of control strength ratings is imported (i.e. in the Import Control Strength
worksheet), the Risk Evaluation, Risk Appetite and Risk Treatment worksheets will need to be revisited and
completed again.

HELP
The ISF has a dedicated email address which Members can use to submit queries: IRAM@securityforum.org.

The ISF will reply to queries promptly and address any bugs that are identified in an unmodified version
of the Risk Evaluation and Risk Treatment Assistant.
Note The ISF cannot address bugs identified in the Risk Evaluation and Risk Treatment Assistant where the software
code has been modified.


3 USING THE RISK EVALUATION AND RISK TREATMENT ASSISTANT
This section provides the practitioner with information on the structure and navigation
of the Risk Evaluation and Risk Treatment Assistant.

STRUCTURE
The Risk Evaluation and Risk Treatment Assistant consists of a series of worksheets that guide the practitioner
through the fifth and sixth phases of IRAM2. The worksheet titles and how they should be used by the
practitioner are described below.

Phase E
‒‒ Import PTL: import the prioritised threats from the Threat Profiling Assistant to access the information
that builds the Risk Evaluation worksheet.
‒‒ Import Asset TE Map: import the mapped threat events to information assets and components from the
Threat Profiling Assistant to access the information that builds the Risk Evaluation worksheet.
‒‒ Import Control Strength: import the control strength ratings for each threat event from the Vulnerability
Assessment Assistant to access the information that builds the Risk Evaluation worksheet.
‒‒ Risk Evaluation: derive the residual risk ratings based on the risk factors (likelihood of success, residual
likelihood and residual business impact rating).
‒‒ Reference tables: present the Risk factor reference tables that are used to derive the likelihood of success,
residual likelihood and residual risk.
‒‒ RE Summary: present a summary of the findings from the risk evaluation activities.

Phase F
‒‒ Risk Appetite: agree and record the organisation’s risk appetite for each category of risk.
‒‒ Risk Treatment: review the information required to determine the appropriate treatment options
(e.g. mitigate, accept) and management of the treatment (e.g. treatment action owner(s), target date
of completion, status).


NAVIGATION AND FUNCTION BUTTONS
To ensure automated processing of information is performed, the practitioner is advised to use the navigation
and function buttons described below.

Button: Description
Next: Moves the practitioner to the next worksheet.
Back: Moves the practitioner to the previous worksheet.
Start: Executes a task within the Risk Evaluation and Risk Treatment Assistant (e.g. to import the
relevant information from the Threat Profiling Assistant).
Control references: Presents or hides the applicable control references from the control library.
Prioritise: Prioritises the risks once the residual risk rating has been derived.
Export: Exports the worksheet for use in other assessments (e.g. results from the risk evaluation).
Reference tables: Takes the practitioner to the Risk factor reference tables, where the ratings can be adjusted.
Detailed info: Presents or hides the detailed risk information (e.g. threat strength and likelihood of initiation).
Return: Moves the practitioner back to the Risk Evaluation worksheet.


4 PHASE E: RISK EVALUATION
IMPORT PTL
This worksheet requires the practitioner to select and import the results of a prioritised threat landscape
from a Threat Profiling Assistant. To import the results, click the Start button. A pop-up window will appear
asking the practitioner to select the appropriate file and if they wish to proceed. Click ‘Yes’ and a second pop-
up window will appear requesting the file containing the prioritised threats to be selected. The practitioner
should navigate to the appropriate Threat Profiling Assistant and click ‘OK’. The results of the prioritised threat
landscape will be transferred to the worksheet, as shown in Figure 4.

Figure 4: Example of a populated Import PTL worksheet
(Callout: Threats in prioritised order.)

To progress to the next step in the process, the practitioner should click the Next button to continue to the
Import Asset TE Map worksheet.

IMPORT ASSET TE MAP
This worksheet requires the practitioner to select and import the mapped threat events to information assets
and components from the Threat Profiling Assistant.

To import the results, click the Start button. A pop-up window will appear asking the practitioner to select the
appropriate file and if they wish to proceed. Click ‘Yes’ and a second pop-up window will appear requesting the
file containing mapped threat events to information assets and components to be selected. The practitioner
should navigate to the appropriate Threat Profiling Assistant and click ‘OK’. The results of the mapped threat
events to information assets and components are transferred to the worksheet, as shown in Figure 5.


Figure 5: Example of a populated Import Asset TE Map worksheet

To progress to the next step in the process, the practitioner should click the Next button to continue to the
Import Control Strength worksheet.

IMPORT CONTROL STRENGTH
This worksheet requires the practitioner to select and import the control strength ratings from the Vulnerability
Assessment Assistant.

To import the results, click the Start button. A pop-up window will appear asking the practitioner to select the
appropriate file and if they wish to proceed. Click ‘Yes’ and a second pop-up window will appear requesting
the file containing control strength ratings to be selected. The practitioner should navigate to the appropriate
Vulnerability Assessment Assistant and click ‘OK’. The results of the control strength ratings are transferred to
the worksheet, as shown in Figure 6.

Figure 6: Example of a populated Import Control Strength worksheet

To display details of the control references for each control strength rating, the practitioner should click the
Control references button.

To progress to the next step in the process, the practitioner should click the Next button to continue to the Risk
Evaluation worksheet.


RISK EVALUATION
The Risk Evaluation worksheet presents the information required to derive the residual risk rating. There are
a series of automated and manual steps required to derive the residual risk rating. To begin, the practitioner
should click the Start button.

The following columns will be automatically populated based on previously imported data:
‒‒ Threat
‒‒ Threat event
‒‒ Information asset
‒‒ Component
‒‒ Highest impact ratings for confidentiality
‒‒ Highest impact ratings for integrity
‒‒ Highest impact ratings for availability
‒‒ Threat strength (TS)
‒‒ Control strength
‒‒ Likelihood of initiation (LoI)
‒‒ Likelihood of success (LoS)
‒‒ Residual likelihood.

The practitioner should now manually select the appropriate information attribute and impact scenario by
referencing the Highest impact ratings column for confidentiality, integrity or availability.

The practitioner should then select a rating for residual impact. This requires a comparison of threat strength
and control strength ratings using the LoS matrix as shown in Figure 7.

Figure 7: Example of using the LoS matrix to determine residual impact

                                  Threat strength
Control strength    Negligible    Low           Moderate    High
High                Negligible    Negligible    Low         Moderate
Moderate            Negligible    Low           Moderate    High
Low                 Low           Low           High        High
Negligible          Low           Moderate      High        High

Apply ‘realistic’ impact scenario where threat strength is low, or is counterbalanced by control strength.
Apply ‘worst-case’ impact scenario where threat strength is high and control strength is low.

Note The boundaries delineating realistic from worst-case (as shown in Figure 7) should be reviewed by the practitioner
and adjusted if required.

For more information on determining residual impact, please refer to page 49 of the IRAM2 Methodology.


The selection of the residual impact rating will then automatically generate a residual risk rating as shown in
Figure 8.
Note The residual risk rating is derived from the residual risk matrix in the Reference Tables worksheet.

Figure 8: Example of a populated Risk Evaluation worksheet

The practitioner can change a derived residual risk rating result by clicking on the cell and selecting the
appropriate rating.
Note When a practitioner adjusts a residual risk rating a pop-up window will appear asking the practitioner to unprotect
the worksheet. The practitioner should right-click on the Risk Evaluation tab, select the option 'Unprotect Sheet' and
change the residual risk rating.

Tip The practitioner should provide a description in the Rationale column if a residual risk rating has been adjusted.

Once residual risk ratings have been reviewed the practitioner should click the Prioritise button to re-sort the
risks according to the residual risk ratings.

After completing the Risk Evaluation worksheet, the practitioner can either proceed to:
‒‒ the RE Summary worksheet by clicking the Next button
‒‒ the Reference Tables worksheet (should the practitioner wish to adjust the ratings in the LoS matrix, the
residual risk matrix or the residual likelihood matrix).

For more information on risk evaluation, please refer to page 45 of the IRAM2 Methodology.


REFERENCE TABLES
The risk factor reference tables are used to derive the risk factors: LoS, residual likelihood and residual risk.

The practitioner can change the values in these tables by clicking on the relevant cell and choosing the appropriate
rating from the drop-down box, as shown in Figure 9.

Figure 9: Making changes to the risk factor reference tables
(Callout: The practitioner can change the values by clicking on the cells and selecting the revised rating.)

When this has been completed the practitioner should save the work by clicking on the ‘Save’ icon in the
Excel ribbon.

Should the practitioner change values in the risk factor reference tables, the results of the changes will be
applied in the Risk Evaluation worksheet (e.g. LoS, residual likelihood, residual risk rating).

To return to the Risk Evaluation worksheet click the Return button.

To progress to the RE Summary worksheet, the practitioner should first click the Return button and then click
the Next button.


RE SUMMARY
The RE Summary worksheet presents key details from the Risk Evaluation phase. These include:
‒‒ Residual likelihood: represents the percentage of residual likelihood ratings (e.g. high, moderate, low
and negligible).
‒‒ Residual impact: represents the percentage of residual impact ratings (e.g. high, moderate, low and negligible).
‒‒ Residual risk: represents the percentage of residual risk ratings (e.g. high, moderate, low and negligible).
‒‒ Number of residual risk ratings per information asset: represents the number of residual risks for each
information asset (e.g. high, moderate, low and negligible).
‒‒ Number of residual risk ratings per component: represents the number of residual risks for each component
(e.g. high, moderate, low and negligible).

The summary worksheet has been designed for stakeholder review. The practitioner can include additional
information in the Risk assessment recommendations column at the top of the worksheet, as shown in Figure 10.
Note To make changes in the Risk Evaluation Summary worksheet the practitioner will need to make the necessary
adjustments in the applicable worksheet.

Figure 10: Example of a populated Risk Evaluation Summary worksheet

Click the Next button to continue to the Risk Appetite worksheet.


5 PHASE F: RISK TREATMENT
RISK APPETITE
The practitioner can either define the risk appetite in the Risk Evaluation and Risk Treatment Assistant or
import an existing risk appetite by clicking on the Import button and following the instructions. All impact
categories listed in the Risk Appetite worksheet should be the same as those listed in the business impact
reference table (BIRT) from the Scoping and BIA Assistant. Figure 11 presents a populated Risk Appetite
worksheet.
Note Risk appetite can also be defined in the Scoping and BIA Assistant.

Figure 11: Example of a populated Risk Appetite worksheet
(Callout: The practitioner can select the risk appetite by clicking on the cell.)

To progress to the Risk Treatment worksheet, the practitioner should click the Next button.

RISK TREATMENT
To start the risk treatment activities, the practitioner should click the Start button. A pop-up window will
appear asking the practitioner if they wish to proceed. Click the ‘Yes’ button and the relevant information will
be transferred through to the worksheet, including an automatic rating that determines if the residual risk
rating exceeds the risk appetite, as shown in Figure 12.

Note The automatic calculation to determine if the residual risk exceeds the risk appetite is a new feature
in the Risk Evaluation and Risk Treatment Assistant.

For more information on risk appetite, please refer to page 53 of the IRAM2 Methodology.


Figure 12: Example of a populated Risk Treatment worksheet

For residual risks that exceed the risk appetite, the practitioner needs to determine:
‒‒ treatment options (e.g. avoid, mitigate, transfer)
‒‒ treatment actions (e.g. apply new controls, enhance existing controls, outsource the service)
‒‒ treatment owners (i.e. name of appropriate individuals to manage the agreed treatment actions)
‒‒ target date of completion
‒‒ status (e.g. not started, ongoing, completed).
Tip The Risk Treatment worksheet in the Risk Evaluation and Risk Treatment Assistant should be completed in a workshop
environment facilitated by the practitioner involving the appropriate stakeholders.

Note If additional information in the Risk Treatment worksheet is required (e.g. threat strength, control strength, likelihood
of initiation), the practitioner should click on the Detailed information button.

To complete the information risk assessment, the practitioner may wish to export the results of the agreed
Risk Treatment worksheet (i.e. to be recorded/stored in an information risk register).
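The two automated decisions this guide describes, selecting the impact scenario from the LoS matrix in Figure 7 and testing whether a residual risk rating exceeds the agreed risk appetite, are shown below as an added Python example. It is not code from the ISF assistant; the assistant is an Excel workbook and its internal formulas are not reproduced here. The LoS matrix values are transcribed from Figure 7. Everything else is an assumption of the example: the field names, the constructed sample rows and appetite values, and the boundary used to split the matrix into 'realistic' and 'worst-case' regions (here, any cell with an LoS of High), which the guide leaves for the practitioner to review.

```python
from collections import Counter
from dataclasses import dataclass

# Ordinal rating scale used by the assistant, from lowest to highest.
SCALE = ["Negligible", "Low", "Moderate", "High"]
RANK = {rating: position for position, rating in enumerate(SCALE)}

# Likelihood-of-success (LoS) matrix transcribed from Figure 7.
# Outer key: control strength (rows); inner key: threat strength (columns).
LOS_MATRIX = {
    "High":       {"Negligible": "Negligible", "Low": "Negligible", "Moderate": "Low",      "High": "Moderate"},
    "Moderate":   {"Negligible": "Negligible", "Low": "Low",        "Moderate": "Moderate", "High": "High"},
    "Low":        {"Negligible": "Low",        "Low": "Low",        "Moderate": "High",     "High": "High"},
    "Negligible": {"Negligible": "Low",        "Low": "Moderate",   "Moderate": "High",     "High": "High"},
}

# Assumption of this example: cells whose LoS is at or above this rating form the
# 'worst-case' region of Figure 7. The guide says the boundary should be reviewed
# by the practitioner and adjusted if required, so it is a parameter here.
WORST_CASE_THRESHOLD = "High"


def check_rating(value, field):
    """Reject anything not on the four-point scale (catches typos in imported data)."""
    if value not in RANK:
        raise ValueError(f"{field}: {value!r} is not one of {SCALE}")
    return value


def likelihood_of_success(threat_strength, control_strength):
    """Look up LoS for a threat strength / control strength pair in the Figure 7 matrix."""
    check_rating(threat_strength, "threat strength")
    check_rating(control_strength, "control strength")
    return LOS_MATRIX[control_strength][threat_strength]


def impact_scenario(threat_strength, control_strength, threshold=WORST_CASE_THRESHOLD):
    """Decide whether the 'realistic' or the 'worst-case' impact scenario applies."""
    los = likelihood_of_success(threat_strength, control_strength)
    return "worst-case" if RANK[los] >= RANK[check_rating(threshold, "threshold")] else "realistic"


@dataclass
class RiskRow:
    """One row of the Risk Evaluation worksheet (field names assumed for this example)."""
    threat_event: str
    information_asset: str
    component: str
    impact_category: str      # e.g. Confidentiality, Integrity, Availability
    threat_strength: str
    control_strength: str
    realistic_impact: str     # impact rating under the realistic scenario
    worst_case_impact: str    # impact rating under the worst-case scenario


def residual_impact(row):
    """Select the residual impact rating for a row using the Figure 7 decision rule."""
    scenario = impact_scenario(row.threat_strength, row.control_strength)
    return row.worst_case_impact if scenario == "worst-case" else row.realistic_impact


def exceeds_appetite(residual_risk, impact_category, appetite):
    """True when a residual risk rating is above the appetite agreed for its impact category."""
    check_rating(residual_risk, "residual risk")
    if impact_category not in appetite:
        # Mirrors the guide's requirement that appetite categories match the BIRT categories.
        raise KeyError(f"no risk appetite recorded for category {impact_category!r}")
    return RANK[residual_risk] > RANK[check_rating(appetite[impact_category], "risk appetite")]


def residual_risks_per_asset(rated_rows):
    """RE Summary style count of residual risk ratings per information asset.

    rated_rows: iterable of (information_asset, residual_risk) pairs.
    """
    counts = {}
    for asset, residual_risk in rated_rows:
        counts.setdefault(asset, Counter())[check_rating(residual_risk, "residual risk")] += 1
    return {asset: dict(counter) for asset, counter in counts.items()}


# Constructed sample data for illustration only; not taken from any real assessment.
SAMPLE_ROWS = [
    RiskRow("Unauthorised disclosure", "Customer records", "Database server",
            "Confidentiality", "High", "Low", "Moderate", "High"),
    RiskRow("Service disruption", "Customer records", "Web front end",
            "Availability", "Moderate", "High", "Low", "Moderate"),
]
SAMPLE_APPETITE = {"Confidentiality": "Moderate", "Availability": "Moderate"}


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row.threat_event, impact_scenario(row.threat_strength, row.control_strength), residual_impact(row))
    print(exceeds_appetite("High", "Confidentiality", SAMPLE_APPETITE))
    print(residual_risks_per_asset([("Customer records", "High"), ("Customer records", "Low")]))
```

The first sample row (threat strength High against control strength Low) lands in the worst-case region, so its worst-case impact rating is carried forward; the second (Moderate threat against High controls) stays in the realistic region. The residual risk rating itself is derived in the assistant from the residual risk matrix in the Reference Tables worksheet, which this guide does not reproduce, so exceeds_appetite takes that rating as an input rather than computing it.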


6 FURTHER INFORMATION
For further information on using the Risk Evaluation and Risk Treatment Assistant the ISF has
provided the following supporting information:
‒‒ IRAM2 prerecorded webinars: to demonstrate how to use the assistants in four short videos
‒‒ IRAM2 Methodology: to detail the steps in the ISF’s latest methodology for information risk assessment
in a full report
‒‒ IRAM2 Executive Summary: to describe the benefits of using IRAM2 in a four-page high-level document
‒‒ IRAM2 case studies: to share practical examples of how Members are using IRAM2 to establish or enhance
their information risk assessment capability
‒‒ the IRAM2 community: to enable Members to share experiences and provide feedback on the methodology
and the assistants.

The ISF has a dedicated email address which Members can use to submit queries: IRAM@securityforum.org.

ABOUT ISF
Founded in 1989, the Information Security Forum (ISF)
is an independent, not-for-profit association of leading
organisations from around the world. It is dedicated
to investigating, clarifying and resolving key issues in
cyber, information security and risk management and
developing best practice methodologies, processes and
solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing
in-depth knowledge and practical experience drawn
from within their organisations and developed through
an extensive research and work programme. The ISF
provides a confidential forum and framework, which
ensures that Members adopt leading-edge information
security strategies and solutions. And by working
together, Members avoid the major expenditure
required to reach the same goals on their own.

FOR FURTHER
INFORMATION CONTACT:
Information Security Forum
Tel: +44 (0)20 3875 6868
Email: info@securityforum.org
Web: www.securityforum.org

REFERENCE: ISF 17 07 10
Copyright © 2017 Information Security Forum Limited. All rights reserved.
