3 Things You’ll Learn Conducting a Cyber Risk Assessment with CIS RAM

For organizations conducting their first cyber risk assessment, it can be challenging to know where to start. CIS RAM (Center for Internet Security Risk Assessment Method) helps organizations conduct a risk assessment based on established legal principles for reasonableness and information security standards for analyzing risk. Put simply, CIS RAM helps you answer these questions:

  • What are my organization’s risks?
  • How acceptable are these risks?
  • How can we mitigate potential threats?

In this blog post, we’ll examine three things you’ll learn conducting a cyber risk assessment with CIS RAM.

1. Develop criteria

In order to protect your organization from threats like malware and spearphishing, you’ll need to assess the risk surface. Organizations should start by defining risk assessment criteria. CIS RAM recommends using criteria that can be understood by all parties and describe the risk to the organization as well as any outside parties who may be affected. Collaborate with business leaders and legal counsel to ensure that any risk criteria are developed in a way that can be understood by all.

Questions about CIS RAM? Email controlsinfo@cisecurity.org.

2. Evaluate acceptable risk

CIS RAM helps organizations understand which risks are acceptable. In order for a risk to be acceptable per CIS RAM, it must be both appropriate and reasonable:

  • Appropriate risk: The likelihood of an impact must be acceptable to all foreseeably affected parties.
  • Reasonable risk: The risk posed by a safeguard must be less than or equal to the risk it protects against.

By putting risks in context, organizations can identify gaps in their security processes. For example, one organization might score the likelihood of Business Email Compromise (BEC) as 6 on a scale of 10 (6/10), while the risk posed by a safeguard, in this case training employees to recognize the BEC scam, scores 2/10. Because a safeguard that carries less risk than the scam itself is available, the organization's current BEC risk would be unacceptable.

3. Model appropriate safeguards

CIS RAM helps teams examine multiple risks to an environment, including cyber risks, and determine an appropriate course of action for each. By balancing risks and safeguards, organizations are able to effectively assess risks and review solutions for each. When one security control, solution, or safeguard doesn’t work, it’s easy to model another, recalculate, and try again.
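A small Python model of the two acceptability tests from section 2 (appropriate and reasonable) and the "model another safeguard, recalculate, and try again" loop from section 3, added here as an illustration; it is not CIS RAM's own scoring method or tooling. The 1-10 scale, the per-party acceptance thresholds, the residual-likelihood figures and the candidate safeguards are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    risk: int                 # risk the safeguard itself poses, 1-10 (constructed scale)
    residual_likelihood: int  # likelihood of the impact once the safeguard is in place

@dataclass
class Risk:
    name: str
    likelihood: int           # likelihood of the impact with no safeguard in place, 1-10
    party_thresholds: dict = field(default_factory=dict)  # max likelihood each party accepts

def is_appropriate(risk, likelihood):
    """Appropriate: the likelihood must be acceptable to every foreseeably affected party."""
    return all(likelihood <= limit for limit in risk.party_thresholds.values())

def is_reasonable(risk, safeguard):
    """Reasonable: the safeguard's own risk must not exceed the risk it protects against."""
    return safeguard.risk <= risk.likelihood

def is_acceptable(risk, safeguard=None):
    """A risk is acceptable only when it is both appropriate and reasonable."""
    if safeguard is None:  # nothing in place yet: judge the raw likelihood
        return is_appropriate(risk, risk.likelihood)
    return is_reasonable(risk, safeguard) and is_appropriate(risk, safeguard.residual_likelihood)

def model_safeguards(risk, candidates):
    """Model each candidate safeguard in turn, recalculate, and report the verdict."""
    verdicts = {}
    for s in candidates:
        if not is_reasonable(risk, s):
            verdicts[s.name] = "unreasonable: safeguard riskier than the threat"
        elif not is_appropriate(risk, s.residual_likelihood):
            verdicts[s.name] = "inappropriate: residual likelihood still too high"
        else:
            verdicts[s.name] = "acceptable"
    return verdicts

# Constructed walk-through of the post's BEC figures (6/10 threat, 2/10 safeguard).
BEC = Risk("Business Email Compromise", likelihood=6, party_thresholds={"organization": 4, "customers": 3})
CANDIDATES = [
    Safeguard("employee BEC awareness training", risk=2, residual_likelihood=3),
    Safeguard("block all external email", risk=8, residual_likelihood=1),
    Safeguard("quarterly reminder memo", risk=1, residual_likelihood=5),
]
```

With these figures the unmitigated BEC risk fails the appropriateness test, the drastic safeguard fails the reasonableness test despite cutting likelihood the most, and only the training option satisfies both.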

Join the CIS RAM Community on CIS WorkBench

Taking the next step

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.