
CIS RAM Puts the CIS Controls™ into Action

Risk assessments are a valuable tool for gaining insight into your organization’s security posture. They allow you to view potential security threats to the organization and set a plan of action before disaster strikes, ensuring better business continuity. Whether it’s an earthquake, a power grid failure, or a DDoS attack, preparation is key to facing threats with a strategic approach – and a risk assessment is a good first step to understanding the threats present to an organization.

CIS® recently released CIS RAM (Center for Internet Security Risk Assessment Method). CIS RAM is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls cybersecurity best practices. CIS RAM provides instructions, examples, templates, and exercises for conducting a cyber risk assessment. Each industry and organization faces a combination of unique and shared cyber threats – CIS RAM helps model a reasonable use of the CIS Controls to address the risks present in any environment.

Security designed for every level

Developed by HALOCK Security Labs in partnership with CIS, CIS RAM provides three separate security approaches to support different levels of organizational capability.

  • New to risk analysis? You can use CIS RAM’s instructions for modeling foreseeable threats against the CIS Controls as your organization applies them.
  • Experienced with cybersecurity? Follow instructions for modeling threats against information assets to determine how the CIS Controls should be configured to protect them.
  • Cyber risk expert? Use CIS RAM’s instructions for analyzing risks based on “attack paths” using CIS’ Community Attack Model.

Combine with other risk assessments

There are multiple risk assessment standards in the cybersecurity world, yet CIS RAM is the first to provide very specific instructions for analyzing information security risk in a way that regulators define as “reasonable” and judges evaluate as “due care.” CIS RAM highlights the balance between the harm a security incident might cause and the burden of safeguards – the foundation of “reasonableness.”

CIS RAM conforms to established information security risk assessment standards, such as ISO 27005, NIST SP 800-30, OCTAVE, and RISK IT. CIS RAM supplements these popular standards by providing detailed instructions and templates for quickly designing and implementing an information security risk assessment.

Getting started

CIS RAM is free to use by anyone looking to improve their own cybersecurity; new users are typically able to design their risk assessment within the first day of following the CIS RAM instructions.

Download CIS RAM