CIS RAM FAQ

What is CIS RAM?

CIS RAM is an information security risk assessment method that helps enterprises design and evaluate their implementation of the CIS Critical Security Controls® (CIS Controls®). CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Since information risks vary from one enterprise to the next, CIS RAM helps model “reasonable” uses of the CIS Controls to address the Mission, Objectives, and Obligations of each environment.

Who created CIS RAM?

CIS RAM was developed by HALOCK Security Labs in partnership with the Center for Internet Security. HALOCK had been providing CIS RAM methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now CIS RAM v2.0 in 2021. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard which CIS RAM is built upon. The DoCRA Council is made up of member organizations that require standards of practice in risk analysis and risk management, and have an interest in the methods used for analyzing risks and safeguards that reduce risk. DoCRA presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines.

What is CIS RAM Core?

The CIS RAM Core is a “bare essentials” version of the CIS RAM that provides the principles and practices of CIS RAM risk assessments, and is designed to help readers rapidly understand and implement the risk assessment method. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt its principles and practices for their environment. CIS RAM Core serves as a foundation for other documents in the CIS RAM family.

What is the CIS RAM family of documents?

CIS RAM provides three different approaches to support enterprises of three levels of capability.  For individuals who need more direction than they will find in CIS RAM Core, supplemental documents in the CIS RAM family will demonstrate methods for conducting risk assessments. One document for each Implementation Group (IG1, IG2, and IG3) will be the anchors in the CIS RAM family. Each of these documents includes material to help readers accomplish their risk assessments, and include examples, templates, exercises, background material, and further guidance on risk analysis techniques.

Who can conduct an assessment using CIS RAM?

The reader will need to use professional judgment (either their own, or that of specialized practitioners) to conduct the risk assessment. Professional judgment will help determine the scope of the assessment in order to:  define the enterprise’s Mission, Objectives, and Obligations; decide which risks will be evaluated; identify vulnerabilities and foreseeable threats; estimate their Expectancy and Impact; and recommend Risk Treatment Safeguards.

Are there other topics that are covered in the CIS RAM family of documents?

Yes. Other topics that may be useful to the community, and will be incorporated into CIS RAM, include:

  • Estimating the Expectancy and Impact of threats using both qualitative and quantitative models
  • Combining the principles and practices of CIS RAM with other risk assessment methods, such as Factor Analysis for Information Risk (FAIR) and Applied Information Economics (AIE)
  • Measuring and reporting risk to non-technical executives

Is CIS RAM a replacement for the other risk assessment standards?

No. CIS RAM conforms to and supplements established information security risk assessment standards and methods, such as ISO 27005, NIST Special Publications 800-30, and Risk Information Technology. By conforming to these standards and methods, CIS RAM ensures that the reader will conduct risk assessments in conformance to established (or authoritative) practices. By supplementing these methods, CIS RAM helps its readers evaluate risks and safeguards using the concept of “due care” and “reasonable safeguards” that the legal community and regulators use to determine whether enterprises act as a “reasonable person.” In addition, CIS RAM supports the cost-benefit analysis definitions for reasonableness used by U.S.-based regulators, litigators, and the legal community in general.

Why another risk assessment method?

While there are multiple established risk assessment standards, CIS RAM is the first to provide very specific instructions for analyzing information security risk in a way that regulators define as “reasonable,” and that judges evaluate as “due care.” CIS RAM emphasizes balance between the harm that security incidents may cause others and the burden of safeguards. This balance is the foundation of “reasonableness.”

Does the risk assessment take long to complete?

New users are able to design their risk assessment within their first day of following the CIS RAM instructions, including analysis of several risks. The amount of time the enterprise takes after that largely depends on the scope of their assessment, and the level of instructions they are following.

Isn’t a gap assessment good enough?

Since the CIS Controls are already prioritized by their criticality in preventing cyber-attacks, a CIS Controls gap assessment already has risk built in.  However, each enterprise faces its own risks, and has its own level of resources to invest in protecting against security incidents. CIS RAM helps enterprises determine whether their use of CIS Controls is sufficient against the Expectancy of Impacts in their environment, and whether proposed safeguards are more burdensome than the risk they are designed to prevent. This helps translate security concerns into business terms, and helps regulators and legal authorities determine whether safeguards are reasonable and demonstrate due care.

Aren’t risk assessments just subjective exercises?

Risk assessments have often been conducted as guess-work, using “high,” “medium,” and “low” rankings of identified gaps. CIS RAM helps enterprises associate risk scores with the potential of harm that may come to themselves and to others. Additionally, CIS RAM provides guidance on estimating foreseeability, so both Impacts and Expectancies can be communicated in simple language to technical and non-technical people.

Can I use a different risk assessment method to assess the CIS Controls?

Yes. CIS does not require CIS RAM to be the sole method for assessing information security risk. CIS does recommend reviewing the Principles and Practices listed in CIS RAM Core to be sure that information security risk assessments are meaningful to non-technical management, to regulators, and to legal authorities.

Where can I ask questions about CIS RAM?

CIS WorkBench offers a community dedicated to helping enterprises with the implementation and use of CIS RAM.  Sign up and start a discussion in the CIS RAM Community.

Is CIS RAM free?

Yes. CIS RAM is free to use for anyone looking to improve their own cybersecurity posture.

Where can I get more information?

Questions can be sent to [email protected].