CIS RAM FAQ

What is CIS RAM?

CIS RAM is an information security risk assessment method that helps organizations design and evaluate their implementation of the CIS Controls™. CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments so they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Because information risks vary from one organization to the next, CIS RAM helps model “reasonable” uses of the CIS Controls to address the mission, objectives, and obligations of each environment.

Who created CIS RAM?

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK had been providing CIS RAM methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Who is CIS RAM for?

CIS RAM provides three different approaches to support organizations at three levels of capability. Organizations that are new to risk analysis can use instructions for modeling foreseeable threats against the CIS Controls as the organization generally applies them. Experienced organizations can follow instructions for modeling threats against information assets to determine how the CIS Controls should be configured to protect them. Expert organizations are provided instructions for analyzing risks based on “attack paths” (similar to “kill chains”) using CIS’ Community Attack Model.

Is CIS RAM a replacement for the other risk assessment standards?

CIS RAM conforms to established information security risk assessment standards, such as ISO 27005, NIST SP 800-30, OCTAVE, and RISK IT. These standards all use similar forms of risk modeling. CIS RAM supplements them by providing very detailed instructions and templates for quickly designing and conducting information security risk assessments. As a result, CIS RAM risk assessments support established standards and produce analysis that regulators and legal authorities expect to see.

Why another risk assessment method?

While there are multiple established risk assessment standards, CIS RAM is the first to provide very specific instructions for analyzing information security risk in a way that regulators define as “reasonable” and judges evaluate as “due care.” CIS RAM emphasizes balance between the harm that security incidents may cause others and the burden of safeguards, which is the foundation of “reasonableness.”

Does the risk assessment take long to complete?

New users are able to design their risk assessment within their first day of following the CIS RAM instructions, including analysis of several risks. The amount of time the organization takes after that largely depends on the scope of their assessment, and the level of instructions they are following.

Isn’t a gap assessment good enough?

Because the CIS Controls are already prioritized by their criticality in preventing cyber attacks, a CIS Controls gap assessment already has risk built in. However, each organization faces its own risks and has its own level of resources to invest against security incidents. CIS RAM helps organizations determine whether their use of the CIS Controls is sufficient against the likelihood of impacts in their environment, and whether proposed safeguards are more burdensome than the risk they are designed to prevent. This helps translate security concerns into business terms, and helps regulators and legal authorities determine whether safeguards are reasonable and demonstrate due care.

Aren’t risk assessments just subjective exercises?

Risk assessments have often been conducted as guesswork, using “high,” “medium,” and “low” rankings of identified gaps. CIS RAM helps organizations associate risk scores with the potential harm that may come to themselves and to others. Additionally, CIS RAM provides guidance on estimating foreseeability so that both impacts and likelihoods can be communicated in simple language to technical and non-technical people.
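The balance test described in the answers above (a risk is scored from its impact and likelihood, compared against what the organization can accept, and a safeguard is rejected if it is more burdensome than the risk it addresses) can be made concrete in a few lines. The following is an added illustration, not CIS RAM's own scoring tables or the CIS RAM Workbook: the 1 to 5 scales, the acceptable-risk threshold of 9, the control labels, and the sample register are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed scales and threshold (not taken from CIS RAM): 1..5 ordinal scores,
# and any risk score at or below 9 is treated as acceptable.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTABLE_RISK = 9


@dataclass(frozen=True)
class Risk:
    """A foreseeable threat against a CIS Control as the organization applies it."""
    name: str
    control: str        # illustrative label such as "CIS Control 7"
    impact: int         # harm to the organization and to others, 1..5
    likelihood: int     # foreseeability of the threat, 1..5


@dataclass(frozen=True)
class Safeguard:
    """A proposed safeguard, its own burden, and the risk it would leave behind."""
    name: str
    burden_impact: int      # cost or disruption the safeguard imposes, 1..5
    burden_likelihood: int  # how certain that burden is, 1..5
    residual_impact: int    # impact of the original risk once the safeguard is in place
    residual_likelihood: int


def score(impact: int, likelihood: int) -> int:
    """Risk score as impact x likelihood; rejects values outside the assumed scale."""
    for value in (impact, likelihood):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score components must be within {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return impact * likelihood


def risk_score(risk: Risk) -> int:
    return score(risk.impact, risk.likelihood)


def is_acceptable(risk_value: int, threshold: int = ACCEPTABLE_RISK) -> bool:
    return risk_value <= threshold


def evaluate_safeguard(risk: Risk, safeguard: Safeguard,
                       threshold: int = ACCEPTABLE_RISK) -> tuple[bool, str]:
    """Reasonableness test: the safeguard must bring the risk to an acceptable level
    without being more burdensome than the risk it addresses (or than the threshold)."""
    burden = score(safeguard.burden_impact, safeguard.burden_likelihood)
    residual = score(safeguard.residual_impact, safeguard.residual_likelihood)
    if not is_acceptable(residual, threshold):
        return False, f"residual risk {residual} still above acceptable level {threshold}"
    if burden > risk_score(risk):
        return False, f"burden {burden} exceeds the risk {risk_score(risk)} it addresses"
    if not is_acceptable(burden, threshold):
        return False, f"burden {burden} is itself above acceptable level {threshold}"
    return True, f"reasonable: residual {residual}, burden {burden}"


def evaluate_register(register, threshold: int = ACCEPTABLE_RISK) -> list[dict]:
    """Score every risk and test each candidate safeguard; returns plain dicts for reporting."""
    report = []
    for risk, safeguards in register:
        current = risk_score(risk)
        report.append({
            "risk": risk.name,
            "control": risk.control,
            "score": current,
            "acceptable": is_acceptable(current, threshold),
            "safeguards": {s.name: evaluate_safeguard(risk, s, threshold) for s in safeguards},
        })
    return report


# Constructed sample register for the example; not real assessment data.
CONSTRUCTED_REGISTER = [
    (
        Risk("Internet-facing application runs with known unpatched flaws", "CIS Control 7", 4, 4),
        [
            Safeguard("Monthly patch window with emergency exceptions", 2, 3, 4, 2),
            Safeguard("Take the application offline permanently", 5, 5, 1, 1),
        ],
    ),
    (
        Risk("Laptop with encrypted disk is lost", "CIS Control 3", 2, 3),
        [Safeguard("Require remote-wipe enrollment", 1, 2, 1, 3)],
    ),
]

if __name__ == "__main__":
    for entry in evaluate_register(CONSTRUCTED_REGISTER):
        print(f"{entry['risk']} [{entry['control']}]: score {entry['score']}, "
              f"acceptable={entry['acceptable']}")
        for name, (ok, reason) in entry["safeguards"].items():
            print(f"  - {name}: {'OK' if ok else 'NOT reasonable'} ({reason})")
```

In the constructed register the first risk scores 16 and is not acceptable; the patch window reduces it to 8 at a burden of 6 and passes, while taking the application offline would carry a burden of 25, more than the risk it removes, and is rejected. That second outcome is the point the FAQ makes about safeguards that are more burdensome than the risk they prevent. The scores are ordinal products only; a real assessment would define its own impact and likelihood scales and acceptance criteria.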

Why is CIS RAM so large?

CIS RAM includes three sets of detailed instructions for organizations of varying risk assessment capabilities. Each organization will select a section of the CIS RAM that applies most to them, so typical users will only read a portion of the document. And because CIS RAM provides many detailed illustrations to guide its readers step-by-step, a risk assessment can typically be designed within a day, and risk analysis can start right away. Organizations that wish to understand the basics and full lifecycle of a CIS RAM risk assessment may first read CIS RAM Express Edition. The Express Edition may provide some experienced organizations all they need to start their “duty of care”-based risk assessment.

What if my organization supplements CIS Controls with other standards?

The risk analysis methods described in CIS RAM conform to established security frameworks, such as ISO 27000, NIST Special Publications, the NIST Cybersecurity Framework, and the risk assessment requirements described in PCI DSS. Security controls that come from these and other standards can effectively be risk assessed using the CIS RAM methods. And because CIS RAM aligns with risk assessment guidance for regulations such as the HIPAA Security Rule, the Gramm-Leach-Bliley Act’s Safeguards Rule, Federal Trade Commission guidance on risk assessments, Massachusetts 201 CMR 17.00, GDPR, and 23 NYCRR Part 500, specifications from these regulations can also be included in a CIS Controls risk assessment.

Can I use a different risk assessment method to assess CIS Controls?

Yes. CIS does not require CIS RAM as the sole method for assessing information security risk. CIS does recommend reviewing the Principles and Practices listed in CIS RAM and CIS RAM Express Edition to be sure that information security risk assessments are meaningful to non-technical management, to regulators, and to legal authorities.

Why use the CIS RAM Download Link?

We have set up a sign-in process as part of the CIS RAM download in which we ask for some basic information about the downloader and offer the opportunity to sign up to be informed of developments on the CIS Controls and CIS RAM. We use the information to better understand how CIS RAM is being used and who is using it; this information is extremely helpful to us as we update CIS RAM and develop associated documents like the CIS RAM Workbook and our guides.

Is CIS RAM free?

Yes, CIS RAM is free for anyone to use to improve their own cybersecurity.

Where can I get more information?

Questions can be sent to controlsinfo@cisecurity.org.