CIS Risk Assessment Method (RAM) v2.1 for CIS Controls v8
CIS recently released the CIS Risk Assessment Method (RAM) v2.1, a risk assessment method designed to help enterprises justify investments for implementing the CIS Critical Security Controls (CIS Controls). This version supersedes CIS RAM v2.0, which was first released in October 2021. CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk once the CIS Controls have been implemented.
How is CIS RAM v2.1 Structured?
CIS RAM v2.1 is made up of a family of documents. The first, CIS RAM Core, is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help readers rapidly understand and implement CIS RAM. In addition to CIS RAM Core, one document for each Implementation Group (IG) – IG1, IG2, and IG3 (coming soon) – is available for both v8 and v7.1 of the CIS Controls. Each document includes a workbook with a corresponding guide, and features examples, templates, exercises, background material, and further guidance on risk analysis techniques. To date, CIS has released several documents in the CIS RAM v2.1 family, including: CIS RAM Core v2.1, CIS RAM v2.1 for IG1, and CIS RAM v2.1 for IG2. CIS RAM v2.1 for IG3 is currently under development.
What’s New in CIS RAM v2.1?
While minor enhancements were made throughout CIS RAM Core v2.1, CIS RAM v2.1 for IG1, and CIS RAM v2.1 for IG2, one major change was also made. As of CIS RAM v2.1, we are migrating to the term “Expectancy” (rather than “Likelihood”), which is formally defined in CIS RAM as the estimation that, if an incident were to occur, it would be due to the threat described in the analysis. “Expectancy” does not imply a probability that an incident may happen within a given time period, as “likelihood” and “probability” do. Rather, it implies that we know a security incident will occur, but we expect it to occur via a foreseeable threat. CIS RAM v2.1 automates the estimation of security incidents by comparing the commonality of reported threats to the reliability of Safeguards that would prevent them. Therefore, “expectancy” is a more appropriate term.
This change was decided during the development of CIS RAM v2.0 for IG2. Since the original CIS RAM v2.0 documents were released in October 2021 using the term “Likelihood,” we decided to upgrade all CIS RAM v2.0 documents to v2.1, rather than starting a new minor version in the middle of releasing the CIS RAM family of documents. As a result, this change will bring consistency and clarity to enterprises that wish to use any of the CIS RAM v2.1 documents to conduct a risk assessment. Additionally, for those who may have already begun a risk assessment using v2.0 for IG1 and wish to switch to v2.1, we are confident that it will be a smooth transition.
Why CIS RAM v2.1?
If your enterprise experiences a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach.
CIS RAM provides a method for evaluating risk by calculating the expectancy of an impact to customers, business objectives, and external entities (regulators, vendors, etc.). It also provides a method to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. Together these principles provide enterprises with a concise and defendable process to accept or address risk.
Risk analysis helps shape and customize controls to address the internal and external challenges that enterprises face. Too often, enterprises rely on gap assessments to determine the severity of their vulnerabilities. Gap assessments, audits, and maturity assessments imply that your gaps need to be remediated completely.
CIS RAM enables you to apply just the right amount of security — not too much, not too little — striking a balance between keeping your enterprise safe and ensuring you can conduct business as usual. Remediating all gap assessment deficiencies can lead to over-securing and over-investing, while remediating risks identified in a CIS RAM assessment can lead to applying just the right amount of security and investment. In short, CIS RAM Risk Assessments validate reasonable implementation, helping you determine what is reasonable to implement and what is not.
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
Taking the Next Step
Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.
Join the CIS RAM Community on CIS WorkBench