CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop

Previously Presented on Tuesday, February 8, 2022 | 2:00 p.m. EST

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM, a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators.

Download the CIS RAM v2.1 Brochure

CIS RAM v2.1 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups (IGs): IG1, IG2, and IG3. The second of many documents in the CIS RAM v2.1 family, CIS RAM v2.1 for IG2, is now available for download and will help enterprises in IG2 to build and improve upon their cybersecurity program. IG2 assists enterprises managing IT infrastructure of multiple departments with differing risk profiles, aiming to help them cope with increased operational complexity.

Through an ongoing partnership, CIS RAM v2.1 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.

Join the CIS RAM Community on CIS WorkBench.

Download CIS RAM v2.1

What Attendees Learned

  • An overview of how to conduct a risk assessment using CIS RAM 2.1 for IG2.
  • A step-by-step tutorial of the activities an IG2 enterprise will take to conduct a risk assessment using CIS RAM 2.1, including:
    • How to complete the Impact Criteria Survey
    • Defining Impact Areas (Mission, Operational Objectives, Financial Objectives, Obligations)
    • Defining Impact Magnitudes (Negligible, Acceptable, Unacceptable, High, Catastrophic)
    • How to complete the Enterprise Parameters
    • Defining criteria for Impact, Expectancy, Risk Acceptance, and Inherent Risk
    • How to complete a Risk Register
    • Identifying and evaluating risks using the CIS Controls
    • Understanding Risk Treatment to reduce risks to an acceptable level
    • How you can apply both a quantitative and qualitative approach to a CIS RAM risk assessment




Valecia Stocchetti is a Sr. Cybersecurity Engineer for the CIS Controls at the Center for Internet Security. Valecia comes to CIS from the eCommerce field, where she worked complex financial fraud cases. She is a graduate of the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Valecia worked in the MS/EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements for the MS/EI-ISAC SLTT community. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Valecia holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). While she enjoys all things InfoSec, she particularly finds the Cybercrime and Espionage fields fascinating, which is what led her to this career in the first place.


Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council. He is the principal author of the DoCRA Standard and CIS RAM, Center for Internet Security’s Risk Assessment Method. Chris’ clients include Fortune 100 companies, large and mid-sized organizations, start-ups, litigators, and regulators. Since 2010, Chris has helped his clients manage their information security risks to an evidence-based, reasonable level. Chris’ work as an expert witness has helped his clients, regulators, and litigators evaluate the reasonableness of security controls and programs during regulatory oversight or post-breach legal action. Chris is a frequent speaker and cybersecurity writer. He collaborates with peers in industry collaboratives and think tanks, including Sedona Conference, to help bring equity and due care to cybersecurity and risk management.