CIS RAM v2.1 Core Document Online.22.01
CIS RAM v2.1 Core Document Online.22.01
CIS RAM v2.1 Core Document Online.22.01
Method (RAM)
Version 2.1
Core Document
January 2022
CIS gratefully acknowledges the contributions provided by HALOCK To further clarify the Creative
Security Labs and the DoCRA Council in developing CIS RAM and the CIS Commons license related to
RAM Workbook. the CIS Controls and CIS RAM
Core, you are authorized to copy
Significant contributions to Version 2.1 of CIS RAM were made by: and redistribute the content
as a framework for use by you,
Editor within your organization and
Chris Cronin, Partner, HALOCK Security Labs outside of your organization for
non-commercial purposes only,
Contributors provided that (i) appropriate credit
Aaron Piper, CIS is given to CIS, and (ii) a link to the
David Andrew, Partner, HALOCK Security Labs license is provided. Additionally,
Jim Mirochnik, Partner, HALOCK Security Labs if you remix, transform or build
Paul Otto, Attorney, Hogan Lovells US LLP upon the CIS Controls or CIS RAM
Robin Regnier, CIS Core, you may not distribute the
Terry Kurzynski, Partner, HALOCK Security Labs modified materials. Commercial
Valecia Stocchetti, CIS use of the CIS Controls or CIS
RAM Core is subject to the prior
approval of the Center for Internet
Security, Inc. (CIS).
All references to tools or other products in this document are provided for informational purposes only, and do not
represent the endorsement by CIS of any particular company, product, or technology.
Forward...................................................................................................................................................................................................................................................................... iii
Who is This Risk Assessment Method For?.............................................................................................................................................iv
What This Document Provides..........................................................................................................................................................................................v
Glossary.....................................................................................................................................................................................................................................................................vi
Style Conventions in This Document............................................................................................................................................................... viii
Acronyms and Abbreviations.............................................................................................................................................................................................. ix
The objective of the Center for Internet Security® Risk Assessment Method (CIS
RAM) is to help enterprises plan and justify their implementation of CIS Critical
Security Controls® (CIS Controls®) Versions 7.1 and 8, whether those Controls are
fully or partially operating. Few enterprises can apply all of the CIS Controls in all
environments and protect all information assets. Some Controls offer effective
security, but at the cost of necessary efficiency, collaboration, utility, productivity, or
available funds and resources.
Laws, regulations, and information security standards all consider the need to
balance security against an enterprise’s purpose and its objectives, and require
risk assessments to find and document that balance. The risk assessment method
described here provides a basis for communicating cybersecurity risk among
security professionals, business management, legal authorities, and regulators using
a common language that is meaningful to all parties.
CIS designed and prioritized the CIS Controls so that they would prevent or detect
the most common causes of cybersecurity events, as determined by a community
of information security professionals. As a result, the CIS Controls have risk
considerations at their core.
Since risks vary from one enterprise to the next, the risk analysis methods described
in this document will assist enterprises in applying sensible and practical CIS
Controls so that they reasonably and defensibly address each enterprise’s unique
risks and resources.
CIS RAM Core (this document) serves as a foundation for other documents in the
CIS RAM family of documents. CIS RAM Core is useful to individuals and enterprises
that wish to understand the principles and practices supporting the CIS RAM
family of documents. CIS RAM Core is also useful for enterprises and cybersecurity
practitioners who are experienced at assessing risk, and who are able to quickly
adopt its principles and practices for their environment.
Supplemental documents in the CIS RAM family will demonstrate methods for
conducting risk assessments. One document for each Implementation Group (IG1,
IG2, and IG3) will be the anchors in the CIS RAM family. Other topics that may be
useful to the community include:
• Estimating expectancy and impact using both qualitative and quantitative models
• Estimating impacts using qualitative and quantitative models
• Combining the principles and practices of CIS RAM with other risk assessment
methods, such as Factor Analysis of Information Risk (FAIR) and Applied
Information Economics (AIE)7
• Measuring and reporting risk to nontechnical executives
Members of the CIS RAM Community who have developed methods for extending
CIS RAM into these and other areas are welcome to participate in developing these
and similar modules.
Each of the documents in the CIS RAM family of documents have material to help
users accomplish their risk assessments, and include:
• Examples
• Templates
• Exercises
• Background material
• Further guidance on risk analysis techniques
7 https://hubbardresearch.com/about/applied-information-economics/
The CIS RAM Core is a “bare essentials” version of CIS RAM that provides the
principles and practices of CIS RAM risk assessments to help users rapidly
understand and implement the risk assessment method.
The user will need to use professional judgment (either theirs, or the judgment
of specialized practitioners) to conduct the risk assessment. Professional
judgment will help:
Appropriate A condition in which risks to information assets will not foreseeably create harm that
is greater than what the enterprise or interested parties can tolerate.
Asset Class A group of information assets that are evaluated as one set based on their similarity.
Devices, applications, data, users, and network devices are examples, all of which fall
under the category of enterprise assets.
Burden The negative impact that a Safeguard may pose to the enterprise, or to others.
Business Owners Personnel who own business processes, goods, or services that information
technologies support (customer service managers, product managers, sales
management, etc.).
CIS Critical Security A prioritized set of actions to protect information assets from threats, using technical
Controls (CIS Controls) or procedural CIS Safeguards.
CIS Safeguard Technical or procedural protections that prevent or detect threats against
information assets. CIS Safeguards are implementations of the CIS Controls.
Constituents Individuals or enterprises that may benefit from effective security over information
assets, or may be harmed if security fails.
Due Care The amount of care that a reasonable person would take to prevent foreseeable
harm to others.
Duty of Care The responsibility to ensure that no harm comes to others while conducting activities,
offering goods or services, or performing any acts that could foreseeably harm others.
Expectancy The estimation that if an incident were to occur that it would be due to the threat
described in the analysis.
Expectancy Score The score — usually ranked from ‘1’ to ‘3’ or ‘1’ to ‘5’ — associated with the expectancy.
Impact The harm that may be suffered when a threat compromises an information asset.
Impact Criteria The rules used to define impacts.
Impact Score The magnitude of impact that can be suffered. This is stated in plain language and
is associated with numeric scales, usually from ‘1’ to ‘3’ or ‘1’ to ‘5’. For example, CIS
RAM for IG1 uses Impact Scores ranging from ‘1’ to ‘3,’ whereas CIS RAM for IG2 and
IG3 use Impact Scores ranging from ‘1’ to ‘5.’
Impact Type A category of impact that estimates the amount of harm that may come to a party or
a purpose. CIS RAM describes three impact types: Mission, Objectives (Operational
or Financial), and Obligations.
Information Asset Information or the systems, processes, people, and facilities that facilitate
information handling.
Inherent Risk The impact that would occur when a threat compromises an unprotected asset.
Maturity Score A score to designate the reliability of a Safeguard’s effectiveness against threats,
ranked from ‘1’ to ‘5’.
Observed Risk The current risk as it appears to the risk assessor.
Probability The product of quantitative analysis that estimates the expectancy of an event as a
percentage within a given time period.
This document uses textual formatting to indicate the context of certain words and phrases. The following table
documents these intentional uses.
CIS RAM Core uses the Duty of Care Risk Analysis Standard8 (DoCRA) as its foundation. DoCRA presents risk
evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create
a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk
assessors in developing this universal translator for their enterprise. The three principles state the characteristics
of risk assessments that align to regulatory and legal expectations. The 10 practices describe features of risk
assessments that make the three principles achievable. DoCRA describes the principles and practices as follows9:
Principles
1 Risk analysis must consider the interests of all parties that may be harmed
by the risk.
2 Risks must be reduced to a level that would not require a remedy to any party.
3 Safeguards must not be more burdensome than the risks they protect against.
Practices
2 Tolerance thresholds are stated in plain language and are applied to each factor in
a risk analysis.
3 Impact and expectancy scores have a qualitative component that concisely states
the concerns of interested parties, authorities, and the assessing organization.
4 Impact and expectancy scores are derived by a quantitative calculation that
permits comparability among all evaluated risks, safeguards, and against risk
acceptance criteria.
5 Impact definitions ensure that the magnitude of harm to one party is equated with
the magnitude of harm to others.
6 Impact definitions should have an explicit boundary between those magnitudes
that would be acceptable to all parties and those that would not be.
7 Impact definitions address; the organization’s mission or utility to explain why the
organization and others engage risk, the organization’s self-interested objectives,
and the organization’s obligations to protect others from harm.
8 Risk analysis relies on a standard of care to analyze current controls and
recommended safeguards.
9 Risk is analyzed by subject matter experts who use evidence to evaluate risks
and safeguards.
10 Risk assessments cannot evaluate all foreseeable risks. Therefore, risk
assessments re-occur to identify and address more risks over time.
CIS RAM for IG1, IG2, and IG3 will all include these activities, but will vary from one
another in how risks are modeled:
• CIS RAM for IG1 will model risks using the CIS Controls as the basis for each
risk analysis. IG1 enterprises will not have expert resources to help them model
risks, so the Control-based risk analysis will help enterprises model risks by
first asking, “We should use all of these recommended Safeguards, but how
much and why?”
• CIS RAM for IG2 will model risks using assets or asset classes as the basis
for each analysis. IG2 enterprises will have capable technical experts on-hand
who will be guided to consider how to protect each asset or asset class against
foreseeable threats. The asset-based risk analysis will help enterprises model
risks by first asking, “We should protect all of these assets, but with which
Safeguards and why?”
• CIS RAM for IG3 will model risks using foreseeable threats as the basis for
each analysis. IG3 enterprises will have cybersecurity experts available to them
who will be guided to consider how foreseeable threats would operate in their
enterprise. The threat-based analysis will help enterprises model risks by first
asking, “We should prepare for these threats, but using which Safeguards on
which assets and why?”
CIS RAM Core evaluates risk using “Risk = Impact x Expectancy.” This calculation
will evaluate both currently observed risks and recommended CIS Safeguards
so that risk assessors can compare them and determine whether recommended
Safeguards are “reasonable.”
Risk assessors will define their Risk Assessment Criteria by creating definitions for
“Impact” and “Expectancy.” Users should refer to the workbooks that are provided
with each CIS RAM module (for IG1, IG2, and IG3) for criteria examples.
Impacts will consider the enterprise’s Mission (the benefit that interested parties
gain from the enterprise), their Operational Objectives (the enterprise’s goals), and
their Obligations (to protect others from harm). Impact Scores will state levels of
magnitude (‘1’ through ‘5’) to help risk assessors consistently estimate the impact
that may occur from a threat. Impacts are defined in the model provided below.
Table 1. Impact Criteria definition Magnitudes ‘1’ and ‘2’ are shaded to reference acceptably low magnitudes.
guidelines
Readers will notice variations in how CIS RAM for IG1, IG2, and IG3 use impact
criteria. For example, each IG version will provide the option for defining and
using “Financial Objectives.” This will help enterprises compare budget requests
to threshold limits for each magnitude and to ensure that they are comfortable
spending some amount of money against the impact they are trying to avoid.
Additionally, CIS RAM for IG1 uses only three levels of magnitude to simplify the
analysis for IG1 enterprises, whereas CIS RAM for IG2 and IG3 use all five levels
of magnitude.
When enterprises use qualitative impact estimates, they may use Impact Threshold
values as Impact Scores (e.g., if an Impact Threshold of ‘3’ describes the estimated
impact of a risk, then the score ‘3’ may be used in the risk analysis).
If enterprises use quantitative impact estimates, they may apply Impact Thresholds
as bands across ranges of impacts that would be acceptable, unacceptable, high,
and catastrophic. This allows enterprises to compare impacts to each other, even
if they use dissimilar metrics (whether qualitative estimates using Impact Scores
for each Impact Threshold, or a variety of quantitative units, such as dollars, time,
percentages of harm, or population counts). Shown below in Figure 1 is an example
of how this could be applied.
Error
Facility
Malware
Media
PoS
Ransomware
Social Engineering
System
Third Party
Web
Enterprises that use percentages of probability may use a similar model, but
will want to express foreseeability in terms of probabilistic ranges, as shown
below in Table 3.
As of CIS RAM Core v2.1, CIS RAM is migrating to the term “Expectancy” rather than
“Likelihood.” “Expectancy” does not imply probability that an incident may happen
within a given time period, as “likelihood” and “probability” do. Rather, it implies that
we know a security incident will occur, but we expect it to occur via a foreseeable
threat. CIS RAM 2.1 automates the estimation of security incidents by comparing the
commonality of reported threats to the reliability of Safeguards that would prevent
them. Therefore, “expectancy” is a more appropriate term.
After using common language terms to describe a variety of Impact Types and
Expectancies, enterprises will have the basis for Risk Acceptance. By selecting
the minimal Expectancy and Impact that they would want to prevent, they would
conversely define risk levels that they would accept. For example, an enterprise that
would invest against risks that are “Expected, but not common” (Expectancy is ‘3’)
and that would cause an unacceptably high Impact (Impact is ‘3’ or above), their
Acceptable Risk Criteria could be stated like this:
3 × 3 = 9
…therefore…
Acceptable Risk < 9
The same enterprise could also express that same Risk Acceptance quantitatively
like this (where their acceptable Impact Thresholds are: “12.2% of value loss” for
their Mission, “$10,000” for their Operational Objectives, and “99 people” for their
Obligations):
With clearly defined criteria for analyzing and accepting risk, risk assessors may
estimate risks using consistent scoring and plain-language statements that are easy
to communicate, and simple to calculate and compare.
While enterprises may choose their Risk Acceptance Criteria in versions IG2 and IG3,
IG1 provides default Risk Acceptance Criteria of ‘below 6’ out of ‘9.’
Risks are modeled by associating information assets with the CIS Safeguards that
protect them, the vulnerabilities that may be present, and the threats that may
compromise the information assets. While other CIS RAM documents describe
different ways to model risks, CIS RAM Core describes the component steps in
analyzing risks, regardless of the sequence of those steps.
At this point, the risk assessor has formed a story about the security of its
information assets that should be protected by CIS Controls. Some Controls
indicate vulnerabilities that may allow foreseeable threats to compromise the assets.
However, the enterprise still needs to know the acceptability and relative importance
of the risks. The risk assessor is now ready to estimate the Expectancy and Impact of
those risks.
Since the risk assessor has Impact and Expectancy Criteria already defined, they can
select Expectancy and Impact Values based on the descriptions in the definitions.
Estimating Expectancy and Impact can be challenging for many risk assessors.
While laws and regulations do not require “accurate” risk forecasting, enterprises are
best served by sound estimations. Guidance for estimating Expectancy and Impact
Table 7. Risk Analysis guidelines is provided in additional documentation in the CIS RAM family of documents.
CIS Safeguard # The unique CIS Safeguard identifier, as published in the CIS Controls.
CIS Safeguard Title The title of the CIS Safeguard, as published in the CIS Controls.
Implementation Group (IG) The Implementation Group (IG1, IG2, IG3), as published in the CIS Controls.
Asset Class The asset class, as published in the CIS Controls.
Asset Name An optional field used to input the name of an individual asset to distinguish its risks
from other Asset Class risks.
Our Implementation A brief description of how the Safeguard is already implemented and operated in the
enterprise.
Evidence of Proof to show how the Safeguard is already implemented and operated in the
Implementation enterprise.
Vulnerabilities An optional field used to record vulnerabilities with a specific asset.
Safeguard Maturity A score of ‘1’ through ‘5’ designating the reliability of a Safeguard’s effectiveness
Score against threats.
VCDB Index An automatically calculated value to represent how common the related threat is as
a cause for reported cybersecurity incidents.
Expectancy Score An automatically calculated value to represent how commonly the related threat
would be the cause of a cybersecurity incident, given your current Safeguard.
Impact to Mission The magnitude of harm that a successful threat would cause to your Mission.
Impact to Operational The magnitude of harm that a successful threat would cause to your Operational
Objectives Objectives.
Impact to Financial The magnitude of harm that a successful threat would cause to your Financial
Objectives Objectives.
Impact to Obligations The magnitude of harm that a successful threat would cause to your Obligations.
Risk Score The product of the Expectancy and the highest of the three (or four, if using Impact
to Financial Objectives) Impacts.
Risk Level An evaluation of the risk as negligible, acceptable, unacceptable, high, or
catastrophic.
Each enterprise and environment will need to make choices about which CIS
Safeguard they will use to address a risk, but will also need to evaluate their
recommended CIS Safeguards to determine whether they would effectively reduce
risks while not creating new, unacceptable risks. That step is taken care of by
evaluating the recommendations using the same Risk Assessment Criteria that were
used to evaluate the risk.
Risk assessors must be careful to not assume that new Safeguards will necessarily
reduce all risks. While improved Controls or new Safeguards may reduce risks in
one area (traditionally thought of as “residual risk”), they also potentially create risks
in other areas. This is why CIS RAM uses the phrase “Safeguard Risk” instead of
“Residual Risk.”
Common examples of Safeguards that increase risks are: new security controls that
slow productivity, encouraging personnel to find unsafe workarounds, stringent
access controls for information that is needed in critical situations (such as clinical
care, emergency response, or monitoring volatile systems and processes), data
protections that impede collaboration and research, encryption that prevents
monitoring, or controls that are excessively expensive.
These can all be considered “Safeguard Risks” that may harm an enterprise’s
Mission, Objectives, and Obligations. All of the CIS Controls that the enterprise
would use to address the risks are good controls. However, security practitioners
should implement the Controls so that they meet the objective for reducing risks
while not posing new risks.
Risk Treatment Option A statement about whether the enterprise will accept or reduce the risk.
Risk Treatment Safeguard The unique CIS Safeguard identifier, as published in the CIS Controls.
Risk Treatment The title of the CIS Safeguard, as published in the CIS Controls.
Safeguard Title
Risk Treatment The description of the CIS Safeguard, as published in the CIS Controls.
Safeguard Description
Our Planned A brief description of how the Safeguard will be implemented and operated in
Implementation the enterprise.
Risk Treatment Safeguard A score of ‘1’ through ‘5’ designating the planned reliability of a Safeguard’s
Maturity Score effectiveness against threats.
Risk Treatment Safeguard An automatically calculated value to represent how commonly the related threat
Expectancy Score would be the cause of a cybersecurity incident, given the planned Safeguard.
Risk Treatment Safeguard The magnitude of harm that a successful threat would cause to your Mission.
Impact to Mission
Risk Treatment The magnitude of harm that a successful threat would cause to your
Safeguard Impact to Operational Objectives.
Operational Objectives
Risk Treatment Safeguard The magnitude of harm that a successful threat would cause to your Financial
Impact to Financial Objectives.
Objectives
Risk Treatment Safeguard The magnitude of harm that a successful threat would cause to your Obligations.
Impact to Obligations
Risk Treatment The product of the Expectancy and the highest of the three Impacts, given the
Safeguard Risk Score planned Safeguard.
Reasonable and A determination of whether the planned Safeguard is reasonable and acceptable.
Acceptable
Risk Treatment An estimate of how much the Safeguard is expected to cost.
Safeguard Cost
Implementation Quarter When the Safeguard is planned for completion of implementation (which quarter).
Implementation Year When the Safeguard is planned for completion of implementation (which year).
1 As stated in Principle 2, “Risks must be reduced to a level that would not require
a remedy to any party.” Risk assessors automatically adhere to this principle by
acknowledging “Safeguard Risk Acceptability.”
2 Also recall Principle 3, “Safeguards must not be more burdensome than the risks
they protect against.” Risk assessors can determine whether a recommended
safeguard is overly burdensome by seeing if the Safeguard Risk is higher than the
original risk.
1 Enterprises that choose to reduce an acceptable risk should know whether the
Safeguard Risk is higher than the original risk, even if they are both acceptably
low. Why try to remedy an acceptable condition by making another condition
that is worse?
CIS RAM provides a model of cybersecurity risk analysis that helps enterprises
combine the interests of business, legal and regulatory authorities, and information
security practitioners. This model provides a basis for consensus by providing equal
attention and care to the interests of all parties that may be impacted by risk.
Enterprises that use CIS RAM can then develop a plan as well as expectations
for securing an environment reasonably, even if the CIS Safeguards are not
comprehensively implemented for all information assets.
The full CIS RAM family of documents provides many examples, exercises, and
background materials to help become familiar with the reasoning and processes
behind the method. As CIS RAM users become practitioners, they will be asked
to explain why CIS RAM is an appropriate risk assessment method. CIS RAM
practitioners should be able to address the business, legal, and regulatory principles
that support the method so they can assure interested parties that their interests are
being fairly addressed.
The Center for Internet Security, Inc. (CIS) makes the connected world a safer
place for people, businesses, and governments through our core competencies of
collaboration and innovation. We are a community-driven nonprofit, responsible
for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized
best practices for securing IT systems and data. We lead a global community of IT
professionals to continuously refine these standards to proactively safeguard against
emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable
computing environments in the cloud. CIS is home to the Multi-State Information
Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat
prevention, protection, response, and recovery for U.S. State, Local, Tribal, and
Territorial (SLTT) government entities, and the Elections Infrastructure Information
Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity
needs of U.S. election offices. To learn more, visit CISecurity.org or follow us on
Twitter: @CISecurity.
DoCRA Council
The DoCRA Council maintains and educates risk practitioners on the use of the
Duty of Care Risk Analysis (DoCRA) Standard that CIS RAM is based on. While
DoCRA is applicable to evaluation of information security risk, it is designed to be
generally applicable to other areas of business that must manage risk and regulatory
compliance. (www.docra.org)
Well known for their IT assurance standards and certifications, ISACA provides an
information security risk management framework known as Risk IT. Risk IT bases
its risk analysis method on ISO 31000, and adds risk governance and response to
the analysis to provide a lifecycle of IT risk management. (https://www.isaca.org/
resources/it-risk)
Binary Risk Analysis is published as version 1.0. The analysis method is presented
as a worksheet and an application at the hosting website. The BRA provides
risk analysts with a concise and consistent process for evaluating information
security risks by breaking down the components of a threat scenario, including
the capabilities to defend against variably robust and common threats. (http://
binary.protect.io)
FAIR Institute
The FAIR Institute maintains and educates risk analysts on the use of Factor Analysis
of Information Risk. The FAIR method is similar to BRA in that it provides a consistent
method for evaluating information risk based on characteristics of the components of
information risks. (https://www.fairinstitute.org/)
All references to tools or other products in this document are provided for informational purposes only, and do not
represent the endorsement by CIS of any particular company, product, or technology.
CIS
cisecurity.org
[email protected]
518-266-3460
Center for Internet Security
@CISecurity
TheCISecurity
cisecurity