Risk Management Frameworks

Choosing the right yardstick.

1. NIST Cybersecurity Framework (CSF)

The gold standard for most US orgs.

  • 5 Functions:
    1. Identify: Asset Management, Risk Assessment.
    2. Protect: Access Control, Awareness Training.
    3. Detect: Anomalies, Monitoring.
    4. Respond: Mitigation, Analysis.
    5. Recover: Recovery Planning.
  • Use Case: "We need a common language to talk to the Board."

2. ISO 27001

International standard for Information Security Management Systems (ISMS).

  • Focus: Heavy on documentation and PDCA (Plan-Do-Check-Act).
  • Use Case: "We need to prove to European clients we are secure."

3. SOC 2 (Type II)

An independent audit report attesting that a service provider manages customer data securely; a Type II report examines whether controls operated effectively over a review period, not just whether they were designed correctly at a single point in time.

  • Trust Principles: Security, Availability, Processing Integrity, Confidentiality, Privacy.
  • Use Case: "We are a SaaS company and enterprise customers won't buy without a SOC 2 report."

4. Risk Treatment

Once you find a risk (e.g., "Server is unpatched"), you have 4 choices:

  1. Mitigate: Patch it.
  2. Transfer: Buy Cyber Insurance.
  3. Avoid: Turn off the server.
  4. Accept: Sign a waiver saying "We know it might get hacked, but we need it."