ENISA
Sinopse: The purpose of this document is to provide a coherent overview of published standards that address aspects of risk management and subsequently describe methodologies and tools that can be used to conform with or implement these standards.
The Regulation (EU) 2019/881 (Cybersecurity Act) states that ‘ENISA shall facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products, ICT services and ICT processes’. (Article 8.5)
This analysis is intended to contribute to the achievement of this goal. It is based on a compiled, comprehensive inventory of standards in the area of cybersecurity risk management and methodologies related to standards. This publication provides guidance to EU Institutions, bodies and agencies on the availability of standards and methodologies relevant to the management of cybersecurity risk and outlines possible gaps in these domains, enabling the
relevant EU institutions, bodies and agencies to initiate activities to close these gaps in order to further implement the cybersecurity policies stemming from the legislation.
Furthermore, this publication can also be used by organisations as a library of risk management standards and methodologies for their endeavour to implement risk management within their organisation or in their developments of cybersecurity certification schemes.
Standards are developed and defined through a process of sharing knowledge and building consensus among technical experts nominated by interested parties and other stakeholders.
When it comes to developing and establishing standards, a large variety of players exist.
Naturally, there is competition between these players but they also cooperate in many instances, in particular when there is a common interest.
Standards are voluntary which means that there is no automatic legal obligation to apply them.
However, laws and regulations may refer to standards and even make compliance with them compulsory. This document aims also at providing a brief introduction to the main players when it comes to standards in the area of risk management, introducing the main characteristics of the different document types published by these players, and introducing the inventory of Risk Management Standards presented in the Annex A.
To help this targeted audience in understanding the risk management process and its associated standards, this document is structured in chapters that cover the relevant areas.
Based on the analysis provided in section 5 and making a distinction between risk management standards and risk management methodologies, we propose in section 6 a series of recommendations on the use of risk management standards for various groups of stakeholders – EU decision makers, European SDOs, and ENISA itself.
