Posted by Nicolas on Sep 30, 2010
On Tuesday we presented our latest research paper “Questioning the need for separate IT risk management frameworks” at the Informatik 2010 Conference in Leipzig, Germany. The paper challenges the use of IT risk management frameworks such as ISO/IEC 27005 and ISACA Risk IT, which are intended to be employed in parallel with an organisation’s enterprise risk management (ERM) activities. Instead, we suggest enhancing ERM frameworks with IT specifics and using the resulting framework for IT risk. That way, organisation-wide use of synergies is more likely, and a common understanding of risk management activities is furthered.
In our study, a mapping of ISACA Risk IT processes to COSO ERM processes showed that the Risk IT framework does not add value; it does not treat IT specifics in a way that would surpass the contents of COSO ERM. The presentation can be downloaded from http://www.grc-resource.com/resources/informatik2010_presentation.pdf.