ISF FIRM methodology
Full title: FIRM: Fundamental Information Risk Management
Overview: FIRM is a research-based methodology for measuring and managing information risk across enterprises of all types and sizes. It is published in two volumes. The first describes the methodology and the reasoning behind it, and explains how to gain support for the approach and get it up and running. The second presents definitions, case studies and worked examples of FIRM forms to help get a FIRM risk management process established.
Note: On publication, the ISF management team recognized that FIRM represented a fundamental breakthrough in managing information risk (hence its name) and opined that its development "elevates the information security profession to a higher plane".
Since its publication, it has been used to conduct many thousands of evaluations, and has proven highly effective. By virtue of Citicus directors' role in its development, Citicus Limited has an exclusive perpetual license to provide FIRM automation for sale to ISF members and more widely.
Published by: Information Security Forum (ISF)
Date published: March 2000
Status: Available to ISF Members
Citicus role: A founder of Citicus developed FIRM for and in conjunction with the ISF and was the principal author of its implementation guide. Other founder directors carried out additional research and/or provided informed comment that contributed to its development.