4 Steps to Customize a Risk Framework

August 23, 2022 | By IANS Faculty

Popular frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 and the CIS Critical Security Controls give organizations a proven foundation for risk management, but no off-the-shelf framework accounts for a specific company's maturity, culture, strategic priorities and threat profile. The best results come from pairing a foundational framework with deliberate customization of those elements.

To develop and deploy an effective cybersecurity risk framework, start with a foundational framework and then customize or supplement it so that it aligns with how your organization actually operates and where it is headed.

This piece details how to customize a foundational risk framework so that it aligns closely with your organization's priorities.

Choosing a Risk Management Framework 

Developing a risk management framework for your organization is essential for equipping leadership with the information it needs to make decisions that strike a healthy balance between risk management and innovation. Most organizations start by choosing a foundational framework, such as the NIST Cybersecurity Framework, ISO/IEC 27001 or the CIS Critical Security Controls, that suits the organization both as it is today and as it plans to be in the future.

For example, technology has rapidly become a critical part of how businesses operate and deliver value to their customers. For technology-centric organizations, the NIST Cybersecurity Framework, with its outcome-based approach, is often a good starting point. ISO/IEC 27001, on the other hand, is globally recognized and commonly adopted by organizations that handle sensitive information; because certification is often demanded by customers in vendor contracts, it can be a strong foundation for data-centric organizations.

Beyond these basic criteria, however, there are additional steps you should take to ensure the framework you choose is best suited to your organization's needs.

4 Steps to Risk Framework Customization

As you begin to develop your framework, consider the foundational facts about your company that should inform both which framework is chosen and how it is used.

1. Focus on the Organization’s Mission Statement 

First, become familiar with the company's vision and mission statements. These provide insight into what the company aspires to accomplish (vision) and how it plans to get there (mission). Understanding both is critical because they drive the activities of key leaders and their teams, and they help you tune the framework so that it positions leadership to build well-constructed strategic plans.

For example, Amazon's mission statement is, "To serve consumers through online and physical stores and focus on selection, price and convenience." Given that, Amazon's leaders would benefit from a strong third-party risk management program, structured approaches to pricing and a mature privacy program, in addition to being tuned in to customer sentiment.

2. Do a SWOT Analysis 

The second step is to inventory your company's strengths, weaknesses, opportunities and threats (SWOT) to identify other core areas the framework should address.

Perform the SWOT analysis for each key business area, commonly mapped out as front office, back office, technology, compliance, finance and people functions. The results often highlight areas that deserve explicit focus in the risk framework, including fraud, customer sentiment, product development challenges and noncompliance with rapidly evolving regulations related to privacy or money movement.

3. Assess Your Security Maturity 

Next, assess your organization's level of information security maturity. Interview your CISO and the information security domain leaders, and review incident history trends over the past three years. Partner with the head of your security operations function to review the most frequently recurring incidents and their root causes; recurring incidents with the same root cause point directly at control gaps the framework must cover. Because supply chain attacks are on the rise, also speak with the leader of your third-party risk management function to determine how well vendors are actually managed.

Based on your findings, supplement the larger framework you select with best-practice guidance that targets these specific areas. For example, if you find your organization carries high third-party risk, complement your plan with NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

4. Pay Attention to Culture   

Lastly, be mindful of your company's culture. How are decisions made? How has the business's relationship with information security evolved? Assess whether your organization tends to operate in a more structured or a more flexible manner, because the framework's methodology should match that.

Cybersecurity risk management frameworks tend to be similar in what they seek to accomplish, but their methodologies vary. The NIST Cybersecurity Framework is known for its flexibility, the CIS Critical Security Controls take a much more prescriptive approach, and ISO/IEC 27001 offers a globally recognized certification and is a good option for more mature organizations.

Tips for Choosing a Risk Framework 

Be intentional about the risk framework you choose for your organization. The areas outlined above are critical in deciding the approach you'll take. Remember to: 

  • Be future-focused: Start with your company's mission and vision. 
  • Consider your current posture: Perform a SWOT analysis to determine which areas need increased focus. 
  • Reflect on culture and maturity: Both are significant contributing factors to finding the right risk framework fit. 
