The European Union Agency for Cybersecurity (ENISA) published its Risk Management Standards report on March 16, 2022.
The report's primary objective was to produce an organized overview of all published standards that address aspects of risk management. Subsequently, ENISA aimed to describe the various methodologies organizations can use to implement the risk management frameworks it covers.
This article will summarize all critical sections of the ENISA risk management report, introduce terms and definitions vital to understanding risk management practices, and provide more information on how UpGuard can help organizations establish and maintain robust risk management programs.
What is ENISA?
The European Union (EU) established ENISA in 2004 to elevate cybersecurity awareness and cyber hygiene across Europe. The EU significantly strengthened ENISA’s jurisdiction and role by enacting the EU Cybersecurity Act.
Under the EU Cybersecurity Act, ENISA is tasked with supporting the development and adoption of European standards for cybersecurity, risk management, IT security, and the security of ICT products, services, and processes, and with preparing candidate European cybersecurity certification schemes. The EU also entrusted the agency with educating European organizations on the importance of cybersecurity best practices and on how to build those standards into their cybersecurity programs.
ENISA's publication, Risk Management Standards, serves both of these goals: the report compiles an inventory of risk management standards and methodologies in order to educate and guide EU institutions and organizations.
Organizations can view additional risk management reports ENISA has published at www.enisa.europa.eu
What is Risk Management?
Cybersecurity risk management is the ongoing process of identifying, assessing, and responding to cyber risks.
To manage risks across their attack surface, organizations must identify risks as they emerge, assess the likelihood and impact of each one accurately, and decide deliberately how each risk will be treated.
Organizations often divide risk management into localized processes concerned with precise subsets of overall cybersecurity risk. For example, third-party risk management (TPRM) and vendor risk management (VRM) are two forms of risk management that include strategies to protect organizations from the inherent risks of third-party service providers, vendors, and other partnerships within an organization’s supply chain.
Information security risk management (ISRM) is another form of risk management that provides risk assessment and risk treatment strategies for risks to the confidentiality, integrity, and availability of an organization's information technology and data assets.
While ENISA’s report touches upon TPRM, VRM, ISRM, and other localized forms of risk management, it does so by analyzing the standards and practices of overall cybersecurity risk management.
Recommended Reading: What is Cybersecurity Risk Management? Preventing Cyber Attacks
Standards Vs. Methodologies
Occasionally, in conversations regarding risk management, the difference between “standards” and “methodologies” can become blurred. To avoid confusion, ENISA’s report discloses definitions for each term:
- Standards are documents that are generally established by the consensus of leading professionals at recognized standardization organizations (ISO, IEC, CEN, ETSI, DIN).
- Methodologies are sets of principles and practices, grounded in recognized good practice, that organizations follow to carry out cybersecurity activities or to comply with security requirements.
The two terms overlap frequently, as methodologies are sometimes published as standards, and governing bodies sometimes include recommended methodologies alongside their standardized certification schemes.
ENISA’s Risk Management Standards
ENISA organized its risk management report into six sections (including an introduction, terms and definitions, and a recommendation section). Together, these sections introduce and discuss the following critical risk management topics:
- Establishing a risk management process,
- Phases of effective risk management,
- Practical use of risk management strategies,
- Relevant risk management frameworks, and
- Recommendations for risk management implementation
Establishing a Risk Management Process
ENISA’s report states that developing and establishing a risk management process should be a fundamental part of any organization’s cybersecurity program.
More specifically, the report expresses that the most effective risk management processes will address a variety of risks, including:
- Enterprise risk,
- Market risk,
- Credit risk,
- Operational risk,
- Project risk,
- Development risk,
- Supply chain risk, and
- Infrastructure risk
The report also suggests that all organizations assess risks against the three main principles of information security: confidentiality, integrity, and availability. For example, to evaluate the impact of a supply chain risk thoroughly, an organization should ask how the risk would affect data protection, business continuity, relevant deliverables, and brand reputation.
Phases of Effective Risk Management
In the report, ENISA concludes that all risk management processes should possess three phases: risk identification, risk assessment, and risk treatment. ENISA’s report also urges organizations to establish stakeholder consultation, risk monitoring, and reporting protocols that can help the organization gather information and explore solutions throughout each phase of the risk management process.
During the risk identification phase of the risk management process, organizations should develop protocols to determine an individual risk's scope, context, and criteria.
The scope of a risk covers which stakeholders and which infrastructure would be affected. The context of a risk covers which elements would be exposed or corrupted (personal data, sensitive data, supply chain activities, etc.). The risk criteria cover the risk type, the scales used to evaluate it, and the thresholds at which the organization will accept or must treat it.
Developing effective procedures to identify the scope, context, and criteria of cyber risks is essential because this information directly determines how severely an organization evaluates, and how urgently it treats, an individual risk.
The best way for an organization to improve its risk identification strategy is to increase visibility across its internal and external attack surfaces.
The next phase of risk management is risk assessment. During the risk assessment phase, organizations should have risk assessment methods in place to identify the source of a risk, its likelihood, its impact, and the consequences of that impact. These activities are collectively referred to as risk analysis.
Organizations can strengthen their risk analysis process by eliminating manual, error-prone assessment methods and utilizing flexible risk assessments and industry-recognized security questionnaires.
The final phase of risk management is risk treatment. Organizations should use risk scope, context, and criteria information during this phase to select an adequate risk treatment option.
Organizations with effective decision-making will consider all of the following risk treatment options:
- Risk avoidance: not starting, or ending, the activity that exposes the organization to the risk
- Risk acceptance: retaining the risk by informed decision, or knowingly taking on (or increasing) a risk in order to pursue an opportunity
- Risk mitigation: reducing the likelihood of the risk, its impact, or both, through additional security controls
- Risk sharing: transferring part of the risk to another party through contracts, insurance, etc.
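To make the three phases concrete, here is an added illustration (not code from the ENISA report or from UpGuard) of a small risk register in Python. It carries a few constructed risks through identification (scope, context, criteria), assessment (likelihood and per-property impact) and treatment selection. The 1-5 scales, the multiplicative score, and the acceptance and avoidance thresholds are assumptions chosen for the example; an organization's own risk criteria take their place.

```python
"""Minimal risk register walking risks through identification, assessment
and treatment. Added example; the scales and thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

CIA = ("confidentiality", "integrity", "availability")


class Treatment(Enum):
    AVOID = "avoid"        # stop, or do not start, the exposing activity
    ACCEPT = "accept"      # retain the risk by informed decision
    MITIGATE = "mitigate"  # reduce likelihood and/or impact with controls
    SHARE = "share"        # transfer part of it via contract or insurance


@dataclass(frozen=True)
class RiskCriteria:
    """Criteria fixed in the identification phase (assumed values).
    Score = likelihood x worst CIA impact on 1-5 scales, so 1..25."""
    accept_below: int = 6        # below this the risk is retained as-is
    avoid_at_or_above: int = 20  # at or above this the activity is stopped


@dataclass
class Risk:
    name: str
    source: str              # where the risk originates
    scope: list[str]         # stakeholders and infrastructure affected
    context: list[str]       # elements exposed: personal data, supply chain, ...
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: dict[str, int]   # per CIA property, 1 (negligible) .. 5 (severe)
    shareable: bool = False  # an insurer or vendor contract can bear part of it

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scales or missing a CIA property.
        missing = set(CIA) - self.impact.keys()
        if missing:
            raise ValueError(f"{self.name}: impact not rated for {sorted(missing)}")
        values = [self.likelihood, *self.impact.values()]
        if any(not 1 <= v <= 5 for v in values):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    def score(self) -> int:
        """Assessment: likelihood times the worst-case CIA impact."""
        return self.likelihood * max(self.impact.values())

    def worst_property(self) -> str:
        return max(self.impact, key=self.impact.__getitem__)


def select_treatment(risk: Risk, criteria: RiskCriteria) -> Treatment:
    """Treatment: apply the risk criteria to the assessed score."""
    s = risk.score()
    if s < criteria.accept_below:
        return Treatment.ACCEPT
    if s >= criteria.avoid_at_or_above:
        return Treatment.AVOID
    return Treatment.SHARE if risk.shareable else Treatment.MITIGATE


def build_register(risks: list[Risk], criteria: RiskCriteria) -> list[tuple]:
    """Rows of (name, score, worst property, treatment), highest score first."""
    rows = [(r.name, r.score(), r.worst_property(), select_treatment(r, criteria).value)
            for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample risks for the example (not taken from the ENISA report).
SAMPLE_RISKS = [
    Risk("Card numbers written to application logs", "development",
         ["payments team", "log pipeline"], ["cardholder data"],
         likelihood=4, impact={"confidentiality": 5, "integrity": 2, "availability": 1}),
    Risk("Managed service provider runs an unpatched VPN appliance", "supply chain",
         ["MSP", "internal network"], ["sensitive data", "supply chain activities"],
         likelihood=3, impact={"confidentiality": 5, "integrity": 3, "availability": 3}),
    Risk("Customer portal hosted in a single cloud region", "infrastructure",
         ["customers", "portal"], ["business continuity"],
         likelihood=2, impact={"confidentiality": 1, "integrity": 1, "availability": 4},
         shareable=True),
    Risk("Public product brochure served from marketing site", "operational",
         ["marketing"], ["public information"],
         likelihood=2, impact={"confidentiality": 1, "integrity": 2, "availability": 2}),
]

if __name__ == "__main__":
    for name, score, prop, treatment in build_register(SAMPLE_RISKS, RiskCriteria()):
        print(f"{score:>2} {treatment:<8} {prop:<15} {name}")
```

The thresholds in RiskCriteria are the organization's risk acceptance criteria; changing them (or the scales) changes which treatment each row receives, which is exactly why the report insists the criteria be settled during identification rather than improvised at treatment time.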
How Can UpGuard Help?
The most robust risk treatment programs utilize mitigation and remediation workflows to minimize a risk's impact on the organization. UpGuard Vendor Risk includes comprehensive vendor risk assessments and intuitive risk management workflows that allow organizations to continually identify, assess, and remediate supply chain risks throughout the vendor lifecycle.
UpGuard Vendor Risk also offers organizations access to automated security questionnaires, objective security ratings, and other critical tools to help elevate their entire risk management process and overall cybersecurity standards.
Practical Use of Risk Management Strategies
In this section of the report, ENISA presents five workshops that organizations can complete to exercise their risk management strategies before they face real incidents.
These five workshops include:
- Workshop 1: Scope and security baseline
- Workshop 2: Risk origins
- Workshop 3: Strategic scenarios
- Workshop 4: Operational scenarios
- Workshop 5: Risk Mitigation
The first workshop asks the organization to define the scope of the exercise and its security baseline (the security measures already in place), identify its missions and the business values that support them, and list the events it fears.
The second workshop covers risk origins: the organization maps the kinds of attacker or event that could target it and the objectives each would pursue, so that it knows which risk origins to watch as it develops its risk management process. The third workshop builds strategic scenarios that pair those risk origins with the partners, suppliers, and other stakeholders an attack could travel through to reach the organization's business values.
The fourth workshop mirrors the third at the operational level. It focuses on the supporting assets and interfaces that would be affected if a threat followed a particular attack path, and it examines the dependencies between systems so that the organization can plan for a specific technology failing during an attack.
The fifth and final workshop consolidates the results of the previous four. The organization analyses them, groups related risks and vulnerabilities, and derives additional security measures from each grouping as needed, adding them to its baseline to improve its overall security posture.
How Can UpGuard Help?
Using UpGuard’s powerful cybersecurity toolkit, organizations can complete all the risk management workshops ENISA recommends and further elevate their risk management process by improving their overall security posture, risk resilience, vendor due diligence processes, and more.
Relevant Risk Management Frameworks
This section of the ENISA report identifies relevant risk management frameworks that provide critical cybersecurity guidelines and certification standards. For each framework it mentions in the report, ENISA also includes the specific type of cybersecurity principles it fosters.
- ISO/IEC 27005: Information security risk management
- ISO 31000: Risk management guidelines
- BS 7799-3 (British Standards Institution): Guidelines for information security risk management
- NIST SP 800-39: Managing information security risk
- BSI Standard 200-3 (German Federal Office for Information Security): Risk analysis based on IT-Grundschutz
After identifying the frameworks above, the report proceeds to compare and contrast each based on the following perspectives:
- Concepts, terms, and definitions
- Risk criteria
- Areas of application
- Level of application
- European vs. international technical specifications
- EU legislation vs. standards
Overall, during its comparison, ENISA concludes that any organization in the business sector can apply each framework it has identified, as each incorporates similar terms and definitions, addresses the importance of determining risk criteria, and provides strategies for effective risk management.
ENISA does clarify that some businesses (especially those working across industries) will find some frameworks more relevant and helpful than others. For example, the ISO/IEC publications provide more detail pertinent to ICT security, whereas BSI Standard 200-3 will be more appropriate to businesses working in German markets, where IT-Grundschutz is widely used.
On a similar note, ENISA points out that none of the five frameworks it identified was published by an EU body, so none of them has a legal basis in the European Union on its own. The report does, however, recognize ISO 31000 as the most relevant framework internationally.
Recommendations For Risk Management Implementation
The final section of ENISA's report proposes recommendations for various stakeholders, including policymakers in EU member states, the European standards developing organizations (SDOs), and ENISA itself. The most critical of the 16 recommendations are summarized below:
- Cybersecurity education should be included in all educational stages (early childhood, lifelong learning, and professional life)
- When necessary, EU policymakers should make specific risk management/risk assessment methodologies mandatory in particular business sectors
- European standards organizations should adopt ISO 31000 and ISO/IEC 27005 as European norms
- Efforts should be taken to address gaps in ICT security
- ENISA should publish updated reports covering risk management standards on a regular basis
- ENISA should establish a mechanism for assisting EU institutions
How Can UpGuard Help Organizations with Risk Management?
UpGuard can help any organization streamline all three phases of its risk management process. By utilizing UpGuard’s all-in-one cybersecurity solution, organizations can accurately identify risks across their supply chain, effectively assess risks using custom risk assessment tools, and treat risks using intuitive risk mitigation and remediation workflows.
Organizations looking to elevate their third-party risk management practices can utilize UpGuard Vendor Risk to access the following features:
- Robust and customizable risk assessments,
- Objective and accurate security ratings,
- Flexible security questionnaires,
- Tailor-made vendor reports,
- 24/7 vendor monitoring and more