return to tools

Information Risk Assessment Methodology 2 (IRAM2)

Identify, assess and treat your information risk
Download the executive summary

IRAM2 is a unique methodology for assessing and treating information risk. It includes guidance for risk practitioners to implement the six-phase process, consisting of Scoping, Business Impact Assessment, Threat Profiling, Vulnerability Assessment, Risk Evaluation, and Risk Treatment.

As a fundamental information risk management technique, IRAM2 will help organisations to:

  • Apply a simple, practical, yet rigorous approach: Focus on simplicity and practicality, while embedding rigour throughout the assessment process. This enables consistent results and a depth of analysis that enhances business decision-making.
  • Speak a common language: Provide a common vocabulary and framework, enabling information risk practitioners and management to form a unified view of information risk across different areas of the business, and better integrate into enterprise risk management.
  • Focus on the business perspective: Guide information risk practitioners’ analysis so that information risk is assessed from the perspective of the business. The end result is a risk profile that reflects a view of information risk in business terms.
  • Obtain a greater coverage of risks: Enable a broader and more comprehensive risk coverage, thereby reducing the chance that a significant risk will be overlooked.
  • Focus on the most significant risks: Allow key business and technology stakeholders to obtain a clear picture of where to focus resources, in order to deal with information risks that are most significant to the organisation.
  • Engage with key stakeholders: Empower information risk practitioners to engage with key business, risk and technology stakeholders in an organised and enterprise-aware manner.

IRAM2 is supported by four IRAM2 Assistants, each accompanied by a practitioner guide, that help automate one or more phases of the methodology. Additionally, IRAM2 is supported by the IRAM2 WebApp, which is an online assessment tool for performing information risk assessments using the ISF IRAM2 information risk assessment methodology.

To find out more about an ISF Member that has benefitted from using IRAM2 click here.