Context
For professionals moving into governance roles within the financial sector or large multinationals, familiarity with proprietary frameworks is often as important as knowledge of international standards. While ISO 27005 establishes the principles of risk management, the Information Security Forum’s IRAM2 is frequently the specific implementation found in major institutions. You may not need to become a certified IRAM2 practitioner, but you should understand the structure if you intend to work in large-scale enterprise environments.
What is ISF IRAM2?
IRAM2 (Information Risk Assessment Methodology version 2) is a risk assessment framework developed by the Information Security Forum (ISF).
Unlike open standards such as NIST SP 800-30 or ISO 27005, IRAM2 is a proprietary methodology. Full access to the tools, spreadsheets, and detailed documentation is restricted to ISF member organisations. Consequently, it is most commonly encountered in large banks, insurers, and FTSE 100/Fortune 500 companies that hold ISF membership.
The methodology is noted for its rigour and is designed to support complex risk environments rather than small-to-medium enterprises.
The Process
The methodology follows a linear, six-phase lifecycle:
- Scoping: Defining the boundaries of the assessment.
- Business Impact Assessment (BIA): Determining the potential consequences of disruption or loss.
- Threat Profiling: Identifying relevant threat actors and vectors.
- Vulnerability Assessment: Evaluating control weaknesses.
- Risk Evaluation: Calculating the likelihood and impact to derive a risk rating.
- Risk Treatment: Deciding on acceptance, avoidance, transfer, or mitigation.