ISF IRAM2

Context For professionals moving into governance roles within the financial sector or large multinationals, familiarity with proprietary frameworks is often as important as knowledge of international standards. While ISO 27005 establishes the principles of risk management, the Information Security Forum’s IRAM2 is frequently the specific implementation found in major institutions. You may not need to become a certified IRAM2 practitioner, but you should understand the structure if you intend to work in large-scale enterprise environments. ...

2 min

Static Application Security Testing (SAST)

Context For the mid-career technologist or governance lead, understanding the mechanics of code analysis is less about mastering coding or tooling, and more about understanding where risk is introduced. If you are responsible for product integrity or release management, relying solely on pre-release testing is a failing strategy. This note explains the foundational principles of inspecting code at rest, arguably the first line of defence in a secure development lifecycle. ...

4 min

Value at Risk (VaR)

Value at Risk (VaR) is a statistical measure used to estimate the potential loss of an asset, portfolio, or investment over a specified time period at a given confidence level under normal market conditions. VaR can be used in risk management for risk measurement and assessment. Related pages FAIR, a technique used for cybersecurity and operational risk loss event measurement

1 min

What are Corrective Actions?

Corrective actions are structured processes for addressing and resolving identified issues or nonconformities, aiming to prevent recurrence and promote continuous improvement. They may originate from routine business operations, or from internal or external reviews by regulators, auditors, or other governance functions. What is a Corrective Action Plan? A corrective action addresses a specific issue or deficiency through targeted measures. In contrast, a corrective action plan (CAP) is a comprehensive document that outlines multiple corrective actions, along with their timelines, responsible parties, and the steps required to ensure each item is systematically resolved. ...

1 min

What are the three lines of defence (3LOD)?

Context In regulated industries — particularly financial services, energy, and critical infrastructure — the Three Lines model is the standard vocabulary for governance. It is the primary mechanism organisations use to segregate duties and prevent conflicts of interest. For the professional, understanding this framework is a practical necessity: it clarifies the boundary between operational management and independent oversight. The Three Lines of Defence (3LOD) is a framework used to structure risk management within an organisation. It separates those who own the risk from those who oversee it, and those who provide independent assurance. ...

3 min