Moving Ahead With Risk-Based Security Management
Risk-based management of security has been a central tenet of building a security strategy for many years. But some companies do better than others at actually implementing it. They know the principles but get bogged down in the detail.
One of the potential problems is that there is a plethora of frameworks around which to build a strategy. For example, there are AS/NZS ISO 31000:2009, ISO 27005, COSO and OCEG. Choosing a framework can be difficult, and then there's the perennial question of whether it is the best one for the particular company, whether it needs to be adhered to strictly, and whether a change can be made later on to one of the others.
This article suggests that companies need to just get on with it - that they should choose the framework that seems to fit most naturally and then not shy away from change or deviation later on if it isn't working out well.
Every security strategy needs to be customized and the choice of a framework is simply a good starting point.