Clement Dupuis over at cccure.org put me on to a new infosec risk management handbook from an organization I haven't come across before - a Swiss organization called the Security Officers Management and Analysis Project. The handbook is described as "high level informations" containing 14 core pages on risk management, both in general and specifically in relation to information security - in fact, it probably has more to say on information security management than risk management. It aims to describe "how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities." The language is rather naive in places but this could easily be due to its being translated into English, and the meaning comes through. For example: "A security officer never should be the owner of an asset. Even if this could look like a good idea, it is not. At the end the security officer would be responsible for all the assets which he obviously can not be." It is loosely structured around ISO 17799 / ISO 27001.
The accompanying Information Security Risk Assessment Guide is still in development with a 31-page draft already available. The guide looks as if it will focus on risk management in greater depth than the handbook. At the moment, it is little more than a collection of placeholders, ideas and notes to be explained/expanded later.
Both documents are released under the GNU Free Documentation License giving recipients the freedom to create and sell derivative works provided they reference the originator, retain section headings etc. SOMAP are actively inviting readers to get involved with and contribute to the project. If their appeal succeeds, the project has the potential to clear up an area of information security management that remains poorly served by other works. Although maybe a dozen information security risk management methods are in use worldwide, they seem to be the realm of specialists rather than general practice in the field.
More risk management resources