CPI-RISC: Continuous Process Improvement–Risk, Information Security, and Compliance
Sep 1, 2010
UPDATE > Feb 27, 2012: CPI-RISC Information Risk Framework v1.3 is available. Link below has been updated.
In cooperation with the Business Information Security Competency Center, NOUVEL has released the CPI-RISC White Paper.
The Continuous Process Improvement–Risk, Information Security, and Compliance (CPI-RISC) methodology is a pragmatic, standards-based, business-oriented approach to information security. NOUVEL developed CPI-RISC to help organizations create sustainable information security programs and demonstrate measurable improvement over time.
CPI-RISC uses a continuous process improvement cycle, adapted for information security. The three steps are:
The first step is to Assess Risk. Risks are assessed in the context of the business environment, organized by business function, and prioritized based upon their impact to critical business processes.
The second step, Implement Information Security, takes the risks identified in the first step and addresses them using an ISO 27001-like Information Security Management System (ISMS).
The third step, Verify Compliance, provides assurance to the organization that the information security program is effectively managing IT- and information-related risk.
The methodology is based on well-known industry standards: ISO 27001, ISO 27002, ISO 27005, the SANS Institute 20 Critical Security Controls, and the Software Engineering Institute Capability Maturity Model.
In addition to the White Paper, an Information Risk Framework and an Implementation Guide are available for download.
—Jim Herbeck
CPI-RISC White Paper: PDF file (available soon)
CPI-RISC Information Risk Framework: PDF file (English)
NOUVEL Research
© 2010 NOUVEL Strategies Sàrl