Open frameworks and standards for cyber risk assessment

This module outlines some of the key open-source methods for assessing (rather than managing) cyber risks, ranging from the NIST model to ENISA’s European approach, and including the ISO/IEC 27001:2022 standard. The module consists of an initial theoretical section and a second section focused on analysing a wide range of practical applications in both IT and OT contexts. The course is divided into two parts to be completed remotely: the first is a 16-hour theory module; the second is a 24-hour practical module, making a total of 40 hours. 

Would you like to take the course via e-learning, available 24/7? Register on the platform

Topics

  • NIST cyber risk assessment
  • ENISA cyber risk assessment (including for SMEs)
  • Cyber risk assessment in accordance with the ISO/IEC 27001:2022 standard
  • At least two use cases in the IT sector
  • One use case in the industrial OT sector
  • One use case in the civil OT sector (e.g. smart cities)

Target

  • staff from the private and public sectors of organisations operating at national level, as well as those covered by NIS 2 and DORA
  • Master’s and PhD students
  • staff in IT and computer engineering or other management, economic and technological fields

Course structure

Module 1 - CYBER RISK ASSESSMENT – NIST
16 hours
  • Introduction to the NIST Cybersecurity Framework (CSF): Core, Implementation Tiers and Profiles
  • Risk identification: asset criticality, threat intelligence and vulnerability assessment
  • Classification of controls: identity and access management, protection, detection, response and recovery
  • Metrics and performance indicators for risk monitoring
  • Simulation of a risk framework for a small IT organisation (e.g. a SaaS provider)
Module 2 - CYBER RISK ASSESSMENT – ENISA
16 hours
  • ENISA guidelines for risk management
  • Adapting the ENISA approach to SMEs: simplicity and scalability
  • ENISA for risk management (Cybersecurity Threat Landscape)
  • Focus on the European context and support for SMEs in meeting regulatory requirements
  • Risk assessment for a small manufacturing business (OT sector), as a worked use case
  • Identification of key vulnerabilities and prioritisation of actions
Module 3 - CYBER RISK ASSESSMENT – ISO/IEC 27001:2022 STANDARD
16 hours
  • Overview of changes introduced in the 2022 version
  • ISO risk assessment process: risk identification, analysis, evaluation and treatment
  • Risk ownership and continuous risk monitoring
  • The role of Annex A in strengthening operational security
  • ISO risk analysis for a complex corporate network with remote access (e.g. a multinational company)
Workshop
16 hours

Development of case studies

  • Case study 1:
    IT – e-commerce company
    Objective: Creating a cyber risk assessment for an e-commerce company
  • Case study 2:
    Cloud infrastructure
    Objective: Implementing the ENISA guidelines in a cloud environment
  • Case study 3:
    Industrial OT
    Objective: Carrying out a cyber risk assessment for an industrial OT facility
  • Case study 4:
    Civil OT – Smart City (e.g. traffic management)
    Objective: Assessing risks in a smart city context
