Aligning cybersecurity strategy and performance with updated COSO ERM guidance

From: CSO

Recently released COSO-ERM framework provides guidance to enable cyber and information security professionals to communicate risks and threats in language that stakeholders can understand and take action on.

Over a year after I first wrote about the exposure draft, COSO, the same organization that provides the internal control framework used to assess controls over financial reporting (and therefore Sarbanes-Oxley compliance) for most public companies, has issued the final version of its “Enterprise Risk Management—Integrating with Strategy and Performance (COSO-ERM).” Because the framework is very likely to be used by risk management functions in communicating with executives and board committees, it makes sense for information security practitioners to be aware of the language and the approach to risk management it uses, so that technology risk information can be delivered to decision makers and those responsible for governance in an aligned and consistent way.

Not a replacement for security frameworks

COSO-ERM is not a replacement for existing information security frameworks, nor has it been designed to work with these frameworks. COSO-ERM is a business framework intended to consider critical business issues to ensure alignment with strategic business objectives, and it focuses on risk management rather than internal control. It does not specify controls or provide checklists as the major information security frameworks do. Rather, COSO-ERM focuses on enabling the business to manage risk to an acceptable level within its risk appetite constraints.
