Information Risk Management

Information technology has become one of the most important success factors in achieving corporate goals. Finding an adequate balance between investment and residual risk, however, has so far been a difficult task that is hard to trace. Risk, transparency and cost accuracy must be designed clearly and comprehensibly.

The objectives of IT risk management must be derived from the business strategy so that IT is sized to what corporate success actually requires.

The results of IT risk management are measures to achieve the desired or defined level of IT performance.

IT risk management thus answers the following questions in a comprehensible and transparent manner:

  • Which threats can arise from the use of IT for the company?
  • How much IT does the company really need?
  • How secure is IT?

IT managers, CIOs and CISOs must ensure transparency in their own interest and prepare their investment proposals in management terms, so that they do not fall victim to management's lack of understanding.

CRISAM® stands for "Corporate Risk Application Method" and is a holistic approach to implementing a company-wide IT risk management process. CRISAM® consists of both a procedure method and an evaluation method, both of which are covered by the CRISAM® software.

CRISAM® serves to derive traceable requirements for information technology from strategy, organization and (business) processes. Operational risks from the operation of the IT systems are compared with the resulting security requirements. Deviations of the actual performance (assessed operational risks of IT) from the target (requirements derived from the company) are identified as potential threats from IT deployment. The necessary control process, which identifies deviations from the specified target value and compensates for them with suitable measures, is established in the company as a continuous risk management process.

Risks are assessed with the CRISAM® approach in the form of a quantitative indicator modelled on the Standard & Poor's rating approach used in insurance. "AAA" and "BB" are well-established terms in the financial world today. CRISAM®'s risk assessment is based on this rating model introduced by Standard & Poor's. The advantage is that IT becomes measurable and comparable and can be aligned with corporate goals.

The rating scale is generally known in management and can be interpreted by persons without specific IT know-how. This allows risks from the use of IT to be related to the financial, market and other risk factors in the company.

CRISAM® tests the performance of your IT. The principle is simple and clear: CRISAM® evaluates your entire IT, from the applications through the IT processes down to the power supply, against the state of the art. This state of the art is documented by numerous recognized sources and confirmed by court-certified experts. Assessments against the state of the art may, under certain circumstances, establish liability for negligence on the part of both the management and its representatives. For IT risk management, CRISAM® draws its information on the state of the art from the BSI's German IT baseline protection manual (IT-Grundschutz), the ISO 27000 series of standards, ITIL, COBIT and the Austrian IT security manual.

CRISAM® makes all recorded data, together with the resulting results and analyses, available transparently to different groups of recipients through predefined and customizable reports.

For more information on CRISAM®, please visit www.crisam.net.