
Risk Management Frameworks

UK, US and international risk management frameworks organised by scope.


General / Enterprise Risk Management

Frameworks applicable across industries for broad organisational risk management.

Framework Origin Description Link
ISO 31000 International (ISO) International standard providing principles and guidelines for risk management applicable to any organisation regardless of size or industry. Focuses on integrating risk management into governance and decision-making. iso.org/iso-31000-risk-management
COSO ERM US (COSO) Enterprise Risk Management framework that integrates risk management with strategy and performance. Emphasises governance, culture, and aligning risk appetite with strategic goals. Updated in 2017. coso.org/guidance-erm
ISO 27005 International (ISO) Information security risk management standard. Provides guidelines for establishing a systematic approach to information security risk management supporting ISO 27001. iso.org/standard/80585.html

Cybersecurity Frameworks

UK-Specific

Framework Origin Description Link
NCSC Cyber Assessment Framework (CAF) UK (NCSC) Framework for organisations responsible for essential services to assess cyber security posture. Based on 14 principles across 4 objectives. Now integrated into NHS DSPT for Category 1 organisations. ncsc.gov.uk/collection/caf
Cyber Essentials UK (NCSC) Government-backed certification scheme focusing on 5 technical controls to protect against common cyber attacks. Required for many government contracts. ncsc.gov.uk/cyberessentials
Cyber Essentials Plus UK (NCSC) Enhanced version of Cyber Essentials with independent verification through technical testing. ncsc.gov.uk/cyberessentials
NCSC 10 Steps to Cyber Security UK (NCSC) High-level guidance covering key areas from risk management to incident management. Good starting point for SMEs. ncsc.gov.uk/collection/10-steps
IASME Cyber Assurance (formerly IASME Governance) UK (IASME) Certification scheme for SMEs covering governance, risk management and data protection beyond the purely technical scope of Cyber Essentials; available as a verified self-assessment (Level 1) or an audited certification (Level 2). Delivered by IASME, the NCSC's Cyber Essentials partner. iasme.co.uk

US-Specific

Framework Origin Description Link
NIST Cybersecurity Framework (CSF) 2.0 US (NIST) Voluntary framework with 6 core functions: Govern, Identify, Protect, Detect, Respond, Recover. Version 2.0 released February 2024 added Govern function. Applicable to all organisations. nist.gov/cyberframework
NIST Risk Management Framework (RMF) US (NIST) Comprehensive 7-step process for managing security and privacy risk. Required for US federal agencies under FISMA. Documented in SP 800-37. csrc.nist.gov/projects/risk-management
NIST SP 800-53 Rev. 5 US (NIST) Security and privacy controls catalogue for information systems; the low/moderate/high baselines used to select and tailor controls under the RMF are in the companion SP 800-53B. Release 5.2.0 (August 2025) is the current version of the catalogue. csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST SP 800-171 US (NIST) Requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. Contractually required for DoD contractors through DFARS 252.204-7012 and assessed under CMMC. Rev. 3 was published in May 2024, but CMMC assessments currently use Rev. 2, so check which revision a given contract cites. csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
CIS Controls v8.1 US (CIS) 18 prioritised security controls providing prescriptive, actionable guidance. Updated June 2024 to align with NIST CSF 2.0. Maps to HIPAA, PCI DSS, NIST and more. cisecurity.org/controls
CMMC 2.0 US (DoD) Cybersecurity Maturity Model Certification required for DoD contractors that handle Federal Contract Information (FCI) or CUI. 3 levels: Level 1 (basic safeguarding of FCI, annual self-assessment), Level 2 (the 110 NIST SP 800-171 requirements, self-assessed or assessed by a C3PAO depending on the contract) and Level 3 (adds a subset of NIST SP 800-172, assessed by the government). dodcio.defense.gov/CMMC/

International

Framework Origin Description Link
ISO/IEC 27001:2022 International (ISO) International standard for Information Security Management Systems (ISMS). Certifiable framework covering people, processes, and technology. iso.org/standard/27001
ISO/IEC 27002:2022 International (ISO) Reference set of 93 information security controls in four themes (organisational, people, physical, technological) with implementation guidance for each. ISO/IEC 27001:2022 Annex A is derived from it, so it is the standard source for how to implement Annex A controls. iso.org/standard/75652.html

AI Risk Management

Framework Origin Description Link
NIST AI RMF 1.0 US (NIST) Voluntary framework for managing AI-related risks. Released January 2023. Four core functions: Govern, Map, Measure, Manage. Includes AI RMF Playbook for implementation guidance. nist.gov/itl/ai-risk-management-framework
ISO/IEC 42001:2023 International (ISO) World's first AI Management System standard. Certifiable framework addressing ethical considerations, transparency, and responsible AI governance. Published December 2023. iso.org/standard/42001
EU AI Act EU Risk-based regulation categorising AI systems (prohibited practices, high-risk systems, limited-risk systems with transparency duties, minimal risk) plus obligations for general-purpose AI models. In force since 1 August 2024, with obligations phased in: prohibited practices from February 2025, general-purpose AI obligations from August 2025, most remaining obligations from August 2026, and high-risk systems embedded in products covered by other EU product legislation from August 2027. Applies to providers and deployers placing AI systems on the EU market or using them in the EU, regardless of where they are established. artificialintelligenceact.eu
OECD AI Principles International (OECD) Five values-based principles (plus five recommendations for policymakers) establishing intergovernmental consensus on trustworthy AI. Adopted in 2019 and updated in May 2024, in part to address general-purpose and generative AI. oecd.org/digital/artificial-intelligence
IEEE 7000-2021 International (IEEE) Standard for ethical system design addressing values-based engineering for AI and autonomous systems. standards.ieee.org/ieee/7000/6781

Privacy Frameworks

Framework Origin Description Link
NIST Privacy Framework US (NIST) Voluntary framework for managing privacy risk. Complements NIST CSF with Identify-P, Govern-P, Control-P, Communicate-P, Protect-P functions. nist.gov/privacy-framework
ISO/IEC 27701:2025 International (ISO) Privacy Information Management System (PIMS) standard. The 2019 edition was an extension to ISO 27001/27002; the 2025 edition restructures it as a standalone management system standard that can be certified on its own or integrated with an ISMS. Provides a mapping to GDPR. iso.org/standard/27701
UK GDPR / Data Protection Act 2018 UK UK data protection legislation post-Brexit. Enforced by ICO. ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources
EU GDPR EU General Data Protection Regulation governing personal data processing. Applies to organisations established in the EU/EEA and, under Article 3(2), to organisations anywhere that offer goods or services to, or monitor the behaviour of, individuals in the EU, whatever those individuals' citizenship. gdpr.eu
CCPA/CPRA US (California) California Consumer Privacy Act / California Privacy Rights Act. State-level privacy regulation. oag.ca.gov/privacy/ccpa

IT Governance Frameworks

Framework Origin Description Link
COBIT 2019 International (ISACA) IT governance and management framework from ISACA. Aligns IT with business goals, supports audit and compliance. Flexible integration with other standards. isaca.org/resources/cobit
ITIL 4 UK (Axelos) IT service management best practices framework. Focuses on creating value through IT services. axelos.com/certifications/itil-service-management

Quantitative Risk Analysis

Framework Origin Description Link
FAIR (Factor Analysis of Information Risk) US (FAIR Institute) Quantitative risk analysis framework expressing cyber risk in financial terms. Provides taxonomy, methodology and computational model for risk quantification. Now an Open Group standard. fairinstitute.org
FAIR-CAM US (FAIR Institute) Controls Analytics Model describing how controls affect the frequency and magnitude of loss events (loss event controls, variance management controls, decision support controls), so that control frameworks such as NIST CSF and CIS Controls can be mapped onto FAIR risk factors. fairinstitute.org/fair-cam
OCTAVE US (CMU CERT) Operationally Critical Threat, Asset, and Vulnerability Evaluation. Qualitative framework for identifying and managing information security risks. OCTAVE Allegro is the lightweight variant. sei.cmu.edu/our-work/octave
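As a worked illustration of the FAIR factor tree the table above refers to, the following Python script runs a Monte Carlo simulation that turns calibrated (min, most likely, max) estimates into an annualised loss distribution and prices a control change in the same financial terms. It is an example added to this page, not the FAIR Institute's or The Open Group's reference model; the use of a triangular distribution for each estimate, and the phishing scenario figures it contains, are assumptions made for the example.

```python
"""
FAIR-style quantitative risk estimate via Monte Carlo simulation.

Added illustration, not the FAIR Institute's or The Open Group's own code.
It follows the FAIR factor tree as the page summarises it:
  Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
  LEF  = Threat Event Frequency (TEF) x Vulnerability
Triangular distributions and the scenario figures below are assumptions.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError("estimate must satisfy low <= mode <= high")

    def sample(self, rng: random.Random) -> float:
        # random.triangular returns `low` when low == high, so a point
        # estimate (low == mode == high) needs no special case.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario: a threat acting on an asset with a loss effect."""
    name: str
    tef_per_year: Estimate    # Threat Event Frequency (events / year)
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    loss_magnitude: Estimate  # loss per loss event, in currency units

    def __post_init__(self):
        if self.vulnerability.low < 0.0 or self.vulnerability.high > 1.0:
            raise ValueError("vulnerability must be a probability in [0, 1]")


def simulate_annual_loss(scenario: Scenario, trials: int = 10_000,
                         seed: int = 1) -> list[float]:
    """Return `trials` samples of annualised loss exposure (LEF * LM)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    samples = []
    for _ in range(trials):
        tef = scenario.tef_per_year.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        lm = scenario.loss_magnitude.sample(rng)
        lef = tef * vuln            # loss events per year
        samples.append(lef * lm)    # annualised loss exposure
    return samples


def percentile(samples: list[float], p: float) -> float:
    """Nearest-rank percentile, p in 0..100."""
    ordered = sorted(samples)
    rank = math.ceil(p / 100.0 * len(ordered))
    return ordered[min(max(rank, 1), len(ordered)) - 1]


def summarise(samples: list[float]) -> dict[str, float]:
    """Mean plus the P10/P50/P90 points usually reported to decision-makers."""
    return {"mean": mean(samples), "p10": percentile(samples, 10),
            "p50": percentile(samples, 50), "p90": percentile(samples, 90)}


def risk_reduction(before: Scenario, after: Scenario, **kwargs) -> float:
    """Expected annual loss avoided by a control, to weigh against its cost."""
    return (mean(simulate_annual_loss(before, **kwargs))
            - mean(simulate_annual_loss(after, **kwargs)))


# Constructed scenario figures (assumptions, not data from any real estate):
# phishing leading to credential compromise of a business application.
PHISHING = Scenario(
    name="Phishing -> credential compromise",
    tef_per_year=Estimate(20, 50, 120),
    vulnerability=Estimate(0.05, 0.15, 0.30),
    loss_magnitude=Estimate(10_000, 60_000, 400_000),
)
# Same scenario after deploying phishing-resistant MFA: TEF is unchanged,
# only the probability that a phish becomes a loss event drops.
PHISHING_WITH_MFA = Scenario(
    name="Phishing -> credential compromise (phishing-resistant MFA)",
    tef_per_year=PHISHING.tef_per_year,
    vulnerability=Estimate(0.005, 0.02, 0.05),
    loss_magnitude=PHISHING.loss_magnitude,
)

if __name__ == "__main__":
    for scenario in (PHISHING, PHISHING_WITH_MFA):
        stats = summarise(simulate_annual_loss(scenario))
        print(scenario.name)
        print("  " + ", ".join(f"{k}: {v:,.0f}" for k, v in stats.items()))
    print("Expected annual loss avoided by MFA: "
          f"{risk_reduction(PHISHING, PHISHING_WITH_MFA):,.0f}")
```

Run it as a script to see the before/after distributions. The point of the P10/P50/P90 spread, rather than a single expected value, is that it shows decision-makers how uncertain the estimate is; a real FAIR analysis would typically replace the triangular draws with PERT (beta) distributions and obtain the three-point inputs through calibrated expert estimation, but the structure of the calculation is the same.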

Healthcare-Specific

UK

Framework Origin Description Link
NHS DSPT (Data Security and Protection Toolkit) UK (NHS England) Annual self-assessment tool for organisations accessing NHS patient data. Based on National Data Guardian's 10 data security standards. Category 1 organisations now use CAF alignment. dsptoolkit.nhs.uk

US

Framework Origin Description Link
HIPAA US (HHS) Health Insurance Portability and Accountability Act. Federal law requiring protection of sensitive patient health information. hhs.gov/hipaa
HITRUST CSF US (HITRUST Alliance) Certifiable framework harmonising healthcare-specific requirements with HIPAA, ISO 27001, NIST and others. hitrustalliance.net

Financial Services / Payment

Framework Origin Description Link
PCI DSS v4.0.1 International (PCI SSC) Payment Card Industry Data Security Standard. Contractually required for any organisation that stores, processes or transmits cardholder data. v3.2.1 was retired on 31 March 2024; the future-dated requirements introduced in v4.0 became mandatory on 31 March 2025; v4.0.1 (June 2024) is the current revision and contains clarifications only. pcisecuritystandards.org
SOC 2 US (AICPA) System and Organization Controls attestation report against the 5 Trust Services Criteria: Security (mandatory in every SOC 2), Availability, Processing Integrity, Confidentiality, Privacy. A Type I report covers control design at a point in time; a Type II also tests operating effectiveness over a period, typically 6 to 12 months. aicpa-cima.com/topic/audit-assurance/
SOC 1 US (AICPA) Internal control reporting relevant to user entities' financial reporting (ICFR). aicpa-cima.com/topic/audit-assurance/
Basel III / "Basel IV" International (BCBS) Banking sector framework for capital adequacy, liquidity and risk measurement; "Basel IV" is the informal name for the final Basel III reforms rather than a separate accord. bis.org/bcbs
DORA EU Digital Operational Resilience Act. ICT risk management for EU financial entities. Fully enforced from January 2025. eiopa.europa.eu/digital-operational-resilience-act-dora
GLBA US Gramm-Leach-Bliley Act. Requires financial institutions to explain data sharing practices and safeguard sensitive data. ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
SOX US Sarbanes-Oxley Act. Financial reporting and internal control requirements for public companies. sec.gov/spotlight/sarbanes-oxley.htm

Critical Infrastructure / OT

Framework Origin Description Link
IEC 62443 International (IEC) Industrial automation and control systems security. Multiple parts covering risk assessment (62443-3-2) and requirements (62443-3-3). iec.ch/cyber-security
NERC CIP US (NERC) Critical Infrastructure Protection standards for North American bulk electric system. nerc.com/standards/reliability-standards/cip
UK NIS Regulations UK Network and Information Systems Regulations. Implements NIS Directive for operators of essential services. ncsc.gov.uk/collection/nis-directive
NIS2 Directive EU Updated EU directive expanding the scope of NIS to more sectors. Applies to essential and important entities. Member states were required to transpose it by 17 October 2024; several have done so late, so check the national implementing law for each jurisdiction you operate in. digital-strategy.ec.europa.eu/en/policies/nis2-directive

Cloud-Specific

Framework Origin Description Link
CSA CCM (Cloud Controls Matrix) International (CSA) Security control framework for cloud environments. Used with CAIQ (Consensus Assessments Initiative Questionnaire). cloudsecurityalliance.org/research/cloud-controls-matrix
FedRAMP US (GSA) Federal Risk and Authorization Management Program. Required for cloud services used by US federal agencies. fedramp.gov

Government / Federal (US)

Framework Origin Description Link
FISMA US Federal Information Security Modernization Act. Requires federal agencies to implement information security programs based on NIST guidance. cisa.gov/federal-information-security-modernization-act
NIST SP 800-37 US (NIST) Risk Management Framework for Information Systems and Organizations. Detailed implementation of RMF process. csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
NIST SP 800-39 US (NIST) Managing Information Security Risk at organisation, mission/business, and system levels. csrc.nist.gov/publications/detail/sp/800-39/final

Mapping Resources

Many frameworks provide official mapping documents to help organisations align multiple standards:

Resource Link
NIST CSF to ISO 27001 Mapping nist.gov/cyberframework/informative-references
CIS Controls Mappings cisecurity.org/controls/cis-controls-navigator
UK Cyber Governance Code to various frameworks gov.uk/government/publications/cyber-governance-mapping
PCI DSS to NIST CSF pcisecuritystandards.org/resources
NIST AI RMF Crosswalks nist.gov/itl/ai-risk-management-framework

Quick Selection Guide

If you need... Consider...
UK government contracts Cyber Essentials / Cyber Essentials Plus
NHS data access DSPT (with CAF for Category 1)
US federal work NIST RMF, FISMA, SP 800-53
DoD contracts CMMC, NIST SP 800-171
Card payment processing PCI DSS
Healthcare data (US) HIPAA, HITRUST
SaaS/cloud services SOC 2, ISO 27001
AI systems NIST AI RMF, ISO 42001
EU operations GDPR, NIS2, EU AI Act
Quantifying cyber risk FAIR
General starting point NIST CSF 2.0, CIS Controls
Enterprise risk management ISO 31000, COSO ERM

Last updated: January 2026