The Institute of Risk Management: Risk Management Standard (17 pages)
There are many ways of achieving the objectives of risk management and it would be impossible to try to
set them all out in a single document. Therefore it was never intended to produce a prescriptive standard
which would have led to a box ticking approach nor to establish a certifiable process. By meeting the
various component parts of this standard, albeit in different ways, organisations will be in a position
to report that they are in compliance. The standard represents best practice against which organisations
can measure themselves.
NIST SP 800-30: Risk Management Guide for Information Technology Systems (55 pages)
This guide provides a foundation for the development of an effective risk management program,
containing both the definitions and the practical guidance necessary for assessing and mitigating
risks identified within IT systems. The ultimate goal is to help organizations to better manage
IT-related mission risks.
NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems (95 pages)
This document provides a security self-assessment framework to help organizations measure their
security risk. The assessment contains three control areas: management, operations and technology. It
covers seventeen areas, including access control, incident response, business continuity and
disaster recovery.
CERT: Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments (59 pages)
The main focus of MAAP is developing advanced risk analysis techniques for highly complex and
distributed work processes. However, we believe that MAAP can also be used to analyze risk in virtually
all work processes, from very simple workflows to those that are distributed among multiple
organizations.
NSW Department of Commerce: Information Security Part 1: Risk Management (84 pages)
The objective of this guideline is to assist agencies in the identification and management of
information security risks. The guideline provides direction for information security risk management
and the context in which this takes place. The guideline addresses the risk management process in terms
of core components, such as: Identifying risks that agencies should recognise and manage, setting
objectives and obtaining commitment to information security risk management; The step-by-step
information security risk management process, incorporating risk assessment, planning activities,
responsibilities and resources; Implementation and operational procedures, increasing awareness of
information security risks and measures; Assessing the effectiveness of procedures, maintaining controls
and monitoring compliance.
NSW Department of Commerce: Information Security Part 2: Threats and Vulnerabilities (33 pages)
The aim of this section of the Information Security guideline is to assist agencies in the understanding
of some of the more common threats and vulnerabilities in relation to information security. The
guideline provides examples of the threats posed to information assets and identifies the associated
vulnerabilities to consider in the assessment of risk. The guideline addresses the following key areas:
The general definition of threats and vulnerabilities in relation to information assets; Environmental
threats that result in the loss of availability of information, such as natural disasters, contamination
and power fluctuations; Accidental threats arising from human errors and omissions, including fire,
communication failures and technical difficulties; A threat, whether it comes from an internal or external
source, has the potential to cause harm to information assets, in which it exploits vulnerabilities. A
vulnerability can be a weakness in the physical environment, organisation and management, procedures,
personnel, operations, software and hardware or communications equipment.
Microsoft: Security Risk Management Guide
This guide helps customers of all types plan, build, and maintain a successful security risk management
program. In a four phase process, depicted below, the guide explains how to conduct each phase of a risk
management program and how to build an ongoing process to measure and drive security risks to an
acceptable level.
Microsoft: Security Assessment Tool
This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in
their current IT security environment. It will help identify processes, resources, and technologies that
are designed to promote good security planning and risk mitigation practices within your organization.
Jack A. Jones: An Introduction to Factor Analysis of Information Risk (FAIR) (48 pages)
Risk and risk analysis are large and complex subjects. Consequently, in writing this document I’ve had
to balance the need to provide enough information so that risk concepts and the FAIR framework are clear
and useful, and yet keep the length manageable. The result is what can best be described as an
introduction and primer. For example, I’ve limited the scope to only include the human malicious
threat landscape, leaving out threat events associated with error, failure, or acts of God.
FEMA Risk Management Series (RMS) Publications
The RMS is a new FEMA series directed at providing design guidance for mitigating multihazard events.
The publications are directed at manmade disasters. The objective of the series is to reduce physical
damage to structural and nonstructural components of buildings and related infrastructure, and to reduce
resultant casualties during conventional bomb attacks, as well as attacks using chemical, biological,
and radiological agents. The underlying issue is that improving security in high occupancy buildings
will better protect the nation from potential threats by identifying key actions and design criteria to
strengthen our buildings from the forces that might be anticipated in a terrorist assault. The intended
audience includes architects and engineers working for private institutions, building
owners/operators/managers, and state and local government officials working in the building sciences
community.
World Bank Technology Risk Checklist
The World Bank Technology Risk Checklist is designed to provide Chief Information Security Officers
(CISO), Chief Technology Officers (CTO), Chief Financial Officers (CFO), Directors, Risk Managers
and Systems Administrators with a way of measuring and validating the level of security within a
particular organization.