Standard: ISO 31000:2018 — Risk management — Guidelines
Tier: 1 — Foundational
Framework role: Enterprise risk principles; quantitative implementation via FAIR
ISO 31000 provides principles and guidelines for managing risk. The ICT Governance Framework adopts ISO 31000 intent through documented risk processes and a live FAIR (Factor Analysis of Information Risk) engine for quantitative assessment.
| Principle | Framework implementation |
|---|---|
| Integrated | Risk linked to assets, incidents, governance KPIs |
| Structured | FAIR scenarios, calibration tables, SQL schema |
| Customised | Tenant-specific risk models, env-tunable multipliers |
| Inclusive | CISO dashboard, executive metrics |
| Dynamic | Telemetry-driven LEF adjustments (shadow IT, break-glass, incidents) |
| Best available information | Asset register, incident ingest, JIT ledger |
| Human and cultural factors | Break-glass analytics, governance policies |
| Continual improvement | Calibration governance, focus area 4 |
| Component | Location |
|---|---|
| FAIR risk engine | ict-governance-framework/services/fair-risk-engine.js |
| Calibration | fair-risk-calibration.js, fair_model_calibration.sql |
| Scheduler | fair-risk-scheduler.js |
| Framework section | ICT GF § FAIR Risk |
| Target framework | FAIR integration in Target Governance Framework |
| Tests | fair-risk-engine.test.js, fair-risk-calibration.test.js |
| Source | Maturity |
|---|---|
| A007 Risk Management domain | Level 3 (65%) |
| A033 ISO 31000 | 74% claimed |
~72–80% — significant improvement from live FAIR engine and telemetry integration.