CRAMM

History

CRAMM (CCTA Risk Analysis and Management Method) was created in 1987 by the Central Computing and Telecommunications Agency (CCTA) of the United Kingdom government. CRAMM is currently on its fifth version, CRAMM Version 5.0. It comprises three stages, each supported by objective questionnaires and guidelines. The first two stages identify and analyze the risks to the system. The third stage recommends how these risks should be managed. The three stages of CRAMM are as follows:

Stage 1 The establishment of the objectives for security by:

Stage 2 The assessment of the risks to the proposed system and the requirements for security by:

Stage 3 Identification and selection of countermeasures that are commensurate with the measures of risks calculated in Stage 2. CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organised into over 70 logical groupings.

Deployment

CRAMM is in use by NATO, the Dutch armed forces, and corporations working actively on security, such as Unisys and RAC. CRAMM is offered in English, Dutch and Czech versions.
