We understand the risk management process as a lifecycle with four steps, starting with Compliance Scoping.
In this first step you define which authority documents you need and with which of them you are trying to achieve compliance.
In the second step you manage your assets, define the responsibilities and manage the changes since the last assessment.
The third step is about measuring the compliance of the implemented controls with the requirements described in the authority documents chosen during the Compliance Scoping step.
Different assessment measuring strategies can be used to measure the compliance level. Findings are documented for later evaluation and reporting.
The last step consists of evaluating the findings and reporting the facts to upper management and other interested parties.
An older version of our methodology is published in our Guide. In the published version, the Guide describes two risk analysis methodologies: the qualitative and the quantitative method. Other methods exist, and neither this Guide nor the SOBF tool is restricted to the current two methodologies. The SOMAP.org project is interested in learning more about other methodologies, which could be explained in a later version of the Guide and implemented in the SOBF tool.
SOMAP.org is work in progress and any contribution is welcome. If you are interested in helping out, please contact the SOMAP.org project via email at email@example.com.