New Report on National Risk Management Preparedness: a Guideline for Critical Information Infrastructure Governance

By Enisa - European Network And Information Security Agency, PRNE
Tuesday, May 17, 2011

BRUSSELS and HERAKLION, Greece, May 19, 2011 - ENISA (the European Network and Information Security Agency)
has launched a new publication on National Risk Management (NRM)
preparedness. The report sets out the essential elements as a guideline for
the governance of NRM in relation to a country's Critical Information
Infrastructure (CII). In particular, the report presents a workflow to
develop and implement NRM processes.

The relationship between NRM and the management of information
security risk in individual CII stakeholder organisations is identified in
this new Agency report. It determines three essential NRM processes that need
to be implemented by national governments, as follows:

- Process 1: Define NRM Policy.

- Process 2: Coordinate and Support Implementation [of
risk management in CII stakeholder organisations].

- Process 3: Review, Reassess and Report [on NRM].

Each of these three processes is supported by a number of activities. The
report identifies a total of twelve detailed activities. These activities
include, among others, setting the vision, establishing the NRM organisation,
promoting standards, creating awareness, and analysing errors and
incidents. The framework for the governance of NRM enables governments and
other national CII stakeholders to gain an overview of the elements that are
required to build such a programme, and to understand the relationships
between these elements.

The guidelines feature a questionnaire that allows governments
to assess their strengths and weaknesses in relation to NRM preparedness by
using a five-level capability maturity measurement.

The report can be used in practice by national governments to:

- Identify strengths and weaknesses in the implementation of NRM in their

- Assist in the development of a framework for the governance of NRM;

- Help the government to assist CII stakeholder organisations in
developing their own risk management processes; and

- Assess the country's NRM preparedness through the use of a defined
testing process.

Background: CIIP Communication by the European Commission (

For full paper (


For interviews, or further details: Ulf Bergstrom, Spokesman, ENISA,
press at, Mobile: +30-6948-460-143, or Dr. Louis Marinos,
Expert, riskmanagement at
