The scope of CRAMM
CRAMM is applicable to all types of information systems and networks and can be applied at all stages in the information system lifecycle, from planning and feasibility, through development and implementation to live operation. CRAMM can be used whenever it is necessary to identify the security and/or contingency requirements for an information system or network. This may include:
- During strategy planning, where a high-level risk analysis may be required to identify broad security or contingency requirements for the organisation and the relative costs and implications of their implementation
- At feasibility study stage, where a high-level risk analysis of potential solutions may be required to identify the broad security or contingency requirements and associated costs of the different options
- During analysis of the detailed business and technical environments, where the security or contingency issues associated with the chosen option can be investigated or refined
- Prior to live running, to ensure that all required physical, procedural, personnel and technical security countermeasures have been identified and implemented
- At any point during live running, where there are concerns about security or contingency issues, e.g. in response to a new or increased threat or following a security breach
- As part of regular security management, audit and change management programmes, to monitor both compliance and new requirements.
Application profiles
You may find it useful to read the CRAMM application profiles we've created that describe the benefits CRAMM can introduce to a range of typical projects.
The profiles cover topics such as ISO 27001 compliance, justifying security investment and business continuity strategies.


