CERT-RMM doesn't replace an organization's existing best practices; rather, it provides a process structure into which those practices can be inserted and managed. The organization can then conduct an appraisal to measure whether the implemented practices are producing the expected results.
CERT-RMM has two primary objectives:
- Establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model.
- Apply a process improvement approach to operational resilience management through the definition and application of a capability-level scale that expresses increasing levels of process improvement.
The model combines aspects of IT operations management with operational risk and resilience management, such as security and business continuity. The model does the following:
- provides a process definition, expressed in more than 20 process areas across four categories: enterprise management, engineering, operations management, and process management
- focuses on four essential operational assets: people, information, technology, and facilities
- includes processes and practices that define a scale of four capability levels for each process area: Incomplete (level 0), Performed (level 1), Managed (level 2), and Defined (level 3)
- serves as a meta-model that includes references to common codes of practice such as ISO 27000, ISO 2230, ITIL, CobiT, and ISO 24762
- includes process metrics and measurements that can be used to ensure that operational resilience processes are performing as intended
- facilitates an objective measurement of capability levels via a structured and repeatable appraisal method
From this page, you can download these CERT-RMM materials:
- CERT Resilience Management Model V1.0
- CERT Resiliency Engineering Framework V0.95R, the draft version of CERT-RMM
- Code of Practice Crosswalk, a supplement to the draft version that describes the connection between the framework's capabilities and processes and the codes of practice that organizations commonly use in an operational setting