CERT-RMM has two primary objectives:
- Establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model.
- Apply a process improvement approach to operational resilience management through the definition and application of a capability-level scale that expresses increasing levels of process improvement.
The model combines aspects of IT operations management with operational risk and resilience management, such as security and business continuity. The model does the following:
- provides a process definition, expressed in more than 20 process areas across four categories: enterprise management, engineering, operations management, and process management
- focuses on four essential operational assets: people, information, technology, and facilities
- includes processes and practices that define a scale of four capability levels for each process area: Incomplete, Performed, Managed, and Defined
- serves as a meta-model that includes references to common codes of practice such as ISO 27000, ISO 2230, ITIL, CobiT, and ISO 24762
- includes process metrics and measurements that can be used to ensure that operational resilience processes are performing as intended
- facilitates an objective measurement of capability levels via a structured and repeatable appraisal method
CERT-RMM doesn't replace an organization's best practices; rather, it provides a process structure into which they can be inserted and managed. The organization can then conduct an appraisal to measure whether the implemented practices are providing the expected results.
From the download page, you can download these CERT-RMM materials:
- CERT-RMM V1.0 process areas
- CERT-RMM V1.0 generic goals and practices
- CERT-RMM V1.0 glossary
- Addendum to CERT-RMM V1.0 and CERT-RMM V1.1, Measures for Managing Operational Resilience