The original Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration. For example, large organizations generally have a multi-layered hierarchy and are likely to maintain their own computing infrastructure, along with the internal ability to run vulnerability evaluation tools and interpret results in relation to critical assets.

The original OCTAVE Method uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs. It consists of a series of workshops, either facilitated or conducted by an interdisciplinary analysis team of three to five of the organization's own personnel. The method takes advantage of knowledge from multiple levels of the organization, focusing on

  • identifying critical assets and threats to them
  • identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
  • developing a practice-based protection strategy and risk mitigation plan to support the organization's mission and priorities

These activities are supported by a catalog of good or known practices, as well as surveys and worksheets that can be used to elicit and capture information during focused discussions and problem-solving sessions.


Assessing Information Security Risk Using the OCTAVE Approach is a three-day training course in which participants use a case study to perform each activity in the OCTAVE Allegro method as well as learn about risk assessment preparation, tailoring, and prioritization of identified risks for response.  OCTAVE and OCTAVE-S are not covered in the course.  This course is also available in eLearning.

Additional background and conceptual knowledge can also be found in the book Managing Information Security Risks.

Register to Download

The OCTAVE Method Implementation Guide provides everything that an analysis team needs to use the OCTAVE method to conduct an evaluation.


The .zip file includes a complete set of resources necessary to perform an information security assessment based on the original OCTAVE method.

Introductory Material
The purpose of and introduction to the OCTAVE method, including a preparation guide and tailoring guidelines

Method Material
A summary, detailed guidelines, worksheets, slides, and notes for every activity

Additional Materials
An asset profile workbook, catalog of practices, OCTAVE data flow, complete examples of results, and more