1. Introduction
    1. Licensing
    2. System Requirements
    3. Setup and Installation
  2. Getting Started
    1. Creating a Database
    2. RM Studio Users/Contacts
    3. Email Configuration
    4. Web Module Setup
    5. Web Module Update
  3. Navigating RM Studio
    1. Main Menu
      1. Save Function
      2. Import External Data
        1. Import Assets
      3. Clear User Cache
      4. Security
      5. Properties
      6. Languages
      7. Registration
      8. User Manual
      9. Manage Checkouts
      10. About
      11. Application Style
    2. Navigation Tree
    3. Tabs
    4. The Grid
    5. Context & Flow
  4. Common Entities
    1. Business Entities
      1. Asset Details - Basic Information tab
      2. Asset Details - Risks tab
      3. Asset Details - Categories tab
      4. Asset Details - Business Entities tab
    2. Contacts
    3. Teams
    4. Categories
    5. Assets
    6. Threats
    7. Standards/Controls
      1. How to: Standards, Regulations, Controls
      2. Standards Implementation Comparison
    8. Documents
  5. Gap Analysis
    1. How to: Gap Analysis
    2. Reporting
  6. Risk Assessment
    1. How to: Risk Assessment
      1. Working with Assets
      2. Evaluation Values
      3. Evaluating Risks
      4. Various Definitions
      5. Risk Assessment Reporting
    2. Risk Owner Tasks
    3. Risk Profile
  7. Web Module
    1. Dashboard
    2. My Tasks
    3. Reports
    4. Standards/Regulations
    5. Documents
    6. Incidents
    7. Risk Owner Web Solution
  8. Control Assessment
    1. Control Assessment Templates
    2. Control Assessment
    3. Reports - Control Assessment
  9. Risk Treatment
    1. How to: Risk Treatment
      1. Risk Treatment Templates
      2. Risk Criteria
      3. Asset Level
      4. Controls Tab
      5. Scheduling a Future Control
      6. Future Controls Tab
      7. Overview
      8. Reload Assets, Threats and Controls
    2. Risk Treatment Reports
  10. STPA
    1. STPA Projects
    2. Models and Diagrams
      1. How to: Create CS Models
      2. How to: Create CS Diagram
        1. Diagram Elements
        2. Models Progress Check
    3. Analyses
      1. How to: Define Purpose of Analysis
      2. Losses
      3. Hazards
      4. Relationship
      5. Constraints
      6. How to: Identify UCAs
      7. How to: Identify Loss Scenarios
        1. Loss Scenario Progress Check
    4. Reporting
    5. Global Properties
  11. Business Continuity Management Module
    1. Organization
      1. New Organization
      2. Stakeholders
      3. Resources/Processes
        1. Impact Analysis
        2. Requirements
    2. Incident Response/Recovery
      1. Associated Threats
      2. Plans
        1. Steps
      3. Maintenance
        1. Test plans
        2. Test Results
    3. Templates
    4. Maintenance
    5. Reports BCM
  12. Database Settings
    1. Database Upgrade
    2. Add Existing
    3. Remove
    4. Migrate
    5. Backup
    6. Restore
  13. Glossary
  14. Calculations


RM Studio uses a calculation algorithm that can be modified by the user, depending on what factors are evaluated, factor values, computing with addition or multiplication, and providing a risk score as a percentage or integer. The Risk Profiles in the Assessment and Treatment module provides the user a default profile or customization to meet the user’s unique needs.

Here is an example of using the Asset factor evaluations from ISO 27001: Confidentiality, Integrity, Availability; and the Threat factor evaluations of Impact and Probability. The calculations use a 1 – 5 factor value for each factor and the computation uses addition:

risk calculation addition

Here is an example of using the Asset factor evaluations from ISO 27001: Confidentiality, Integrity, Availability; and the Threat factor evaluations of Impact and Probability. The calculations use a 1 – 5 factor value for each factor and the computation uses multiplication:

risk calculations multiplication


Inherent risk is the raw or untreated risk, which is the natural level of risk intrinsic in a business activity or process without implementing any procedures to reduce the risk.

In RM Studio Risk Assessment, after assessing the factor values for the Assets, you will calculate the Inherent risk for the organizations assets.


Residual risk is “the risk remaining after risk treatment”, according to ISO 27001 definitions provided.

In RM Studio you first identify the risks relevant to your business in the Risk Assessment. In the Risk Treatment RM Studio builds for you, the controls you evaluated in the Gap Analysis are applied to the identified risks and you need to determine if the risk are mitigated and how to continue to treat the risks you find unacceptable. Treating the risks doesn’t completely eliminate all the risks, some risks will remain at a certain level, and this is what residual risks are. The point is, the organization needs to know exactly whether the planned treatment is enough or not.

Residual risks are usually assessed in the same way as you perform the initial risk assessment using the same methodology, including the same assessment scales. What is different is that you need to take into account the influence of controls (and other mitigation methods), so the likelihood of an incident is usually decreased and sometimes even the impact is smaller. RM Studio adds the controls to the Risk Treatment based on the control to threat mapping established previously or by default.

Below is the matrix used for establishing the security risk of an Asset in relation to the Threat it is under. This matrix is a supplement to the risk calculation section covered previously in this manual.

It’s important to realize that when using the security risk calculation with regards to controls, it is possible to score the security risks down to minimal. What this means is that you have done everything you possibly can to minimize the security risk “with regards to the Standard”. You have implemented all the controls which are associated with the threats you have defined in your risk assessment. Please keep in mind that this does not mean that you don’t have security risk but it only means that you have done everything in your power, based on the Standards, to hedge against known threats.

Suggest Edit