Risk Assessment Framework Comparison 2026: NIST RMF, ISO 27005, and COSO ERM Explained
Last updated: 2026-05-04 — ComplianceStack Editorial Team
Every regulated organization needs a risk assessment methodology — but the choice between NIST RMF, ISO 27005, and COSO ERM is not obvious. Each framework was designed for a different primary audience, operates on different risk language, and produces different outputs. NIST SP 800-37 Rev 2 is the standard for federal agencies and contractors; ISO 27005:2022 is the international information security risk standard; COSO ERM 2017 is the dominant enterprise risk management framework for publicly traded companies. Understanding what each framework does — and doesn't do — is the foundation of a defensible risk program. This guide covers all three, explains how they align with regulatory requirements, and helps compliance teams choose the right framework for their environment. For a broader look at how risk analysis fits into a compliance program, see the Compliance Risk Analysis Guide 2026.
NIST Risk Management Framework (SP 800-37 Rev 2)
The NIST Risk Management Framework (RMF), documented in NIST Special Publication 800-37 Revision 2 (published December 2018), is a seven-step lifecycle process for managing information security and privacy risk. It is mandatory for U.S. federal agencies under FISMA (44 U.S.C. §3551) and is the de facto standard for federal contractors handling Controlled Unclassified Information (CUI) under DFARS 252.204-7012 and the CMMC framework.
The seven RMF steps are:
(1) Prepare — establish the risk management context, assign roles, and identify mission priorities.
(2) Categorize — classify the information system using FIPS 199 criteria (Confidentiality, Integrity, and Availability impacts rated Low, Moderate, or High).
(3) Select — choose security controls from NIST SP 800-53 Rev 5, tailored to the categorization.
(4) Implement — deploy the selected controls and document the implementation.
(5) Assess — evaluate control effectiveness against the assessment procedures defined in NIST SP 800-53A.
(6) Authorize — the Authorizing Official accepts residual risk and issues an Authority to Operate (ATO).
(7) Monitor — ongoing control monitoring, continuous assessment, and system-level reporting.
Key outputs: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), and the Authorization Decision. These artifacts are audited by inspectors general, DCSA, and CMMC third-party assessment organizations (C3PAOs).
Who should use NIST RMF: Federal agencies, DoD contractors handling CUI, healthcare organizations pursuing FedRAMP authorization, and any organization where regulatory compliance with FISMA/CMMC is required. The RMF is prescriptive and documentation-heavy — appropriate for environments where demonstrating control effectiveness to a government auditor is the primary goal. For the full risk analysis methodology context, see the Compliance Risk Analysis Guide 2026.
ISO 27005:2022 — Information Security Risk Management
ISO/IEC 27005:2022 is the international standard for information security risk management, part of the ISO 27000 family, providing guidance for implementing the risk assessment and treatment requirements of ISO/IEC 27001:2022 (Clause 6.1 — Actions to Address Risks and Opportunities). The 2022 revision replaced the 2018 version's asset-based approach with a scenario-based approach better suited to modern threat landscapes including supply chain attacks and cloud-based risks.
ISO 27005:2022 follows a process model with four core activities:
Risk Identification — identifying information assets, threats, vulnerabilities, and existing controls.
Risk Analysis — estimating the likelihood and consequence of risk scenarios to produce risk levels.
Risk Evaluation — comparing risk levels against risk criteria to determine treatment priority.
Risk Treatment — selecting from four options: risk modification (implement controls), risk retention (accept), risk avoidance (eliminate the activity), or risk sharing (transfer or insure).
ISO 27005 does not prescribe a specific control catalog. Organizations typically align their control selection to Annex A of ISO/IEC 27001:2022, which contains 93 information security controls across four themes: Organizational, People, Physical, and Technological.
Regulatory alignment: ISO 27001 certification (which uses ISO 27005 methodology) is recognized under the EU NIS2 Directive (Article 21), accepted as a GDPR security measure demonstration, and referenced in the EU Cybersecurity Act. Many healthcare and financial regulators accept ISO 27001 certification as evidence of a mature risk program. For organizations with EU operations, ISO 27005/27001 provides the broadest cross-border regulatory coverage. See how vendor risk analysis requirements fit this framework in the Compliance Risk Analysis Guide 2026.
COSO ERM 2017 — Enterprise Risk Management Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management — Integrating with Strategy and Performance framework (2017) is the dominant ERM framework for public companies and is directly referenced in SEC guidance on enterprise risk disclosure. Unlike NIST RMF and ISO 27005, COSO ERM covers all enterprise risks affecting strategy achievement — financial, operational, compliance, reputational, and strategic — not just information security.
The framework organizes around five components and twenty principles:
Governance and Culture (Principles 1–5): Board risk oversight, operating structure, commitment to core values, talent attraction, and accountability. The board is expected to actively oversee — not merely receive reports on — enterprise risk.
Strategy and Objective-Setting (Principles 6–9): Applying ERM in strategic planning, defining risk appetite, evaluating business context, and identifying risks to achievement of objectives. Risk appetite — the amount of risk an organization is willing to accept in pursuit of value — is a COSO concept widely referenced in SOX compliance discussions and SEC risk factor disclosures.
Performance (Principles 10–14): Identifying risks, assessing severity (likelihood × impact), prioritizing responses, implementing treatments, and developing a portfolio view of risk.
Review and Revision (Principles 15–17): Monitoring substantial change, reviewing ERM performance, and pursuing improvement.
Information, Communication, and Reporting (Principles 18–20): Leveraging information systems, communicating risk information internally and externally, and reporting on risk, culture, and performance.
Regulatory alignment: COSO ERM 2017 is referenced in SEC staff guidance on risk factor disclosures under Regulation S-K. Public companies using COSO ERM align their enterprise risk disclosures with SEC expectations. For more on how risk programs support compliance reporting, see the Compliance Risk Analysis Guide 2026.
Side-by-Side Comparison: NIST RMF vs ISO 27005 vs COSO ERM
The structural differences to understand before choosing a framework:
Scope: NIST RMF focuses on information systems (IT risk). ISO 27005 focuses on information security risks to the organization's information assets. COSO ERM covers all enterprise risks — financial, operational, compliance, reputational, and strategic — making it the broadest scope of the three.
Prescriptiveness: NIST RMF is the most prescriptive — it specifies categorization criteria (FIPS 199), control catalogs (SP 800-53), assessment procedures (SP 800-53A), and required documentation artifacts. ISO 27005 is guidance-based — it describes a process without mandating specific methods or tools. COSO ERM is principles-based — it defines what mature ERM looks like without specifying implementation mechanics.
Primary audience: NIST RMF is designed for IT security teams and government auditors. ISO 27005 targets information security managers and certification auditors. COSO ERM targets boards, C-suites, and SEC/investor disclosure.
Regulatory drivers: NIST RMF is required for FISMA compliance and drives CMMC, FedRAMP, and DoD contractor certification. ISO 27005 supports ISO 27001 certification recognized under GDPR and NIS2. COSO ERM is referenced in SEC Regulation S-K guidance and is the standard for public company enterprise risk reporting.
Implementation cost: NIST RMF implementation for a mid-sized federal contractor: $200,000–$500,000+ annually. ISO 27001/27005 certification: $50,000–$150,000 initial, $20,000–$50,000 annually. COSO ERM implementation varies by existing maturity.
Combination strategies: Many organizations run multiple frameworks. A public company with DoD contracts may run NIST RMF for IT systems, COSO ERM for enterprise risk governance, and ISO 27001 for customer-facing security assurance. Use the Compliance Gap Analyzer to identify which framework requirements apply to your regulatory profile.
Selecting the Right Framework for Your Regulatory Environment
The right framework choice depends on your regulatory obligations, industry sector, and primary risk audience.
Federal agencies and federal contractors: NIST RMF is mandatory under FISMA (44 U.S.C. §3551) and CMMC. Build your risk program on SP 800-37 Rev 2 with SP 800-53 Rev 5 controls. COSO ERM can supplement for enterprise reporting.
Multinational organizations with EU operations: ISO 27001/27005 provides the broadest multi-jurisdiction coverage — GDPR compliance evidence, NIS2 alignment, and acceptance by European financial and telecom regulators. Layer COSO ERM for SEC disclosure if publicly traded in the U.S.
U.S. public companies without federal contracts: COSO ERM is the natural fit for SEC alignment. For information security specifically, consider ISO 27005 methodology or the NIST Cybersecurity Framework (CSF 2.0, published February 2024) as lighter-weight alternatives to the full NIST RMF.
Healthcare organizations: HIPAA's Security Rule risk analysis requirement (45 CFR §164.308(a)(1)) does not mandate a specific framework but requires an accurate and thorough assessment. NIST SP 800-66 Rev 2 (HIPAA Security Rule guidance, published February 2023) references NIST RMF concepts. ISO 27005 methodology is equally acceptable. COSO ERM adds value for organizations with enterprise risk committees and board-level oversight structures.
Framework convergence: NIST has published mapping guidance between SP 800-53 and ISO 27001 Annex A controls (NISTIR 8278) that simplifies maintaining alignment with multiple frameworks simultaneously. For organizations assessing third-party vendor risk as part of their framework, see the Third-Party Vendor Risk Management Guide.
Building a Risk Assessment That Survives Regulatory Audit
Regardless of which framework you choose, a defensible risk assessment shares characteristics that regulators and auditors universally look for:
Defined scope with documented rationale: State clearly what is in scope — which systems, which processes, which locations, which data types. Document why certain items are excluded. Scope gaps are a primary audit finding source under all three frameworks.
Documented methodology: Describe how likelihood and impact are measured. Use consistent, defined scales. Document who made the assessments, on what evidence, and at what date. An undocumented methodology produces results that collapse under adversarial questioning.
Specific threat and vulnerability enumeration: List concrete threats (phishing, ransomware, insider theft, supply chain compromise) and specific vulnerabilities (missing MFA, unpatched systems, excessive access rights). NIST SP 800-30 Rev 1 provides structured threat and vulnerability catalogs applicable across all three frameworks.
Residual risk acceptance with named accountable parties: After controls are documented, record who accepted residual risk, at what level, and on what date. NIST RMF requires the Authorizing Official to issue an ATO. COSO ERM requires Board/C-suite risk appetite documentation. ISO 27001 requires management-approved risk treatment plans and acceptance of residual risk.
Annual review cadence: HIPAA requires review on material changes. NIST RMF requires continuous monitoring with periodic reassessment. ISO 27001 requires annual management review. COSO ERM expects risk profile updates at each strategic planning cycle. The Compliance Risk Analysis Guide 2026 covers review frequency requirements by regulatory framework.
Frequently Asked Questions: Risk Assessment Framework Comparison
Is NIST RMF required for private companies not holding government contracts?
No — unless you contract with the federal government and handle Controlled Unclassified Information (CUI), which triggers DFARS 252.204-7012 and CMMC requirements that mandate NIST SP 800-171/800-53 controls. Private companies without federal contracts may choose any defensible framework. For organizations processing personal data of EU residents, ISO 27005 methodology aligns better with GDPR compliance evidence requirements. For HIPAA-covered entities, see the Compliance Risk Analysis Guide 2026 for how HIPAA risk analysis requirements align with NIST guidance. If you are a public company, COSO ERM aligns with SEC risk disclosure expectations under Regulation S-K.
Can an organization use multiple risk frameworks simultaneously?
Yes — and many large regulated organizations do. The most common combination is COSO ERM for enterprise risk governance and SEC disclosure, plus either NIST RMF or ISO 27005 for information security risk management. These frameworks address different audiences: COSO ERM communicates to boards and investors; NIST RMF and ISO 27005 serve technical security teams and auditors. The overhead of multiple frameworks is manageable when you maintain a single integrated risk register that maps to each framework's requirements rather than running fully separate processes. NIST's published crosswalk between SP 800-53 and ISO 27001 Annex A (NISTIR 8278) is the most practical tool for dual-framework programs.
What is the difference between a risk assessment and a business impact analysis (BIA)?
A risk assessment identifies threats, vulnerabilities, likelihood, and impact across the organization's assets and objectives — the output is a prioritized risk register used to drive control investment. A business impact analysis (BIA) focuses specifically on the consequences of operational disruptions — which processes are critical, what is the Maximum Tolerable Downtime (MTD), what are Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). BIAs are inputs to business continuity planning (ISO 22301) and disaster recovery programs. Under NIST RMF, both are required: the risk assessment drives control selection; the contingency planning controls (CP-2 through CP-10 in SP 800-53) drive the BIA and continuity plan. Use the Compliance Gap Analyzer to assess whether your program covers both.
See Where Your Risk Assessment Has Gaps
The free ComplianceStack Compliance Gap Analyzer maps your current risk assessment practices against NIST RMF, ISO 27005, and COSO ERM requirements. No signup required. Get a prioritized gap report in under five minutes.