The Continuous Process Improvement–Risk, Information Security, and Compliance (CPI-RISC) Methodology is a pragmatic, business-oriented, standards-based approach to information security.


Many businesses and organizations know that their information security is inadequate. Most are trying to address the problem, but face many obstacles. Often the largest obstacle is not knowing how to address information security systematically, in a way that makes sense for the organization. As a result, many organizations spend money on information security yet, at the end of the year, have difficulty showing how they have improved security and reduced information risk.

CPI-RISC was developed to help organizations create sustainable information security programs and demonstrate measurable improvement over time.

CPI-RISC uses a continuous process improvement cycle, adapted for information security. The three steps are:

The methodology is based on well-known industry standards from ISO, the SANS Institute, and the Software Engineering Institute.


Recent Publications

Introduction to CPI-RISC

An introduction to the methodology that explains why it was developed and how it works.

PDF file (available soon)

CPI-RISC Information Risk Framework

The CPI-RISC Information Risk Framework (IRF) was developed as a tool to assess and treat information- and IT-related risks.

PDF file (English)