For an organization that wants to understand its
information security needs, OCTAVE® (Operationally
Critical Threat, Asset, and Vulnerability Evaluation℠)
is a risk-based strategic assessment and planning
technique for security.

OCTAVE is self-directed. A small team of people from
the operational (or business) units and the IT
department works together to address the security needs
of the organization. The team draws on the knowledge
of many employees to define the current state of
security, identify risks to critical assets, and set a
security strategy.

OCTAVE is flexible. It can be tailored for most
organizations.

OCTAVE is different from typical technology-focused
assessments. It focuses on organizational risk and
strategic, practice-related issues, balancing
operational risk, security practices, and technology.
As the figure illustrates, the OCTAVE approach is driven
by operational risk and security practices. Technology
is examined only in relation to security practices.

The OCTAVE criteria define a standard approach for a
risk-driven, asset- and practice-based information
security evaluation. There are currently two
recognized methods that meet the OCTAVE criteria, and
other methods are under development by third parties.
The recognized methods are:

OCTAVE Method: for large organizations
OCTAVE-S: for smaller organizations