Faced with growing pressure from regulators (DORA, NIS2) and boards of directors, security and risk teams must justify their priorities with recognised methods. Two approaches dominate: FAIR, an American quantitative method standardised by The Open Group, and ISO 27005, a qualitative method rooted in the ISO 27000 family. How do you choose? And more importantly, do you really need to choose?
What is FAIR?
FAIR (Factor Analysis of Information Risk) is a quantitative method published as an Open Group standard (O-RT and O-RA). It breaks risk down into two main components: loss event frequency (LEF) and loss magnitude (LM). Each component is further refined by sub-factors: threat event frequency, vulnerability, primary losses, secondary losses.
FAIR expresses risk in monetary terms, with statistical distributions (often simulated by Monte Carlo over 10,000 to 100,000 iterations) that produce annual loss exceedance curves (LEC). For example: "There is a 10% chance this risk will cost more than €2.4M over a year, median value €800k."
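To make the decomposition concrete, here is an added worked example (written for this page; it is not code from the article, from ResiPlan or from the Open Group standard). It implements the FAIR chain described above in plain Python: threat event frequency (TEF) and vulnerability are sampled from PERT distributions calibrated as min / most likely / max, their product gives the loss event frequency (LEF), each loss event draws a primary loss and, with some probability, a secondary loss from lognormal distributions, and the annual totals from many Monte Carlo iterations are summarised as percentiles and a loss exceedance curve. The scenario values, the `SCENARIO` dictionary and all function names are constructed for illustration and are not the article's figures.

```python
import math
import random

# Constructed scenario (illustrative figures, not from the article or any real assessment).
# tef / vulnerability are PERT triples (min, most likely, max); losses are lognormal
# parameters derived from a median and a 90th-percentile estimate (see lognormal_params).
SCENARIO = {
    "tef": (0.5, 2.0, 6.0),           # threat events per year
    "vulnerability": (0.1, 0.3, 0.6),  # probability a threat event becomes a loss event
    "primary_loss": None,              # filled below via lognormal_params
    "secondary_prob": 0.4,             # probability a loss event also triggers secondary losses
    "secondary_loss": None,
}


def lognormal_params(median, p90):
    """Convert a (median, 90th percentile) estimate into lognormal (mu, sigma).

    For a lognormal, ln(X) is normal with mean mu = ln(median); the 90th percentile
    of a standard normal is 1.28155, so sigma = (ln p90 - ln median) / 1.28155.
    """
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / 1.28155
    return mu, sigma


SCENARIO["primary_loss"] = lognormal_params(200_000, 800_000)
SCENARIO["secondary_loss"] = lognormal_params(100_000, 600_000)


def pert(rng, low, mode, high, lam=4.0):
    """Sample from a PERT distribution (a rescaled beta) bounded by low/high."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(a, b)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly rates of FAIR scenarios."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, iterations=10_000, seed=42):
    """Return one simulated annual loss per iteration (the FAIR risk distribution)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        tef = pert(rng, *scenario["tef"])
        vuln = pert(rng, *scenario["vulnerability"])
        n_events = poisson(rng, tef * vuln)          # loss event frequency for this year
        total = 0.0
        for _ in range(n_events):
            total += rng.lognormvariate(*scenario["primary_loss"])
            if rng.random() < scenario["secondary_prob"]:
                total += rng.lognormvariate(*scenario["secondary_loss"])
        losses.append(total)
    return losses


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, q):
    """Empirical q-quantile (0 <= q <= 1) of the simulated annual losses."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def loss_exceedance_curve(losses, thresholds):
    """List of (threshold, exceedance probability) pairs, as plotted in an LEC."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


if __name__ == "__main__":
    annual = simulate(SCENARIO)
    print(f"median annual loss: {percentile(annual, 0.5):,.0f} EUR")
    print(f"90th percentile:    {percentile(annual, 0.9):,.0f} EUR")
    for threshold, prob in loss_exceedance_curve(annual, [100_000, 500_000, 1_000_000, 2_500_000]):
        print(f"P(loss > {threshold:>9,.0f}) = {prob:.1%}")
```

The output of the script is the kind of statement the article quotes ("there is an X% chance this risk costs more than Y over a year"). The design choice worth noting is the calibration step: experts are asked for bounded ranges and a median/90th-percentile pair rather than point values, which is what limits the "illusory precision" problem discussed later on the page; the sampled distributions carry that uncertainty through to the curve instead of hiding it in a single number.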
What is ISO 27005?
ISO 27005:2022 is the risk management method associated with ISO 27001. It follows the cycle of risk identification, analysis, evaluation and treatment. Traditionally qualitative, it uses scales (low, medium, high, critical) and likelihood × impact matrices.
The 2022 version introduces more mature concepts: risk scenarios based on threat sources, primary and supporting assets, explicit risk criteria. ISO 27005 integrates with EBIOS Risk Manager (ANSSI) in many French contexts.
Detailed comparison
| Criterion | FAIR | ISO 27005 |
|---|---|---|
| Nature | Quantitative (€/$) | Qualitative / semi-quantitative |
| Origin | Open Group, 2005 | ISO/IEC, 2008 (v2022) |
| Unit of measure | Annualised losses, distributions | Risk levels |
| Target audience | Board, CFO, CISO | CISO, audit, certification |
| Entry effort | High (data, calibration) | Moderate |
| Learning curve | Steep (statistics, Monte Carlo) | Gentle |
| Regulatory recognition | Strong in US, growing in EU | Native ISO 27001, NIS2 |
| Tooling | RiskLens, FAIR-U, spreadsheets | Numerous, including EBIOS RM |
| Cross-company comparability | High (€/$) | Low (subjective scales) |
FAIR strengths and limits
Strengths:
- Translates risk into business language (euros, dollars)
- Enables return on investment (ROI) analysis of controls
- Compatible with advanced statistical modelling (lognormal and PERT distributions, bootstrap resampling)
- Aligns security, finance and top management on a common vocabulary
Limits:
- Demands historical data and expert calibration
- Risk of "illusory precision" if assumptions are not challenged
- Less suited to rare and catastrophic risks (black swans)
- Requires solid training (Open FAIR, FAIR Institute certifications)
ISO 27005 strengths and limits
Strengths:
- Massive adoption, recognised by ISO 27001 certifications
- Natural integration with ISMS and security policies
- Covers the full cycle (identification to improvement)
- Lower initial implementation cost
Limits:
- Subjective scales (what counts as "high" varies between assessors)
- Difficult to aggregate and compare risks of different natures
- Poorly suited to fine-grained budget trade-offs
- Tendency toward bureaucratisation if poorly tooled
How to choose
The choice depends on target audience and maturity level:
- Start-up or SME beginning an ISMS: ISO 27005 is more accessible and aligns with ISO 27001 certification
- Large enterprise subject to DORA: FAIR delivers the financial quantification expected by regulators and boards
- Public sector: EBIOS RM (aligned with ISO 27005) remains the ANSSI reference
- Organisation with a CISO reporting to the CFO: FAIR creates a common language
- ISO 27001/22301 certification project: ISO 27005 is unavoidable
The hybrid approach: best of both worlds
In practice, mature organisations combine both methods. ISO 27005 structures the overall process (exhaustive identification, asset mapping, treatment) while FAIR is applied to the 20 to 50 top risks that concentrate financial exposure. This approach satisfies both ISO auditors and finance leadership.
Learn more
ResiPlan natively supports 36 risk methodologies, including ISO 27005, ISO 31000, EBIOS RM, FAIR with an integrated Monte Carlo engine, Bow-Tie and fault trees. Teams can model the same scenario qualitatively and quantitatively, producing both the risk matrix for the ISO audit and the annualised loss curve for the board.
- Risk Manager solution (36 methodologies)
- EBIOS RM: Complete Guide to the 5 Workshops
- CISO and operational resilience solution
- Pricing and demo
Sources: Open Group Standard O-RT/O-RA, ISO/IEC 27005:2022, EBIOS Risk Manager (ANSSI 2018), FAIR Institute benchmarks 2025.