CRAMM is applicable to all types of information systems and networks and can be applied at all stages in the information system lifecycle, from planning and feasibility, through development and implementation to live operation. CRAMM can be used whenever it is necessary to identify the security and/or contingency requirements for an information system or network. This may include:

• During strategy planning, where a high level risk analysis may be required to identify broad security or contingency requirements for the organisation and the relative costs and implications of their implementation
• At feasibility study stage, where a high level risk analysis may be required of potential solutions to identify the broad security or contingency requirements and associated costs of the different options
• During analysis of the detailed business and technical environments, where the security or contingency issues associated with the chosen option can be investigated or refined
• Prior to live running, to ensure that all required physical, procedural, personnel and technical security countermeasures have been identified and implemented
• At any point during live running, where there are concerns about security or contingency issues, eg. in response to a new or increased threat or following a security breach
• As part of regular security management, audit and change management programmes, to monitor both compliance and new requirements.

• contains Express mode for quick analysis
• contains Security Inspection mode to ensure that the required minimum standards are applied and continue to be applied, to maintain an organisation’s focus on the importance of security and as part of an ongoing security education and awareness programme.
• provides you the easy comparison of your compliance level with the standard ISO/IEC 27001:2005
• contains a library of 3500 countermeasures that completely comply with ISO/IEC 27002:2005.