
From Business Process to Cyber Protection: The Cyber Security and Resilience Method (CSRM) Explained

08 December 2025

Be honest: When was the last time you stared at a risk matrix wondering whether the likelihood of a ransomware attack on that specific server should be rated “low” or “medium”? We all know those endless Excel sheets where we try to predict the future—only to end up surprised anyway.

At the end of November 2025, the Swiss Federal Office for Cybersecurity (BACS) published a new approach that tackles exactly this challenge: the Cyber Security and Resilience Method (CSRM).

Seasoned security professionals may initially raise an eyebrow. Another framework? Do we really need something new on top of ISO/IEC 27001, NIST CSF, BSI Grundschutz and the rest?
But anyone who takes the time to read the accompanying documents will notice: the approach is far from misguided. And while many elements aren’t entirely new, they are packaged in a practical and business-friendly way.

In this article, we break down the CSRM into its core components, compare it with classical methods, and examine whether this could become the new gold standard for planning and steering cybersecurity efforts in Swiss organizations.

What Exactly Is the CSRM?

The CSRM is not a rigid framework but a structured method to strengthen an organization’s cyber-resilience—regardless of size or industry. It is strongly inspired by the NIST Cybersecurity Framework (CSF) but extends it with key aspects, especially the process-centric view known from Business Continuity Management (BCM).

The major differentiator: CSRM explicitly abandons probability-based risk assessments. Instead of guessing how likely an event is, the method asks:
What must not happen under any circumstances?

Another requirement: combining hardware and software components into logical units called IT protection objects. This isn’t entirely new either, but other standards often leave “assets” open to interpretation.

The 5-Step CSRM Process at a Glance

The method follows a clear path that forces IT security experts and business leaders to sit at the same table (something we’ve been wanting for years):

  1. Analyse critical business activities
    Everything begins with the business. Which processes—service delivery or production—are critical to achieving the organization’s strategic and economic objectives?
  2. Identify IT protection objects
    Which IT resources (hardware, platforms, applications, data) support these processes? Instead of assessing every single asset individually, multiple components are aggregated into protection objects.
  3. Determine protection requirements
    This step is binary: Does a violation of confidentiality, integrity, or availability cause an unacceptable deviation from the process objective? If yes, the protection requirement is high.
  4. Security Design
    For protection objects with elevated protection requirements, a threat modelling process (e.g., STRIDE-LM) is conducted, and additional technical and organizational measures (TOMs) are defined.
  5. Implementation
    Baseline requirements (mandatory for all protection objects) and any additional measures (based on the security design) are implemented.
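The five steps above, worked through in code as an added illustration (not material from BACS or the CSRM documents): a constructed business activity with a maximum allowable deviation per protection goal, a protection object aggregating several components, the binary Step 3 decision, and Step 5 measure selection, where baseline requirements apply unconditionally and threat-modelling TOMs are added only where the requirement is high. The 0-3 deviation scale, the activity, component and measure names are all assumptions made for the example.

```python
from dataclasses import dataclass

GOALS = ("C", "I", "A")  # confidentiality, integrity, availability

@dataclass
class BusinessActivity:
    name: str
    critical: bool
    # Step 1: maximum allowable deviation from the process objective per goal,
    # on a constructed 0-3 scale (0 = no deviation tolerated, 3 = any deviation tolerated).
    max_deviation: dict

@dataclass
class ProtectionObject:
    name: str
    components: list  # Step 2: hardware, platforms, applications, data as one logical unit
    # Deviation that a violation of each goal would cause, per supported activity.
    impact: dict      # {activity_name: {"C": n, "I": n, "A": n}}

# Baseline requirements apply to every protection object; no likelihood debate.
BASELINE = ["offline backups", "malware protection", "patch management", "MFA"]

def protection_requirement(obj, activities):
    """Step 3, binary per goal: 'high' if violating the goal pushes any critical
    supported activity beyond its maximum allowable deviation, else 'normal'."""
    by_name = {a.name: a for a in activities}
    return {
        goal: "high" if any(by_name[act].critical and devs[goal] > by_name[act].max_deviation[goal]
                            for act, devs in obj.impact.items()) else "normal"
        for goal in GOALS
    }

def plan_measures(obj, requirement, threat_model_toms):
    """Steps 4/5: baseline for all objects; threat-modelling TOMs only for high goals."""
    measures = list(BASELINE)
    for goal in GOALS:
        if requirement[goal] == "high":
            measures.extend(threat_model_toms.get(goal, []))
    return measures

# Constructed sample data: one critical and one non-critical activity, one ERP object.
ACTIVITIES = [
    BusinessActivity("order processing", critical=True, max_deviation={"C": 2, "I": 0, "A": 1}),
    BusinessActivity("internal newsletter", critical=False, max_deviation={"C": 3, "I": 3, "A": 3}),
]
ERP = ProtectionObject("ERP platform",
                       components=["erp-db-01", "erp-app-01", "erp-web-01", "customer orders dataset"],
                       impact={"order processing": {"C": 1, "I": 2, "A": 3},
                               "internal newsletter": {"C": 0, "I": 0, "A": 3}})
# Constructed output of a threat-modelling session (e.g. STRIDE-LM) for the ERP object.
ERP_TOMS = {"I": ["database integrity monitoring", "change approval workflow"],
            "A": ["tested restore within process tolerance", "redundant application nodes"]}

if __name__ == "__main__":
    req = protection_requirement(ERP, ACTIVITIES)  # {'C': 'normal', 'I': 'high', 'A': 'high'}
    print(req, plan_measures(ERP, req, ERP_TOMS))
```

Note that the non-critical newsletter activity never raises a requirement even though the ERP's availability impact on it is total; only deviations on critical activities count.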

CSRM vs. BCM and ISO 27001: What’s the Difference?

For CISOs and security managers, this comparison is crucial. Does CSRM replace my ISMS or my BCM?

The Business Impact Analysis (BIA) question

Traditional Business Continuity Management (BCM) and IT Service Continuity Management (ITSCM) typically start with a detailed BIA. CSRM incorporates this idea: Step 1 is essentially a focused BIA.
The concept of zeroing in on critical processes and clarifying technical dependencies (Step 2) is also not new. But since BIAs in practice often lack focus or technical depth, CSRM’s explicit push here is welcome.

There are, however, material differences.
For example:

  • CSRM does not rely on traditional BCM metrics like RTO or RPO.
  • Instead, it demands defining the maximum allowable deviation from process objectives.

CSRM also applies exclusively to cyber risks, whereas BCM covers a much broader spectrum.
Where BCM often uses classical risk analyses (including likelihood), CSRM evaluates risks without probability and relies on threat modelling instead.

ISO 27001 and the «Paper Tiger» problem

ISO 27001 is the leading standard for certifications globally and in Switzerland. While lean implementations are absolutely feasible, some organizations end up creating documentation monsters—paper-heavy, process-heavy, and only partly reflected in reality.

A quick comparison:

  • ISO 27001
    Based on the PDCA cycle. Requires a comprehensive risk assessment.
  • CSRM
    A hands-on guide for practical action. Defines baseline requirements that must always be implemented—no debate about whether backups or malware protection are “worth the risk”. Is not a management system but a work tool. Can complement an ISO ISMS or serve as an “ISMS light” for newcomers.

So, Does the Method Deliver? An Evaluation

No method is perfect. Here’s our take on what CSRM does well and where it faces limitations.

The Positives (Pro)

  • Practical in application: A clear, structured method with step-by-step guidance. Templates and tools are planned (but not yet released).
  • Eliminates the illusion of probability: With zero-days and supply-chain attacks on the rise, guessing likelihoods is futile. CSRM says: If the impact is unacceptable, we protect. Period.
  • Resilience-first mindset: It’s not just about keeping attackers out but ensuring the business keeps running, even after an incident. Given today’s threat landscape, this mindset is essential.
  • Clear communication between business and IT: Processes and objectives translate neatly into protection objects and measures.

Challenges (Con)

  • Cultural shift required: Moving from asset lists to aggregated protection objects requires a mindset shift. Organizations with inventory lists tied strictly to hardware serial numbers must learn to abstract.
  • No certification (yet): ISO certifications build customer trust. CSRM is currently an internal improvement method.
  • Duplication risk: Organizations with mature ISO 27001 systems and full ICT Minimal Standard adoption may hesitate to rework documentation. BACS offers mappings, but effort remains.
  • Not as lightweight as it seems: CSRM requires substantial documentation: process diagrams, structured data, protection object descriptions, lists of associated components, threat-modelling outputs, TOMs, and object-specific security concepts.

FAQ: Frequently Asked Questions About CSRM

Is CSRM mandatory?
No. It may eventually replace the ICT Minimal Standard for certain critical infrastructures (energy sector, etc.), but regulators must decide this.

Does CSRM replace ISO 27001?
No. ISO 27001 is an international management standard.
CSRM is a method for achieving cyber resilience.
However, CSRM can support ISO compliance, particularly in risk treatment and control selection.

Is CSRM suitable for SMEs?
Absolutely. By eliminating probability assessments and relying on baselines plus clear “if-then” logic for critical processes, CSRM is far more approachable than a full ISO implementation.

Conclusion

The Cyber Security and Resilience Method (CSRM) breaks away from the pseudo-precision of traditional risk models and focuses on what truly matters: keeping business processes alive and ensuring resilience in the face of attacks.

Its strong emphasis on resilience is timely. In a world where we must assume systems will be breached, the ability to recover and continue operations is more valuable than the most sophisticated firewall.

For IT security leaders, the takeaway is simple:
Explore the method. Even if you don’t adopt it fully, the concepts of aggregated protection objects and the shift away from probability can provide powerful inspiration for strengthening your security architecture against ransomware and other threats.