An ISO 27001-compliant information security management system (ISMS), developed and maintained according to defined risk acceptance and rejection criteria, is an extremely useful management tool. The risk assessment process, however, is often the most difficult and complex part to manage, and it frequently requires external assistance.
ISO 27001 explicitly requires compliant organizations to carry out risk assessments based on agreed risk acceptance criteria that must be used when analyzing risk.
This green paper explains and unravels some of the issues surrounding the risk assessment process, covering:
- The three stages of the ISO 27005 risk assessment process: risk identification, analysis, and evaluation
- Risk assessment and the ISO 27001 Statement of Applicability
- How to use risk assessments to achieve maximum benefits from minimum security costs
- How risk assessments fit into the continuous improvement cycle