
Information security risk assessments

Information security management can be described as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investment. As a result, the identification, mitigation, and management of risks to information security are vital for the future sustainability of any organization.


ISO 27001 and risk assessments

The international information security management standard, ISO 27001, lays out the requirements for developing, implementing, and maintaining an information security management system (ISMS).

ISO 27001 explicitly requires compliant organizations to carry out risk assessments against agreed risk acceptance criteria, which must be applied consistently whenever risk is analyzed. Risk assessments must produce consistent, valid, and comparable results.

Information security management decisions are driven by the findings of the risk assessment. Risk assessments enable expenditure on controls to be balanced against the business harm likely to result from security failures.

The risk assessment sits at the core of ISO 27001 and supports the continual improvement of the ISMS, a key requirement for ISO 27001 registration.


Risk assessment resources

Risk assessment standards

  • ISO/IEC 27005:2011—The international standard that provides guidelines for information security risk management. ISO 27005 is designed to complement ISO 27001 and to assist in the satisfactory implementation of information security based on a risk management approach.
  • NIST SP 800-53—NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems, in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The security controls cover 17 areas, including access control, incident response, business continuity, and disaster recovery.

Useful knowledge


Risk assessment and risk management training

Learn the techniques to undertake an information security risk assessment and apply best-practice risk management strategies based on the guidance outlined in ISO 27005 and ISO 27001.


Risk assessment software

It is extremely difficult to carry out a risk assessment that meets the requirements of ISO 27001 without using a specialist information security risk assessment tool. IT Governance recommends vsRisk™, a professional information security risk assessment tool designed specifically to carry out a risk assessment that meets the requirements of ISO 27001.

vsRisk is available in two formats:

vsRisk is straightforward and easy to use, and it can save you a significant amount of money that you might otherwise spend on consultancy advice at this stage of the project.