Information security risk assessments
Information security management can be described as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investment. As a result, the identification, mitigation, and management of risks to information security are vital for the future sustainability of any organization.
ISO 27001 and risk assessments
The international information security management standard, ISO 27001, lays out the requirements for developing, implementing, and maintaining an information security management system (ISMS).
ISO 27001 explicitly requires compliant organizations to carry out risk assessments based on the agreed risk acceptance criteria that must be used when analyzing risk. Risk assessments must produce consistent, valid, and comparable results.
Information security management decisions are driven by the findings of the risk assessment. Risk assessments enable expenditure on controls to be balanced against the business harm likely to result from security failures.
The risk assessment sits at the core of ISO 27001 and supports the continual improvement of the ISMS, a key requirement for ISO 27001 registration.
Risk assessment resources
Risk assessment standards
ISO/IEC 27005:2011—The international standard that provides guidelines for information security risk management, ISO 27005 is designed to complement ISO 27001 and assist in the satisfactory implementation of information security based on a risk management approach.
NIST SP 800-53—NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recovery.
Risk assessment and risk management training
Learn the techniques to undertake an information security risk assessment and apply best-practice risk management strategies based on the guidance outlined in ISO 27005 and ISO 27001.
Risk assessment software
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO 27001 without using a specialist information security risk assessment tool. IT Governance recommends vsRisk™, a professional information security risk assessment tool that has been specifically designed to carry out a risk assessment that meets the requirements of ISO 27001.
vsRisk is available in two formats:
vsRisk is straightforward and easy to use, and it can save you a significant amount of money that you might otherwise spend on consultancy advice at this stage of the project.