Completing your Information Security Risk Assessment
Conducting an information security risk assessment is the foundation of information security management. Information security management decisions are driven by the outcomes of a risk assessment: the decisions made about each identified risk and the specific information assets it affects.
A risk assessment enables expenditure on controls to be balanced against the business harm that may result from security failures.
Information security is rapidly overtaking physical asset protection or physical security as a fundamental IT governance responsibility.
Information security management is defined as 'the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments (ROI) and business opportunities', and is becoming a critical business discipline globally, in both the private and public sectors.
ISO/IEC 27001 is a specification setting out the requirements for an information security management system (ISMS).
ISO27001 is explicit in requiring that a risk management process be used to review and confirm the selection of security controls in light of regulatory, legal and contractual obligations, and other business objectives.
An ISMS developed and based on risk acceptance/rejection criteria, and using accredited third party certification to provide an independent verification of the level of assurance, is an extremely useful management tool. An ISMS offers the opportunity to define and monitor service levels internally as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.
There are a number of other information security and risk assessment standards that support or are similar to ISO27001, including:
- ISO/IEC 27032 (cyber security)
- NIST SP 800
- ISO 27005
- Cloud Controls Matrix
- Twenty Critical Controls for Cyber Security
ISO27001 provides a practical solution to the requirements of a range of international data protection and privacy laws and regulations.
ISO 27001 also helps organisations to counter the increasingly sophisticated and varied range of information security threats more cost-effectively.
As a result, a growing number of private and public sector organisations around the world are seeking certification to ISO 27001, with an annual ISO 27001 certification growth rate of over 13%.
Read the following informative blog posts on conducting ISO27001-compliant risk assessments:
- Conducting risk assessments with ISO27001 – a primer
- The lead risk assessor’s role in risk assessments
- Getting started with risk assessments: choosing the appropriate risk assessment methodology
- Conducting an asset-based risk assessment in ISO27001:2013
- Identifying assets in an asset-based risk assessment
- The information security risk assessment: identifying threats
- Assigning impact and likelihood values in an asset-based information security risk assessment