CHAPTER 3: RISK ASSESSMENT
Any organisation pursuing ISO27001 certification for its information security management system will need an approach to risk assessment that meets the requirements of ISO/IEC27001:2013. Clause 6.1.2 of ISO27001 requires the organisation to take an explicitly risk-based approach to the selection and operation of information security controls.10 The approach to risk in ISO27001:2013 can be described as scenario-based rather than asset-based; each risk is treated across the entire organisation rather than on an asset-by-asset basis.
Risk management is a discipline for dealing with non-speculative risks – those risks from which only a loss can occur. In other words, speculative risks can be seen as ...