Any organisation pursuing ISO27001 certification for its information security management system will need an approach to risk assessment that meets the requirements of ISO/IEC27001:2013. Clause 6.1.2 of ISO27001 requires the organisation to take an explicitly risk-based approach to the selection and operation of information security controls.10 The approach to risk in ISO27001:2013 can be described as scenario-based rather than asset-based; each risk is treated across the entire organisation rather than on an asset-by-asset basis.

Risk management

Risk management is a discipline for dealing with non-speculative risks – those risks from which only a loss can occur. In other words, speculative risks can be seen as ...
