Chapter 3. Risk Assessment
Any organisation pursuing ISO27001 certification for its information security management system will need an approach to risk assessment that meets the requirements of ISO/IEC 27001:2005. Clause 4.2.1 b) of ISO27001 requires the organisation to take an explicitly risk-based approach to the selection and operation of information security controls.
Risk management is a discipline for dealing with non-speculative risks, those risks from which only a loss can occur. In other words, speculative risks can be seen as the subject of an organisation’s business strategy whereas non-speculative risks, which can reduce the value of the assets with which the organisation undertakes its speculative business activity, ...