CHAPTER 1: RISK MANAGEMENT

“Risk”, says NIST [7], is the “measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impact that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” [8] ISO/IEC 27000:2018 Information security management systems – Overview and vocabulary (ISO 27000) defines risk as the “effect of uncertainty on objectives”, with a subsidiary note stating that “Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence”.

The NIST definition of risk is in line with that used in ISO 27000, and is the first indicator that ...
