CHAPTER 3: RISK MANAGEMENT OBJECTIVES

We noted in chapter 1 that most organisations probably already have in place a range of risk assessment approaches, driven perhaps by regulation as much as by the board’s desire to meet its fiduciary duties to shareholders and other stakeholders in the organisation.

Risk acceptance or tolerance

An organisation’s risk acceptance criteria (which we discussed in chapter 1) are defined in its overall approach to risk management and are contained in its information security policy.

ISO 27001 says that the ISMS policy must be “compatible with the strategic direction of the organization” (Clause 5.1), which may include the organisation’s ERM framework if it already has one in place. What this means ...
