We noted in chapter 1 that most organisations will probably already have in place a range of risk assessment approaches, driven perhaps by regulation as much as by the board’s desire to meet its fiduciary duties to shareholders and other stakeholders in the organisation.

Risk acceptance or tolerance

An organisation’s risk acceptance criteria (which we discussed in chapter 1) are defined in its overall approach to risk management and are contained in its information security policy.

ISO 27001 says that the ISMS policy must be “compatible with the strategic direction of the organization” (Clause 5.1), which may include the organisation’s ERM framework if it already has one in place. What this means ...
