CHAPTER 3: RISK MANAGEMENT OBJECTIVES
We identified, in chapter 1, the probability that most organisations already have in place a range of risk assessment approaches, driven perhaps by regulation as much as by the board’s desire to meet its fiduciary duties to shareholders and other stakeholders in the organisation.
Risk acceptance or tolerance
An organisation’s risk acceptance criteria (which we discussed in chapter 1) are defined in its overall approach to risk management and are contained in its information security policy.
ISO 27001 says that the ISMS policy must be “compatible with the strategic direction of the organization” (Clause 5.1), which may include the organisation’s ERM framework if it already has one in place. What this means ...