There are software tools that have been designed to assist in risk assessment and, although the Standard does not mandate their use, it is practically impossible to carry out and maintain a useful risk assessment for an organisation that has more than about four workstations without using such a tool. It is essential that the risk assessment be completed methodically, systematically and comprehensively. An appropriate software tool designed with ISO 27001 in mind and kept up to date in terms of changing information security issues can be effective in this process.

The risk assessment is a complex and data-rich process and is made enormously simpler if you can use ready-made databases of threats and vulnerabilities. ...

Get Information Security Risk Management for ISO 27001/ISO 27002, third edition now with the O’Reilly learning platform.