We’ve already looked at the ISO 27001 risk assessment in the context of the ERM framework and in relation to the PDCA process model. This chapter provides an overview of the steps that ISO 27001 specifically requires, identifies some gaps, and introduces the additional best-practice guidance available in ISO 27002, ISO 27005 and BS 7799-3.

We want to remind readers, at this point, that there is an important difference between a specification and a code of practice. A specification, such as ISO 27001, sets out specific requirements that, if followed, will allow a management system to receive a third-party certificate of conformity. A code of practice, such as ISO 27002, ISO 27005 or BS 7799-3, provides ...

From Information Security Risk Management for ISO 27001/ISO 27002, third edition.