We’ve already looked at the ISO 27001 risk assessment in the context of the ERM framework and in relation to the PDCA process model. This chapter provides an overview of the steps that ISO 27001 specifically requires, identifies some gaps, and introduces the additional best-practice guidance available in ISO 27002, ISO 27005 and BS 7799-3.37

We want to remind readers, at this point, that there is an important difference between a specification and a code of practice. A specification, such as ISO 27001, sets out specific requirements that, if followed, will allow a management system to receive a third-party certificate of conformity. A code of practice, such as ISO 27002, ISO 27005 or BS 7799-3, provides ...