
Information Security Risk Management for ISO27001/ISO27002 by Steve Watkins, Alan Calder


CHAPTER 1: RISK MANAGEMENT [9]

‘Risk’, says NIST, [10] is the ‘net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence’. [11] ISO27001, the international information security standard, doesn’t define risk, although it does provide definitions for the whole range of risk-related activities. ISO/IEC 27000:2009 Information Security Management Systems – Overview and Vocabulary (ISO27000) defines risk in the same way as does ISO Guide 73:2002, [12] which is that risk is the ‘combination of the probability of an event and its occurrence’.

The NIST definition of risk is in line with that used in ISO27000, and is the first indicator that a risk assessment that will meet the requirements of ISO27001 will ...
