‘Risk’, says NIST [10], is the ‘net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence’ [11]. ISO27001, the international information security standard, doesn’t define risk, although it does provide definitions for the whole range of risk-related activities. ISO/IEC 27000:2009 Information Security Management Systems – Overview and Vocabulary (ISO27000) defines risk in the same way as does ISO Guide 73:2002 [12], which is that risk is the ‘combination of the probability of an event and its occurrence’.

The NIST definition of risk is in line with that used in ISO27000, and is the first indicator that a risk assessment that will meet the requirements of ISO27001 will ...