We noted in Chapter 1 that most organisations probably already have in place a range of risk assessment approaches, driven perhaps by regulation as much as by the board’s desire to meet its fiduciary duties to shareholders and other stakeholders in the organisation.

Risk acceptance or tolerance

An organisation’s risk acceptance criteria (which we discussed in Chapter 1) are defined in its overall approach to risk management and are contained in its information security policy.

ISO27001 says that the ISMS policy must ‘align with the organization’s strategic risk management context’ (clause 4.2.1 – b3) or its ERM framework, if it already has one in place. What this means is that the organisation, ...
