The next planning step is the information security risk assessment. Risk assessment is dealt with in clauses 4.2.1.c, d, f and g of ISO27001, supported by the guidance of ISO27002 Clause 4.

This is the second area in which the two standards are directly complementary. ISO27001 specifies the risk assessment steps that must be followed; ISO27002, in its Clause 4, gives further guidance on the risk assessment process but deliberately stops short of prescribing how the assessment itself is to be carried out. This is because every organisation is encouraged to choose the approach most applicable to its industry, complexity and risk environment.

Link to ISO/IEC 27005

ISO27005 has been ...

Get ISO27001 / ISO27002 A Pocket Guide now with O’Reilly online learning.