INFORMATION SECURITY RISK MANAGEMENT FRAMEWORK

Many commentators on information security talk about an Information Security Management System (ISMS). This is really an information security risk management system. ISO/IEC 27000:2018 makes this clear in paragraph 4.4, Why an ISMS is important, by stating ‘Risks associated with an organization’s information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organization.’

Rather than stating a number of principles which must be adhered to, we believe that a picture is worth a thousand words. Figure 16.1 shows a typical ...