Risk assessment is at the heart of the ISMS. Understanding its significance to the overall process is critical, and is one of the keys to project success. The board adopts an information security policy because there are a number of significant risks to the availability, confidentiality and integrity of the organisation’s information, and it mandates the design and deployment of an ISMS in order to ensure that its policy is systematically and comprehensively implemented. The policy must, therefore, reflect the board’s assessment of information security risks and opportunities. This doesn’t mean the board needs to carry out a detailed risk assessment itself, but it does need to set out a clear, overall approach to risk ...

Source: Nine Steps to Success: An ISO27001:2013 implementation overview (O’Reilly online learning).