CHAPTER 5: OVERVIEW OF THE RISK ASSESSMENT PROCESS

ISO 27001 says that the ‘criteria against which risk will be evaluated’ must be contained within the ISMS policy (ISO 27001 clause 4.2.1 b3). Within the context provided by the policy, the organization must identify a suitable risk assessment methodology that takes into account the identified business, information security, legal and regulatory requirements (4.2.1 c1), and must ensure that the criteria for accepting risks and for identifying the acceptable level of risk are defined (4.2.1 c2).

ISO 27001 says that the organization’s risk assessment methodology – which should reflect the organization’s risk appetite and/or sit within the existing Enterprise Risk Management (‘ERM’) structure – must ...

Get Risk Assessment for Asset Owners now with the O’Reilly learning platform.
