CHAPTER 5: OVERVIEW OF THE RISK ASSESSMENT PROCESS

ISO27001 says that ‘criteria against which risk will be evaluated’ must be contained within the ISMS policy (ISO 27001 clause 4.2.1 - b3). Within the context provided by the policy, the organization must identify a suitable risk assessment methodology that takes into account identified business, information security, legal and regulatory requirements (4.2.1 -c1) and must ensure that the criteria for accepting risks and for identifying the acceptable level of risks are defined (4.2.1 - c2).

ISO27001 says that the organization’s risk assessment methodology – which should reflect the organization’s risk appetite and/or sit within the existing Enterprise Risk Management (‘ERM’) structure – must ...
