In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to “ensure business continuity, minimise business risk, and maximise return on investments and business opportunities”. The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management.
This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001. Drawing on international best practice including ISO/IEC 27005 and BS7799-3, the book explains in detail how to do an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities. It includes advice on choosing risk assessment software. The guidance will enable your organisation to achieve optimum return on investment when selecting and implementing information security controls.