ISO27001 Risk Assessments

ISO27001 is the international best practice standard for an Information Security Management System (ISMS). At the core of Information Security Management is the competency of Risk Assessment.

In today’s information economy, the protection of information assets – ‘information security’ – is rapidly overtaking physical asset protection as a fundamental board governance responsibility.

You can find out more about Risk Assessment Standards, Risk Assessments, and Risk Assessment Tools by reading this page in full below.

Risk Assessment Standards

An ISMS developed and based on risk acceptance / rejection criteria, and using third party accredited certification to provide an independent verification of the level of assurance, is an extremely useful management tool. Such an ISMS offers the opportunity to define and monitor service levels internally as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.

There are a number of other information security and risk assessment standards that support, or are similar to, ISO27001 including:

  • ISO27005:2011
  • BS7799-3
  • ISO/IEC TR 13335-3:1998
  • NIST SP 800-26 and NIST SP 800-30
  • The UK Risk Assessment Standard

ISO27005:2011

ISO/IEC 27005:2011 (ISO27005) provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001. ISO27005 is designed to assist the satisfactory implementation of information security based on a risk management approach.

Buy the ISO27005 Standard (hardcopy or download) here

Risk Assessments

Information security management (defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’) is becoming a critical business discipline in both the private and public sectors.

ISO27001 is a specification that sets out the requirements for an Information Security Management System (ISMS). ISO27001 is explicit in requiring a risk assessment to be carried out before any controls are selected and implemented, and is equally explicit that the selection of every control must be justified by a risk assessment.

The risk assessment must, for each asset within scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset, from a business, compliance or contractual perspective.

Information security management decisions are entirely driven by the outcomes of a risk assessment in relation to identified risks and specific information assets. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.
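As an added illustration of the assessment just described (example code written for this page, not from IT Governance or vsRisk): each in-scope asset is scored against each threat/vulnerability combination, per confidentiality/integrity/availability attribute and from the business, legal and contractual perspectives, and the result is compared with a risk acceptance criterion to decide which risks must be treated. The 1-5 scales, the acceptance threshold of 8 and the sample assets and scenarios are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ATTRIBUTES = ("confidentiality", "integrity", "availability")
PERSPECTIVES = ("business", "legal", "contractual")
# Assumed acceptance criterion: a risk scoring above this level must be treated.
ACCEPTANCE_THRESHOLD = 8

@dataclass
class Asset:
    name: str
    owner: str
    impact: Dict[Tuple[str, str], int]  # loss impact per (attribute, perspective), assumed 1-5 scale

@dataclass
class Scenario:
    threat: str
    vulnerability: str
    likelihood: int              # assumed 1-5 scale
    attributes: Tuple[str, ...]  # which of C/I/A this threat/vulnerability pair can affect

def score(asset: Asset, scenario: Scenario) -> int:
    """Risk = likelihood x worst impact across the affected attributes and all perspectives."""
    worst = max(asset.impact[(a, p)] for a in scenario.attributes for p in PERSPECTIVES)
    return scenario.likelihood * worst

def register(assets, scenarios, threshold=ACCEPTANCE_THRESHOLD) -> List[dict]:
    """Assess every in-scope asset against every threat/vulnerability pair, highest risk first."""
    rows = [{"asset": a.name, "owner": a.owner, "threat": s.threat, "vulnerability": s.vulnerability,
             "risk": score(a, s), "decision": "treat" if score(a, s) > threshold else "accept"}
            for a in assets for s in scenarios]
    return sorted(rows, key=lambda row: row["risk"], reverse=True)

def uniform_impact(level: int) -> Dict[Tuple[str, str], int]:
    return {(a, p): level for a in ATTRIBUTES for p in PERSPECTIVES}

# Constructed sample data: two assets, two threat/vulnerability combinations.
ASSETS = [
    Asset("customer database", "Head of Sales",
          {**uniform_impact(3), ("confidentiality", "legal"): 5, ("availability", "business"): 4}),
    Asset("marketing website", "Marketing Manager", uniform_impact(2)),
]
SCENARIOS = [
    Scenario("external attacker", "unpatched public-facing service", 4, ("confidentiality", "integrity")),
    Scenario("hardware failure", "no tested backup", 2, ("availability",)),
]

if __name__ == "__main__":
    for row in register(ASSETS, SCENARIOS):
        print(f"{row['risk']:>2}  {row['decision']:6}  {row['asset']}: {row['threat']} / {row['vulnerability']}")
```

The sorted register is the raw material for a risk treatment plan: only the rows marked "treat" need a justified control, which is the link between assessment and control selection that ISO27001 requires.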

Risk Assessment Tools

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there is a wide range of products on the market that claim to meet these requirements, the reality is that there are very few. There's just one risk assessment tool that IT Governance recommends: vsRisk.

It’s so straightforward, and so quick to use, that it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project – which is why one consultancy firm told us:

"Why would we want to use this with our clients when it is going to reduce the number of days we can bill them?"

Would you like to reduce the days your consultants bill you for? Look no further than vsRisk.

vsRisk delivers the results you are looking for through key features including:

  • Assessing key areas such as Groups, Assets and Owners
  • Capturing your IS policy, objectives and ISMS scope
  • Assessing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal and Contractual
  • In-built audit trail and comparative history
  • Comprehensive reporting and gap analysis

Two ways to organise Information Assets: by Owners or by custom Groups.

Assessments are performed for each Attribute of an Information Asset.

vsRisk can generate customised reports specifically for ISO27001, including the Risk Treatment Plan and Statement Of Applicability.

vsRisk has been designed with the user in mind and empowers the user to comply with the requirements of ISO27001:2005 and effectively assess and align their total assets with their objectives.
