ISO 27001 Risk Assessments



Risk assessment is the core competence of information security management. This page explains what an ISO 27001 risk assessment is, which tools support it and which standards govern it.
Understanding Risk Assessments

In today's information economy, the protection of information assets ('information security') is rapidly overtaking physical asset protection as a fundamental board governance responsibility. Information security management, defined as 'the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximise return on investments and business opportunities', is becoming a critical business discipline in both the private and public sectors.

ISO 27001 is the specification that sets out the requirements for an Information Security Management System (ISMS). It is explicit that a risk assessment must be carried out before any controls are selected and implemented, and equally explicit that the selection of every control must be justified by the results of that risk assessment. For each asset within scope, the risk assessment must identify the threat/vulnerability combinations that have a realistic likelihood of compromising the confidentiality, integrity or availability of the asset, and assess the resulting impact from a business, compliance or contractual perspective.

Information security management decisions are therefore driven by the outcome of the risk assessment for identified risks to specific information assets. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.
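The assessment described above, as an added worked example (Python written for this page, not code from the original page or from IT Governance's tools): a small risk register that scores each asset/threat/vulnerability combination on its confidentiality, integrity and availability impact, compares the score with a risk acceptance criterion, and checks that every proposed control is justified by at least one assessed risk. The 1 to 5 scales, the likelihood times worst-case-impact formula, the acceptance threshold of 9, the control names and the sample register entries are all assumptions made for illustration; ISO 27001 requires that such criteria exist but does not prescribe them.

```python
"""Illustrative ISO 27001-style risk register (added example, not from the
original page): score each asset/threat/vulnerability combination against
confidentiality, integrity and availability, compare with a risk acceptance
criterion, and check that every proposed control is justified by a risk.

The 1..5 scales, the likelihood * worst-impact formula and the acceptance
threshold are assumptions: the standard requires criteria, not these ones.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SCALE = range(1, 6)        # assumed 1 (lowest) .. 5 (highest) for likelihood and impact
ACCEPTANCE_THRESHOLD = 9   # assumed: scores at or above this must be treated


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact_c: int                   # impact on confidentiality if the risk materialises
    impact_i: int                   # impact on integrity
    impact_a: int                   # impact on availability
    control: Optional[str] = None   # chosen treatment; None means no decision yet

    def __post_init__(self) -> None:
        # Reject values outside the agreed scale so a typo cannot hide a risk.
        for name in ("likelihood", "impact_c", "impact_i", "impact_a"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name}={value} outside assumed scale 1..5")


def score(risk: Risk) -> int:
    """Risk level = likelihood x worst-case impact across C, I and A (assumed formula)."""
    return risk.likelihood * max(risk.impact_c, risk.impact_i, risk.impact_a)


def driving_property(risk: Risk) -> str:
    """Which of C, I, A carries the highest impact (first one wins on ties)."""
    impacts = (("C", risk.impact_c), ("I", risk.impact_i), ("A", risk.impact_a))
    return max(impacts, key=lambda item: item[1])[0]


def assess(register: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> Dict[str, List[Tuple[str, str]]]:
    """Split the register into accepted, treated and untreated-but-unacceptable risks.

    Entries are returned as (asset, threat) pairs so reports stay readable.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"accepted": [], "treated": [], "untreated": []}
    for risk in register:
        key = (risk.asset, risk.threat)
        if score(risk) < threshold:
            result["accepted"].append(key)          # below the acceptance criterion
        elif risk.control is not None:
            result["treated"].append(key)           # control selected and justified
        else:
            result["untreated"].append(key)         # needs a treatment decision
    return result


def control_justification(register: List[Risk]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each control to the risks that justify it (the basis of a Statement of Applicability)."""
    justification: Dict[str, List[Tuple[str, str]]] = {}
    for risk in register:
        if risk.control is not None:
            justification.setdefault(risk.control, []).append((risk.asset, risk.threat))
    return justification


def unjustified_controls(register: List[Risk], proposed: Set[str]) -> Set[str]:
    """Proposed controls that no assessed risk calls for; these need a justification or removal."""
    return proposed - set(control_justification(register))


# Constructed sample register: illustrative values and control names, not a real assessment.
REGISTER = [
    Risk("Customer database", "External attacker", "Unpatched web application",
         likelihood=4, impact_c=5, impact_i=4, impact_a=2,
         control="Technical vulnerability management"),
    Risk("Customer database", "Hardware failure", "No tested backups",
         likelihood=2, impact_c=1, impact_i=3, impact_a=5),
    Risk("Office wifi", "Neighbour eavesdropping", "Shared WPA2 passphrase",
         likelihood=2, impact_c=2, impact_i=1, impact_a=1),
    Risk("HR records", "Insider", "Over-broad file share permissions",
         likelihood=3, impact_c=4, impact_i=3, impact_a=1,
         control="Access restriction"),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.asset:18} {risk.threat:24} score={score(risk):2} driver={driving_property(risk)}")
    print(assess(REGISTER))
    print(unjustified_controls(REGISTER, {"Technical vulnerability management",
                                          "Access restriction", "Clear desk policy"}))
```

Running the block prints the score and the property driving it for each entry, then lists the one unacceptable risk with no treatment decision and the one proposed control that no risk justifies. Those two lists are exactly what a certification auditor looks for: an unacceptable risk with neither a control nor a documented acceptance, and a control in the Statement of Applicability with no risk behind it.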

To build your knowledge of Risk Assessments, IT Governance recommends the following books as a sensible starting point:

Risk Assessment Tools

Carrying out a risk assessment that meets the requirements of ISO 27001 is extremely difficult without a specialist information security risk assessment tool. Many products on the market claim to meet these requirements; in reality very few do. IT Governance recommends two standalone tools: vsRisk and RA2.

Free Trials of Risk Assessment Tools

Free demo versions of vsRisk and RA2 are available from IT Governance on request; once you have submitted your details, download instructions are emailed to you. Further information is on the vsRisk and RA2 product pages.

Risk Assessment Standards

An ISMS built on defined risk acceptance/rejection criteria, and independently verified through accredited third-party certification, is an extremely useful management tool. It allows an organisation to define and monitor security service levels internally and in contractor/partner organisations, and to demonstrate the extent to which the risks for which directors and senior management are accountable are under effective control.

A number of other information security and risk assessment standards complement or are similar to ISO 27001, including:

  • ISO/IEC 27005:2011
  • BS 7799-3
  • ISO/IEC TR 13335-3:1998
  • NIST SP 800-26 and NIST SP 800-30
  • The UK Risk Assessment Standard

ISO 27005

ISO/IEC 27005:2011 (ISO 27005) provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Buy the ISO 27005 Standard (hardcopy) here.

Buy the ISO 27005 Standard (download) here.
