An Introduction To
Information, Network and Internet Security


The risk assessment process

It is up to the organisation to define which risk assessment methodology or tools it uses; ISO 27001 does not mandate any. The risk assessment must be relevant to the defined scope and must consider any services that cross the boundary of the ISMS. Common problems here lie at either extreme: a process so involved, or a level of detail so fine, that the organisation is forever re-assessing risks, or a risk assessment that does not cover the risks to an appropriate depth. Whatever process is used, there must be traceability between the risk assessment results and the Statement of Applicability (SoA), so that every identified risk is addressed by a control in the SoA unless the organisation is prepared to accept the level of risk identified.

A further discussion on the risk process is given in Section 5 below.



The Security Practitioner

An Introduction to Information Security