An Introduction To
Information, Network and Internet Security


Perform the risk assessment (RA) for the scope of the ISMS

Once the scope of the ISMS has been defined it is necessary for certification (and advisable anyway) to perform a risk assessment in order to determine the organisation's exposure to risk and determine the best way to manage this.

There are many ways of performing a risk assessment, and all that ISO 27001 requires is that 'An appropriate risk assessment shall be undertaken'. It is left to the organisation implementing security to determine what is 'appropriate'. For a discussion of risk management, see section 5 below.

This process will produce the Risk Assessment Document.



The Security Practitioner

An Introduction to Information Security