
ISO 27001 Risk Assessment

In the world of SOX, COSO and Basel2, IT risk management has become a hot IT topic over the last few years. As organizations become increasingly dependent on information technology and intellectual capital assets, the key areas of IT risk are usually seen as:

  • IT infrastructure and network security – arising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on
  • Data integrity, confidentiality and privacy – arising from regulatory and market pressure around protecting personal data (e.g. data protection legislation), corporate data (e.g. fair disclosure regulations), and financial and operational data (e.g. Sarbanes-Oxley)
  • Business continuity – arising from concerns about the capability to continue in business after a natural or man-made disaster
  • IT management – arising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.

Information Risk and ISO 27001

The information security standard, ISO/IEC 27001:2005, is specifically risk-based. In line with NIST SP800-30 and NIST SP800-26, it recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a well-defined risk assessment methodology, information security risk assessment can also now follow the guidelines contained in BS7799-3:2006.

Information Security Risk Management for ISO27001/ISO17799 provides the most comprehensive guidance on the subject.

Risk assessment is an asset-level activity that is virtually impossible for any but the smallest organizations without a risk assessment database and a specialist tool such as vsRisk™.
