

ISO 27001 Risk Assessment

In the world of SOX, COSO and Basel2, IT risk management has become a hot IT topic over the last few years. As organizations become increasingly dependent on information technology and intellectual capital assets, the key areas of IT risk are usually seen as:

  • IT infrastructure and network security – arising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on
  • Data integrity, confidentiality and privacy – arising from regulatory and market pressure around protecting personal data (e.g. data protection legislation), corporate data (e.g. fair disclosure regulations), and financial and operational data (e.g. Sarbanes-Oxley)
  • Business continuity – arising from concerns about the capability to continue in business after a natural or man-made disaster
  • IT management – arising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.

Information Risk and ISO 27001

The information security standard, ISO/IEC 27001:2005, is specifically risk-based. In line with NIST SP800-30 and NIST SP800-26, it recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a clear risk assessment methodology, information security risk assessment can also now follow the guidelines contained in BS7799-3:2006.

Information Security Risk Management for ISO27001/ISO27002 provides the most comprehensive guidance on the subject.

Risk assessment is an asset-level activity that is virtually impossible, for any but the smallest of organizations, without a risk assessment database and specialist tool such as vsRisk™.
