
Completing your Information Security Risk Assessment

Conducting an information security risk assessment is the foundation of information security management. Information security management decisions are driven entirely by the decisions made as an outcome of a risk assessment, in relation to the identified risks and the specific information assets they affect.

A risk assessment enables expenditure on controls to be balanced against the business harm that may result from security failures.

Information security is rapidly overtaking physical asset protection or physical security as a fundamental IT governance responsibility.

Information security management is defined as 'the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments (ROI) and business opportunities', and is becoming a critical business discipline globally, in both the private and public sectors.

ISO/IEC 27001 is a specification setting out the requirements for an information security management system (ISMS).

ISO 27001 is explicit in requiring that a risk management process be used to review and confirm the selection of security controls in light of regulatory, legal and contractual obligations, and other business objectives.

An ISMS developed and based on risk acceptance/rejection criteria, and using accredited third party certification to provide an independent verification of the level of assurance, is an extremely useful management tool. An ISMS offers the opportunity to define and monitor service levels internally as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.

There are a number of other information security and risk assessment standards that support or are similar to ISO 27001, including:

ISO 27001 provides a practical solution to the requirements of a range of international data protection and privacy laws and regulations.

ISO 27001 also helps organisations to counter the increasingly sophisticated and varied range of information security threats more cost-effectively.

As a result, a growing number of private and public sector organisations around the world are seeking certification to ISO 27001, with an annual ISO 27001 certification growth rate of over 13%.

Read the following informative blog posts on conducting ISO 27001-compliant risk assessments: