Risk Assessment for Asset Owners: A Pocket Guide

IT Governance Limited, 2007 - Business & Economics - 42 pages
All organizations face risks to information and information assets. Many organizations seek to identify and control those risks, usually as part of a structured approach to information security risk management. ISO/IEC 27001:2005 is an international standard specification for an Information Security Management System (or 'ISMS'). Organizations that develop an ISMS in line with the specification of ISO 27001 can receive external, third-party certification that their ISMS conforms to the standard, and such a certificate can have significant commercial, financial and compliance benefits. ISO/IEC 17799:2005 is the international Code of Practice for information security; it provides detailed guidance to support the specification contained in ISO 27001 but is not, itself, a specification. This Pocket Guide to the ISO 27001 risk assessment is designed to assist asset owners and others who are working within an ISO 27001/ISO 17799 framework to deliver a qualitative risk assessment. It also conforms to the guidance provided in BS 7799-3:2006 and NIST SP 800-30.

About the author (2007)

Calder is a founder director of IT Governance Ltd.
