Information security risk assessment for ISO 27001 8.2
ISO 27001 Clause 8. 2 – Information security risk assessment
The organisation must perform risk assessments as determined in the work carried out under section 6.1 where the organization should define and apply an information security risk assessment process with defined information security risk and acceptance criteria. It must also include the criteria to carry out the assessments in order to ensure consistent, valid, and comparable results. The risk assessment process must include risk identification, analyses, and evaluation, and the process must be kept as documented information that includes the outcomes of those assessments.
Ready to take action?
Discover how ISMS.online can help you achieve or improve on your ISMS objectives
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need ISO 27001 policies and controls for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you up to 77% head start with ISO 27001 documentation.
Ready to take action?
Discover how ISMS.online can help you achieve or improve on your ISMS objectives