ISO 27001 Clause 8.2 – Information security risk assessment
This is another of the ISO 27001 clauses that is largely completed already where the organisation has evidenced its information security management work in line with clauses 6.1 and 6.2, and in particular 7.5, under which the whole ISMS is clearly documented.
The organisation must perform information security risk assessments at planned intervals and whenever changes require it; both the schedule and the assessments themselves need to be clearly documented.
Whilst information security risk assessment can be done at a very basic level in a spreadsheet, it is far better to have a tool that makes light work of the documentation side of risk assessment, as is the case with ISMS.online. There are also many very specialist and expensive security risk assessment applications in which one could spend all day thinking about risk assessment, let alone its treatment. Our view on whether to use spreadsheets, ISMS.online or a very expensive specialist application is to look at the value of the information at risk, the capacity, capability and confidence of the resources being applied to the ISMS, and the whole of ISMS management, not just the risk component. See here for more on the characteristics of software for an ISMS, and if considering build versus buy for the information security management system solution itself, the business case planner may well be useful to review as well.