What is the Risk Assessment for ISO 27001?
One of the requirements of the ISO 27001 standard is Clause 6.1.2 – Information Risk Assessment. This clause requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.
The requirement also stipulates that the assessments should be consistent, valid and produce ‘comparable resources’ (clearly describing the approach being taken).
Organisations are required to then apply these assessment processes to identify risks associated with confidentiality, integrity and availability (commonly referred to as CIA) of the information assets within the defined scope of the ISMS.
The risks will then need to be assigned to risk owners within the organisation, each of whom will then need to determine the level of risk, assess the potential consequences if the risk was to occur and also, decide on the ‘likelihood’ of the occurrence of the risk.
Once this risk has been evaluated, it must then be managed in accordance with the previously documented risk management plan.