Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, this book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.
Benefits of a risk assessment
- Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.
- Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.
- Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day.
- Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance and the American Sarbanes-Oxley Act (SOX) of 2002, and by standards such as ISO31000.
Plan and carry out a risk assessment to protect your business information. Buy this book today.
1: Risk Management
2: Risk Assessment Methodologies
3: Risk Management Objectives
4: Roles and Responsibilities
5: Risk Assessment Software
6: Information Security Policy and Scoping
7: The ISO27001 Risk Assessment
8: Information Assets
9: Threats and Vulnerabilities
10: Impact and Asset Valuation
12: Risk Level
13: Risk Treatment and the Selection of Controls
14: The Statement of Applicability
15: The Gap Analysis and Risk Treatment Plan
16: Repeating and Reviewing the Risk Assessment
Appendix 1: Carrying Out an ISO27001 Risk Assessment using VSRisk
Appendix 2: ISO27001 Implementation Resources