Information Security Risk Management for ISO27001/ISO27002 by Steve Watkins, Alan Calder

CHAPTER 3: RISK MANAGEMENT OBJECTIVES

We identified, in Chapter 1, the probability that most organisations already have in place a range of risk assessment approaches, driven perhaps by regulation as much as by the board’s desire to meet its fiduciary duties to shareholders and other stakeholders in the organisation.

Risk acceptance or tolerance

An organisation’s risk acceptance criteria (which we discussed in Chapter 1) are defined in its overall approach to risk management and are contained in its information security policy.

ISO27001 says that the ISMS policy must ‘align with the organization’s strategic risk management context’ (clause 4.2.1 – b3) or its ERM framework, if it already has one in place. What this means is that the organisation, ...
