Risk assessment identifies, analyzes, and evaluates information security risks so the organization can decide how to treat them.
Practical questions
- What assets, processes, or services are in scope?
- What threats and vulnerabilities apply?
- What could happen?
- What would the impact be?
- How likely is it?
- Is the risk acceptable?
- What treatment is needed?
Link to Annex A
Annex A controls are selected based on risk treatment needs. The Statement of Applicability records the applicability and justification of controls.
Related notes
- Risk
- Iso27001
- Isms
Note Metadata
Aliases: Information Security Risk Assessment
Source: 01 Fundamentals/Risk Assessment.md
Related Notes
- Annex A and the Statement of Applicability
- Control Attributes and Risk Treatment Effects
- Information Security Management System
- Information Security Policy
- Statement of Applicability
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.35 - Independent Review of Information Security
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.1 - Screening
- A.6 People Controls MOC
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.5.7 Audit Evidence Pack
- A.5.8 Audit Evidence Pack
- A.5.9 Audit Evidence Pack
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.6 - Capacity Management
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.6 People Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO 27001 Implementer Guide
- ISO 27005 Risk Management Guide
- ISO 27005 Risk Process Notes
- EXAM-002 - Statement of Applicability
- EXAM-007 - Preventive vs Detective vs Corrective Controls
- ISO 27001 Knowledge Base
- ISO 27005 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- Application Security Requirements Register
- Authentication Exception and Compensating Control Record
- Configuration Exception and Risk Acceptance Record
- Cryptographic Controls Policy
- Cryptographic Legal Requirements Assessment
- Cryptographic Use Case and Algorithm Register
- ICT Supply Chain Risk Register
- Information and Associated Asset Inventory
- Information Security Continuity Requirements
- Legal and Contractual Requirements Register
- Monitoring Detection Use Case Register
- Network Security Architecture and Zoning Standard
- Office Room and Facility Security Assessment
- Physical and Environmental Threat Assessment
- Physical Security Zone Register
- PII Inventory and Privacy Requirements Matrix
- Project Security Requirements Register
- Remote Working Risk Assessment
- Supplier Security Risk Assessment
- Technical Compliance Review Plan
- Threat Intelligence Register
- Vulnerability Exception and Risk Acceptance Record
- Vulnerability Management Procedure
- Wireless Network Security Assessment
- ISO 27001 Overview