UnixTime

Research Note

Risk Assessment

Risk assessment identifies, analyzes, and evaluates information security risks so the organization can decide how to treat them.

On this page

Risk assessment identifies, analyzes, and evaluates information security risks so the organization can decide how to treat them.

Practical questions

  • What assets, processes, or services are in scope?
  • What threats and vulnerabilities apply?
  • What could happen?
  • What would the impact be?
  • How likely is it?
  • Is the risk acceptable?
  • What treatment is needed?

Annex A controls are selected based on risk treatment needs. The Statement of Applicability records the applicability and justification of controls.

  • Risk
  • Iso27001
  • Isms

Note Metadata

Aliases: Information Security Risk Assessment

Source: 01 Fundamentals/Risk Assessment.md