ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management
4.1 Assessing security risks
Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
Risk assessment should include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation).
Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation, e.g. in the assets, threats, vulnerabilities, impacts, the risk evaluation, and when significant changes occur. These risk assessments should be undertaken in a methodical manner capable of producing comparable and reproducible results.
The information security risk assessment should have a clearly defined scope in order to be effective and should include relationships with risk assessments in other areas, if appropriate.
The scope of a risk assessment can be either the whole organization, parts of the organization, an individual information system, specific system components, or services where this is practicable, realistic, and helpful. Examples of risk assessment methodologies are discussed in ISO/IEC TR 13335-3 (Guidelines for the Management of IT Security: Techniques for the Management of IT Security).
4.2 Treating security risks
Before considering the treatment of a risk, the organization should decide criteria for determining whether or not risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.
For each of the risks identified following the risk assessment a risk treatment decision needs to be made. Possible options for risk treatment include:
a) applying appropriate controls to reduce the risks;
b) knowingly and objectively accepting risks, providing they clearly satisfy the organization's policy and criteria for risk acceptance;
c) avoiding risks by not allowing actions that would cause the risks to occur;
d) transferring the associated risks to other parties, e.g. insurers or suppliers.
For those risks where the risk treatment decision has been to apply appropriate controls, these controls should be selected and implemented to meet the requirements identified by a risk assessment. Controls should ensure that risks are reduced to an acceptable level taking into account:
a) requirements and constraints of national and international legislation and regulations;
b) organizational objectives;
c) operational requirements and constraints;
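The analysis, evaluation and treatment flow of 4.1 and 4.2 as a small risk register in Python, added here as an illustration and not part of the standard; the 1-5 ordinal scales, the likelihood-times-impact magnitude, the acceptance threshold, the cost-effectiveness rule and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed acceptance criterion (assumption): magnitudes at or below this value on the 1..25 scale are acceptable.
ACCEPT_AT_OR_BELOW = 6

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain); constructed ordinal scale
    impact: int          # 1 (negligible) .. 5 (severe); constructed ordinal scale
    annual_loss: float   # estimated annualised loss if the risk materialises
    control_cost: float  # annual cost of the candidate control
    residual: int        # estimated magnitude after the candidate control is applied
    transferable: bool   # can be passed to an insurer or supplier (4.2 d)

def analyse(risk: Risk) -> int:
    """Risk analysis: estimate the magnitude (assumption: likelihood x impact)."""
    return risk.likelihood * risk.impact

def evaluate(magnitude: int) -> bool:
    """Risk evaluation: compare the estimate against the acceptance criterion."""
    return magnitude <= ACCEPT_AT_OR_BELOW

def decide(risk: Risk) -> tuple[str, str]:
    """Choose one of the 4.2 a)-d) options and return it with the recorded rationale."""
    magnitude = analyse(risk)
    if evaluate(magnitude):
        return "accept", f"magnitude {magnitude} is within the acceptance criterion"
    if risk.control_cost >= risk.annual_loss:
        return "accept", "treatment is not cost-effective; accepted knowingly"
    if evaluate(risk.residual):
        return "reduce", f"control brings the residual magnitude to {risk.residual}"
    if risk.transferable:
        return "transfer", "no control reaches an acceptable level; transfer to a third party"
    return "avoid", "no control reaches an acceptable level; avoid the activity"

def treatment_register(risks: list[Risk]) -> list[tuple[int, str, str, str]]:
    """Prioritized, reproducible register rows: (magnitude, risk, option, rationale)."""
    rows = [(analyse(r), r.name) + decide(r) for r in risks]
    return sorted(rows, key=lambda row: (-row[0], row[1]))

# Constructed sample risks (assumptions, not taken from the standard).
SAMPLE_RISKS = [
    Risk("Laptop theft", 3, 2, 5_000, 8_000, 2, True),
    Risk("Unpatched public web server", 4, 5, 150_000, 20_000, 4, False),
    Risk("Data centre flooding", 2, 5, 40_000, 500_000, 2, True),
    Risk("Legacy unencrypted file transfer", 4, 4, 80_000, 10_000, 9, False),
    Risk("Single-supplier outage", 3, 4, 60_000, 5_000, 8, True),
]
```

Running `treatment_register(SAMPLE_RISKS)` twice on the same inputs yields the same ordered rows, which is the comparable and reproducible result 4.1 asks for.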