ISO 27001 risk expressed as threats and vulnerabilities

When it comes to Risk Management, senior management will have to decide on the criteria for accepting information security risks, and will have to sign them off in a board meeting. Before the board meeting, you should prepare an initial Risk Management Framework and a procedure defining how the Risk Assessment will be conducted. When preparing this, if you want to go for certification, make sure to include the two things the ISO standard specifically requires: the Risk Assessment methodology and the Risk Acceptance Criteria.

Risk arises from a combination of a threat, for example the threat of flooding, and a vulnerability, for example a floodplain. The risk exists because the threat exploits the vulnerability. Two other factors related to risk are likelihood and impact: how likely is it that the threat will exploit the vulnerability, and what will be the damage or impact if it does? So, for example, how likely is it that there will be a flood, and what is the impact if there is one? If your business's building is on a floodplain, the likelihood of a flood may be high; but should that building only be a warehouse, the impact of that flood on Information Security may be low.

One of the methodologies you could choose to assess the overall risk level is to multiply impact by likelihood, the product being the risk level. This is just one of the possible risk methodologies for obtaining an overall risk level; you could use your own methodology if it better suits your business.
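As an added example (not code from the SaaSAssurance page), here is the impact-times-likelihood methodology applied to a small constructed risk register, with the Risk Acceptance Criteria expressed as a threshold that management signs off. The 1-5 ordinal scales and the register entries are assumptions chosen to mirror the flood example above.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales for likelihood and impact (not prescribed by the page).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # e.g. flooding
    vulnerability: str   # e.g. the building sits on a floodplain
    likelihood: int      # how likely the threat exploits the vulnerability (1-5)
    impact: int          # damage to information security if it does (1-5)

    def level(self) -> int:
        """Risk level = impact x likelihood, the methodology described above."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def assess(register, acceptance_threshold: int):
    """Split the register into (accepted, needs_treatment), each ordered with the
    highest risk level first. acceptance_threshold is the Risk Acceptance
    Criterion signed off by management; levels strictly above it are not accepted."""
    ranked = sorted(register, key=lambda r: r.level(), reverse=True)
    accepted = [r for r in ranked if r.level() <= acceptance_threshold]
    treat = [r for r in ranked if r.level() > acceptance_threshold]
    return accepted, treat


# Constructed register: the same threat and vulnerability, but a different impact
# depending on what the building holds, plus one unrelated risk for contrast.
REGISTER = [
    Risk("warehouse", "flooding", "building on a floodplain", likelihood=4, impact=1),
    Risk("server room", "flooding", "building on a floodplain", likelihood=4, impact=5),
    Risk("laptop fleet", "theft", "unencrypted disks", likelihood=2, impact=4),
]

if __name__ == "__main__":
    accepted, treat = assess(REGISTER, acceptance_threshold=6)  # threshold is assumed
    for r in treat:
        print(f"TREAT   {r.asset:12} {r.threat} / {r.vulnerability}: level {r.level()}")
    for r in accepted:
        print(f"ACCEPT  {r.asset:12} {r.threat} / {r.vulnerability}: level {r.level()}")
```

With the threshold of 6, the warehouse flood (level 4) is accepted while the server-room flood (20) and laptop theft (8) are flagged for treatment.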