The international standard ISO/IEC 27001:2017 (ISO 27001) specifies the requirements for a best-practice ISMS (information security management system): a risk-based approach to managing corporate information security that addresses people, processes and technology.
Clause 6.1.2 of the Standard sets out the requirements of the information security risk assessment process. Organisations must:
• Establish and maintain information security risk criteria, including risk acceptance criteria and criteria for performing information security risk assessments.
• Ensure that repeated risk assessments “produce consistent, valid and comparable results”.
• Identify the information security risks.
• Analyse the information security risks.
• Evaluate the information security risks.
It is important that organisations “retain documented information about the information security risk assessment process” so that they can demonstrate that they comply with these requirements.
They will also need to follow a number of steps – and create relevant documentation – as part of the information security risk treatment process.