Information Security Risk Management for ISO27001/ISO27002

Paperback

72,03 €*

All prices include VAT | Free shipping
ISBN-13:
9781849280433
Published:
2010
Binding:
Paperback
Publication date:
21.04.2010
Pages:
198
Author:
Alan Calder
Weight:
257 g
Format:
216x140x11 mm
Language:
English
Description:

The changing global economy, together with recent corporate and IT governance developments, all provide the context within which organisations have to assess risks to the information assets on which their organisations, and the delivery of their business plan objectives, depend. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment process in relation to identified risks and specific information assets. Risk assessment is, therefore, the core competence of information security management.
Contents:

Introduction
Chapter 1: Risk Management
  Risk management: two phases
  Enterprise risk management
Chapter 2: Risk Assessment Methodologies
  Publicly available risk assessment standards
  Qualitative versus quantitative
  Quantitative risk analysis
  Qualitative risk analysis - the ISO27001 approach
  Other risk assessment methodologies
Chapter 3: Risk Management Objectives
  Risk acceptance or tolerance
  Information security risk management objectives
  Risk management and PDCA
Chapter 4: Roles and Responsibilities
  Senior management commitment
  The (lead) risk assessor
  Other roles and responsibilities
Chapter 5: Risk Assessment Software
  Gap analysis tools
  Vulnerability assessment tools
  Penetration testing
  Risk assessment tools
  Risk assessment tool descriptions
Chapter 6: Information Security Policy and Scoping
  Information security policy
  Scope of the ISMS
Chapter 7: The ISO27001 Risk Assessment
  Overview of the risk assessment process
Chapter 8: Information Assets
  Assets within the scope
  Grouping of assets
  Asset dependencies
  Asset owners
  Sensitivity classification
  Are vendors assets?
  What about duplicate copies and backups?
  Identification of existing controls
Chapter 9: Threats and Vulnerabilities
  Threats
  Vulnerabilities
  Technical vulnerabilities
Chapter 10: Impact and Asset Valuation
  Impacts
  Defining impact
  Estimating impact
  The asset valuation table
  Business, legal and contractual impact values
  Reputation damage
Chapter 11: Likelihood
  Risk analysis
  Information to support assessments
Chapter 12: Risk Level
  The risk scale
  Boundary calculations
  Mid-point calculations
Chapter 13: Risk Treatment and the Selection of Controls
  Types of controls
  Risk assessment and existing controls
  Residual risk
  Risk transfer
  Optimising the solution
Chapter 14: The Statement of Applicability
  Drafting the Statement of Applicability
Chapter 15: The Gap Analysis and Risk Treatment Plan
  Gap analysis
  Risk Treatment Plan
Chapter 16: Repeating and Reviewing the Risk Assessment
Appendix 1: Carrying out an ISO27001 Risk Assessment using vsRisk™
  How the tool actually works
  Training requirements
  Start using vsRisk™ for your risk assessment
  Identify the assets
  Identify the risks
  Assess the risks
  Identify and evaluate options for the treatment of risks
  Select control objectives and controls for treatment of the risks
Appendix 2: ISO27001 Implementation Resources
Books by the Same Authors
ITG Resources
