
ISO 27001 Clause 6.1.2 Information security risk assessment process | Infosavvy

Required activity

The organization defines and applies an information security risk assessment process.

Explanation

The organization defines an information security risk assessment process that:

a) establishes and maintains information security risk criteria, which include:
   1) the risk acceptance criteria;
   2) criteria for performing information security risk assessments, which may include criteria for assessing consequence and likelihood, and rules for determining the level of risk;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results.

The information security risk assessment process is then defined along the following sub-processes:

Identification of information security risks:
- identify risks related to the loss of confidentiality, integrity and availability of information within the scope of the ISMS;
- identify the risk owners for these risks, i.e. identify and appoint persons with the appropriate authority and responsibility for managing...