ISO 27001 Clause 6.1.2
Transcript
Clause 6.1.2 of the ISO 27001 standard requires an organization to define and apply an information security risk assessment process that establishes criteria for both risk acceptance and the performance of risk assessments. Assessments should be consistent and valid, and should produce comparable results. This means clearly describing the approach being taken and producing a risk methodology that is repeatable, so that the criteria for assessment are easily understood. Organizations must apply the assessment process to identify risks to the confidentiality, integrity, and availability of their information assets. Each risk is assigned to a risk owner, who determines the level of risk, assesses the consequences should the risk materialize, and determines the likelihood that the risk will occur. Once evaluated, the risk is prioritized for risk treatment and then managed in accordance with the documented methodology.