Monday, December 29, 2008

Does ISO/IEC 27001 define the methodology for risk assessment?

The standard does not prescribe a specific methodology. It requires only that the organization define a systematic approach to risk assessment: the risk assessment method it will use, the applicable business, legal and regulatory requirements, and the criteria for accepting risk and for reducing it to an acceptable level. The one constraint placed on the chosen method is that it must produce comparable and reproducible results, so that risks assessed at different times or by different people can be ranked against each other.
Several published methodologies can be used to satisfy this requirement. These include
1. ISO/IEC 13335 (Management of information and communications technology security)
2. NIST SP 800-30 (Risk Management Guide for Information Technology Systems)
ISO/IEC 27005 (Information security risk management), published in 2008, is the risk management guidance written specifically to support ISO/IEC 27001 and is the natural reference for new ISMS implementations.
