The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed.
Several methodologies are published and available for use. These include
1. ISO/IEC 13335 (Management of information and communications technology security )
2. NIST SP 800-30 (Risk Management Guide for Information Technology Systems)
No comments:
Post a Comment