06 The risk assessment and Statement of Applicability - Pg. 79

Establishing security requirements

ISO/IEC 27002:2005 identifies three sources for establishing the organization's information security requirements: the risks that the organization faces (discussed further below); the risks arising from the compliance and contractual requirements imposed on the organization in each of the jurisdictions in which it operates (compliance requirements in particular are discussed in Chapter 27); and the `particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations', which should largely fall out of the IT architecture the organization has previously established.

Risks, impacts and risk management

All organizations face risks of one sort or another on a daily basis. Risk management is a discipline that exists to deal with non-speculative risks, those risks from which only a loss can occur. In other words, speculative risks, those from which either a profit or a loss can occur, are the subject of the organization's business strategy, whereas non-speculative risks, which can reduce the value of the assets with which the organization undertakes its speculative activity, are (usually) the subject of a risk management plan (in ISO27001, a `risk