Showing posts with the label ISO/IEC 27000:2018

Risk and context

Risk tree ... for Certification

This is the third post in the series about information and cyber security risk (but who's counting?).

ISO/IEC 27001:2013 (27K1:13) sets out the requirements for an information security management system (ISMS). ISO describes an ISMS as: "a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process."

There are some key words and phrases within that statement:

- sensitive company information
- secure
- people, processes and IT systems
- risk management process

Starting at the top: information, or sensitive information to be more precise, which, if not protected (kept secure), could result in a negative consequence. Keep in mind though that risk is not just about the negative; it is also about opportunities. Can 'sensitive' (whatever that means) information actually protect itself, or is there a need t...