International standard ISO/IEC 27001:2013 (ISO 27001) provides the specifications for a best-practice ISMS (information security management system): a risk-based approach to managing information security that addresses people, processes and technology.
Clause 6.1.2 of the standard sets out the requirements of the information security risk assessment process. Organizations must:
Establish and maintain information security risk criteria, including the risk acceptance criteria and the criteria for performing information security risk assessments.
Ensure that repeated risk assessments “produce consistent, valid and comparable results”.
Identify “risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system” and identify the owners of those risks.
Analyze each identified risk (assess its potential consequences and realistic likelihood, and determine its level of risk) and evaluate the results against the criteria established earlier, prioritizing the risks for treatment.
It is important that organizations “retain documented information about the information security risk assessment process” so that they can demonstrate that they comply with these requirements.
They will also need to follow a number of steps – and create relevant documentation – as part of the information security risk treatment process set out in Clause 6.1.3. ISO 27005 provides guidelines for information security risk assessments and is designed to assist with the implementation of a risk-based ISMS.