Risk management plays an important role in the implementation of information security, and is one of the requirements that the ISO/IEC 27001 security standard sets for certification. Moreover, parties involved in the handling of personal information are legally required to prepare risk assessments and to review such assessments on a regular basis.
When preparing a risk assessment, it is important to use a systematic method to assess the risk, i.e. a method that ensures that another person performing the same risk assessment reaches the same conclusions.
The results of the risk assessment are useful for guidance and for determining appropriate action, including the prioritisation of actions and controls. The results appear in a statement of applicability or in a report that is presented as confirmation of the state of information security in the operation of the party in question. This is important for managers, clients and regulatory bodies, e.g. the Data Protection Authority, who request information on the security matters of the organisation or company in question.