The right selection and deployment of controls, together with the risk attitude and culture of the organization, is what determines how a company's Information Security Risk is managed.
All cross-functional business requirements need to be taken into consideration before designing an integrated set of risk mitigation controls and measures that can be implemented and maintained without impairing the effectiveness of the business. These need to be designed so that all financial, operational, legal and compliance obligations are fulfilled.
The right professionals can evaluate the organization's position in a multitude of ways, whether through a traditional ISO 27001 Gap Analysis, formal assessments against government frameworks such as the HMG Security Policy Framework (SPF), or a more detailed review focused on cost optimization.
It is highly recommended that organizations implement the ISO 27001 Code of Practice for Information Security Management. It sets out guidelines on how to practically implement an Information Security Management System (ISMS). Risk can be managed to business-acceptable standards if it has the following characteristics: