ISO27001 Certification Information Security Risk Assessment
Time: 2022-03-24

Preparation is the premise of carrying out an ISO27001 certification information security risk assessment. To keep the assessment process controllable and the assessment results objective, adequate preparation and planning activities should be completed before the information security risk assessment is implemented. These include:


(1) Determine the objectives of information security risk assessment

In the preparation stage of the ISO27001 information security risk assessment, the objectives of the risk assessment should be clarified so that they can guide the assessment process. Information security requirements are the requirements an organization must meet to ensure the normal and effective operation of its business. The objectives of the information security risk assessment are determined by analyzing the laws and regulations the organization must comply with, together with the confidentiality, integrity and availability requirements of the information used in its business processes.


(2) Determine the scope of information security risk assessment

A given ISO27001 information security risk assessment may cover only a subset of the organization's total assets, so the scope of the assessment must be stated clearly. The most important part of the scope statement is the description of the assessment boundary. The scope may be a single system or several related systems; a good approach is to describe the scope of a risk assessment in terms of both physical and logical boundaries.


(3) Form an appropriate assessment management and implementation team

In the preparation stage of the assessment, the assessing organization should set up a dedicated assessment team to carry out the organization's information security risk assessment. Team members should include leaders of the assessed unit, information security risk assessment experts, technical experts, and representatives from management, business units, human resources, IT systems and users.


(4) Conduct system research

System research is the process of identifying what is being assessed. The risk assessment team should conduct sufficient system research to lay the foundation for selecting the basis and methods of the information security risk assessment and for implementing the assessment content. The research should at least cover: business strategy and management system, main business functions and requirements; network structure and network environment, including internal and external connections and system boundaries; main hardware and software; data and information, including the sensitivity of systems and data; and the people who support and use the system.


(5) Determine the basis and method of information security risk assessment

The basis of an ISO27001 information security risk assessment includes existing international or national information security standards, the requirements and systems of the competent authority for the organization's industry and business systems, the security requirements of the units with which the organization's information systems interconnect, and the real-time or performance requirements of the organization's own information systems. On that basis, and taking into account the purpose, scope, time, expected effect, quality of assessors and other factors of the information security risk assessment, a specific risk calculation method is selected. The relevant assessment and judgment criteria are then determined according to the organization's business requirements for the secure operation of its systems, so that they fit the organizational environment and security requirements.


(6) Develop an information security risk assessment plan

The contents of an ISO27001 information security risk assessment plan generally include: team organization, covering assessment team members, organizational structure, roles and responsibilities; a work plan for each stage of the information security risk assessment, covering work content, work form and work results; and a time schedule, including the project implementation timetable.


(7) Obtain support from top management for information security risk assessment

An ISO27001 information security risk assessment requires financial and human support. Management must show support for the assessment activities explicitly, commit to resource allocation, and give the information security risk assessment team sufficient authority, so that the information security risk assessment activities can be carried out smoothly.


Once preparation for the risk assessment is complete, the next step is to identify the assets, threats and vulnerabilities of the enterprise's current information security system.


In addition, before conducting an information security risk assessment of an enterprise, the most important step toward a smooth assessment process and true, effective results is to first formulate a risk assessment strategy for the enterprise's information security management. A good risk assessment strategy is the key to the successful design of the risk assessment model, and it needs to cover the causes of the enterprise's information security risks as well as the scope and purpose of the risk assessment work.


An enterprise's information security risk factors include both external and internal factors, and the enterprise faces them constantly in its daily work. Risk factors are the latent causes of information security risk incidents: they mainly determine the magnitude and frequency of such incidents and are the internal, indirect causes of the threats to and losses from the enterprise's information security. Therefore, these risks need to be evaluated regularly and quantitatively to determine their degree of risk.