OutSecure, Inc - Survival of the 'Securest'
SERVICES: RISK MANAGEMENT


ISO 17799 places risk management at the heart of the information security management process.

ISO 17799 is about management of risk, which is accomplished by developing a risk management and mitigation strategy, whereby assets, threats, and vulnerabilities are identified and the commensurate risk is quantified. Controls can then be selected to avoid, transfer, or reduce risk to an acceptable level. Security risk assessment is a method to maximize use of finite organizational assets based on measurable risk and organizational risk tolerance. Risk assessment steps are as follows:

Identify Assets - An asset can be a tangible item, such as hardware, or intangible, such as an organizational database. Assets must be identified and their ownership established. A relative value must also be assigned to each asset so that its importance is reflected when risks are quantified.

Identify Threats to the Assets - Threats exploit or take advantage of asset vulnerabilities to create risks. Threats to each asset must be identified. There can be multiple threats for each asset. Identification of threats must be realistic. Only those threats that have a significant probability or extreme harm should be considered. For example, a threat to the organizational database may be theft or alteration.

Identify Vulnerabilities to the Assets - Vulnerabilities are recognized deficiencies in assets that can be exploited by threats to create risk. An asset may have multiple vulnerabilities. For example, vulnerabilities in an organization's database may be poor access control or insufficient backup.

Determine Realistic Probability - Probabilities for each threat/vulnerability combination should be determined. Combinations with statistically insignificant probability may be ignored.

Calculate Harm - Harm (sometimes referred to as impact) may be quantified numerically to reflect the damage from a successful exploit. This value rates the seriousness of a given risk on a relative scale, independent of its probability.

Calculate Risk - Evaluation and mitigation of risk is the goal of the ISO 17799 ISMS. Mathematically, risk can be expressed as: Probability x Harm = Risk. This calculation yields a numeric rating of asset-based risk for a given set of threats and vulnerabilities, and that numeric rating allows finite risk-mitigating resources to be prioritized.
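As an added illustration (not code from OutSecure's page), the six steps above as a small risk register in Python: the asset-value weighting of harm, the significance threshold and the control costs are assumptions, and the register entries are constructed sample data.

```python
from dataclasses import dataclass

# Assumption: threat/vulnerability pairs below this probability are treated as
# "statistically insignificant" and dropped from the calculation.
SIGNIFICANCE_THRESHOLD = 0.01

@dataclass(frozen=True)
class Exposure:
    asset: str          # step 1: identified asset
    asset_value: int    # step 1: relative value, 1 (low) .. 5 (critical)
    threat: str         # step 2
    vulnerability: str  # step 3
    probability: float  # step 4: likelihood that this threat exploits this vulnerability
    harm: int           # step 5: damage if exploited, 1..5, independent of probability

def risk_score(e):
    """Step 6: Probability x Harm, weighted by relative asset value (the weighting is an assumption)."""
    return e.probability * e.harm * e.asset_value

def rank_risks(exposures, threshold=SIGNIFICANCE_THRESHOLD):
    """Drop insignificant combinations, then order by descending risk for prioritisation."""
    significant = [e for e in exposures if e.probability >= threshold]
    return sorted(significant, key=risk_score, reverse=True)

def prioritise(exposures, budget, cost_of_control):
    """Spend a finite mitigation budget highest-risk first; what cannot be funded is accepted."""
    treated, accepted, remaining = [], [], budget
    for e in rank_risks(exposures):
        cost = cost_of_control[(e.asset, e.threat, e.vulnerability)]
        if cost <= remaining:
            treated.append(e)
            remaining -= cost
        else:
            accepted.append(e)
    return treated, accepted, remaining

# Constructed sample register; values are illustrative, not real data.
REGISTER = [
    Exposure("customer database", 5, "theft", "poor access control", 0.20, 5),
    Exposure("customer database", 5, "alteration", "insufficient backup", 0.10, 4),
    Exposure("web server", 3, "defacement", "unpatched software", 0.30, 2),
    Exposure("laptop", 2, "loss", "no disk encryption", 0.25, 3),
    Exposure("print server", 1, "meteorite strike", "no roof reinforcement", 0.000001, 5),
]
CONTROL_COST = {  # assumed cost of the control that closes each combination
    ("customer database", "theft", "poor access control"): 40,
    ("customer database", "alteration", "insufficient backup"): 25,
    ("web server", "defacement", "unpatched software"): 10,
    ("laptop", "loss", "no disk encryption"): 30,
    ("print server", "meteorite strike", "no roof reinforcement"): 500,
}

if __name__ == "__main__":
    for e in rank_risks(REGISTER):
        print(f"{risk_score(e):5.2f}  {e.asset} / {e.threat} / {e.vulnerability}")
    treated, accepted, left = prioritise(REGISTER, 80, CONTROL_COST)
    print("treat:", [e.threat for e in treated], "accept:", [e.threat for e in accepted], "unspent:", left)
```

With an assumed budget of 80 the three highest-ranked risks are treated, the laptop risk is accepted, and the meteorite entry never enters the ranking because its probability falls below the threshold.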

Controls mitigate the risks identified in the Security Risk Assessment. The selection of controls is predicated on the availability of assets and on management's ability to accept certain risks in lieu of implementing controls. Regardless of which model is used to establish the security framework, an Information Security Management System is fundamental in engaging effective and appropriate controls to protect information assets. Without a management system and ongoing commitment from senior management, it is difficult to commit resources and to ensure that information security is appropriately embedded in the business.

We implement the ISMS based on the Deming Wheel model introduced in BS7799-2002 Part 2 (PDCA - Plan, Do, Check & Act), which is a de facto methodology and ensures that the correct components are engaged, evaluated, monitored and improved on a continuous basis.


©2004 Outsecure, Inc.