As a representative information security management system standard, ISO/IEC 27001 is gaining recognition in more and more countries. At present, consulting work on this standard in China is growing day by day; however, although information security risk assessment is the key step in implementing ISO/IEC 27001, the standard itself gives no concrete procedure for it, so every consulting company takes its own approach and no uniform standard exists. In order to advance the practice of information security risk assessment, this dissertation discusses the approach to risk assessment, the method of risk identification, and the method of risk calculation as applied in a project, and on the basis of that discussion establishes a method of information security risk assessment. In this method, the information security risk assessment of an organization is divided into two parts: one is an assessment of the overall security status, which adopts the baseline assessment method and in practice relies mainly on an information security checklist; the other is an assessment of important assets, which adopts the method of particular risk analysis and in practice relies mainly on a method based on risk tree analysis.