With the rapid development of information technology, society and the economy depend more and more on information and information systems. Security incidents are increasing rapidly and security problems are becoming more serious, so the information security situation demands greater attention. Information security is not only a matter of security technology and products, but also of information security management. Information security management identifies risk through a risk assessment model; security, in this sense, means reducing risk to an acceptable level through risk management policy and security controls. Risk assessment is the first step in an information security management system (ISMS), and its results affect security policy, resources, manpower, organizational operation and business. Risk assessment is therefore the key to, and the guarantee of, information security management. Based on risk assessment theory and ISO 27001, we analyse and compare the common risk assessment models and methods and present an improved model and method. The new model and method are closely integrated with the information security management system and evaluate risk more accurately. They have been put into practice and verified at an insurance agency, which subsequently passed ISO 27001 international certification.