Information Risk Management

Information risk management (IRM) is the process of identifying and assessing risk, and then reducing that risk to an acceptable level. The process results in the implementation of controls that maintain the acceptable level over time.

The risks that need to be identified and assessed can be classified as follows:

The ISO 17799 standard, titled Code of Practice for Information Security Management, has 10 domains that cover all aspects of IRM:

  1. Security Policy
  2. Organizational Security
  3. Asset Classification and Control
  4. Personnel Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Systems Development and Maintenance
  9. Business Continuity Management
  10. Compliance