The bulk of data protection laws and regulations require that security and privacy controls be established based upon the organization's existing and unique risks. Many organizations struggle to find a way to effectively determine the risks that exist for their businesses. Often the result is little better than taking a shot in the dark to determine risks.
I’ve found many information security practitioners are not aware of the recently published risk management standard, ISO/IEC 27005:2008.
Check it out; it has some great and useful ideas and recommendations.
Tags: awareness and training, Information Security, ISO/IEC 27005:2008, IT compliance, IT training, policies and procedures, privacy training, risk management, security training