Sunday, July 29, 2007

0.3 How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources of security requirements.

1. One source is derived from assessing risks to the organization, taking into account the organization’s overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
2. Another source is the legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
3. A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.
