Introduction for Organizational Structures
Identifying information security requirements, according to ISO 27000:2018 C.4.5.2:
Information security requirements can be identified through an understanding of the following:
a) identified information assets and their value;
b) business needs for information processing, storage and communication;
c) legal, regulatory, and contractual requirements.
Conducting a methodical assessment of the risks associated with the organization’s information assets involves analysing the threats to those assets, their vulnerabilities, the likelihood of a threat materializing, and the potential impact of any information security incident on them. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.