All organizations today have to respond to a rapidly changing and increasingly threatening range of information security risks - risks which can, if unmitigated, lead to severe financial, regulatory and reputation damage for organizations. Information security investment and control decisions should be specifically driven by the outcome of a risk assessment process that identifies risks to specific information assets. Risk assessment is, in fact, the core competence of information security management. International standards, including ISO/IEC 27001:2005, ISO17799, BS7799-3 and NIST SP 800-30, provide overlapping guidance on risk assessment. This book provides clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and on carrying out a risk assessment that will help achieve corporate risk management objectives. It is essential reading for anyone involved generally in enterprise risk management and in information security specifically.