A framework for the management of information security risks

This paper looks at the development of a framework for information security risk assessments within an organisation. A risk framework is a convenient and communicable tool that can be used to describe the principles and essential components of the security risk management process of an organisation. The framework shows how significant risks can be identified, assessed and treated. It also explains the measures that can be taken to mitigate or 'treat' the risk exposure of the organisation for the future. The risk framework will provide a common language, which can be used by all of the parties that are involved in the process, from the members of the board, through the security and audit staffs, to the end users of the systems, as a vehicle for communication and improved understanding. In addition, a risk framework will provide a high level outline for the way in which an organisation will implement information security risk management and define the roles of the key participants in the process.