Pragmatic information risk management (part 2)

In part 1, I discussed BIA/BCM as a means to focus on the organisation's most important information.

The next step in the pragmatic IRM approach is to explore examine risks affecting that information. An appreciaiton of the importance of various information risks to the business is key to determining which information security controls might be 'essential', 'necessary' (the ISO27k term), 'important', 'appropriate', 'optional', 'unnecessary' or 'inappropriate'.