Standard 27005 presents an approach
Establishing the context for the risk analysis
Definition of SSI risk assessment
Choice for SSI risk treatment
Acceptance of risk
Communication and consultation relating to SSI risks
Monitoring and review of SSI risk.
The organization must define its own approach
Methods often requiring training and not adaptable to all situations
Dependence on IS mapping: depth, extent, etc.
Tendency towards completeness
Accumulation of technical measures without overall coherence
Defines a rational approach that has resulted in methods that work
Great flexibility: used in all circumstances, especially during changes
Pragmatic and usable on its own, it can also be suitable for small organizations.