Information Security Risk Assessment Based on Analytic Hierarchy Process
As the level of business informatisation rises, information security issues become increasingly complex. ISO27001, which was developed from BS 7799 of the British Standards Institution, was therefore published in 2005 as the international standard for information security. It has become the set of standard specifications that enterprises follow to evaluate, build, and implement information security management systems. For high-technology manufacturing industries, a high level of business informatisation increases exposure to information security risks. An information security management system can be established and well managed by implementing ISO27001; doing so also minimises business-operation risks and improves the professional skills of information technology staff. The core concept of ISO27001 is risk management, which fits the "Plan-Do-Check-Act" (PDCA) model and reduces risks successively. The most important factor in this process is risk evaluation and assessment, which determines whether the risks can be effectively controlled. The bottleneck for the company in this case study, after two years of risk evaluation and assessment, is that the risk of its high-value information assets can no longer be reduced. This was a questionnaire-based study. The results were analysed in order to adjust the risk evaluation and assessment method and obtain a comprehensive one. A suitable and reasonable method will be developed by rearranging the assessment items and their weights according to the characteristics of the company, so that the risks can be controlled and reduced once again.
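As an added illustration that is not part of the paper, the following code shows the AHP weighting step the abstract refers to: a pairwise-comparison matrix over security criteria is turned into priority weights, the judgments are checked for consistency, and the weights are applied to rate assets. The three criteria, the judgment values and the asset ratings are constructed assumptions; the random-index constants are Saaty's published values.

```python
import math

# Saaty's random consistency index, indexed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def priority_vector(matrix):
    """Approximate the principal eigenvector of a pairwise matrix
    with the row geometric-mean method, normalised to sum to 1."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]

def consistency_ratio(matrix, weights):
    """CR = CI / RI; judgments are usually accepted when CR < 0.1."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return ci / ri if ri else 0.0

def risk_scores(weights, asset_ratings):
    """Weighted score per asset from its per-criterion ratings (1..5)."""
    return {asset: sum(w * r for w, r in zip(weights, ratings))
            for asset, ratings in asset_ratings.items()}

# Constructed judgments (assumption): confidentiality is moderately more
# important than integrity (3) and strongly more than availability (5).
CRITERIA = ["confidentiality", "integrity", "availability"]
JUDGMENTS = [[1, 3, 5],
             [1 / 3, 1, 2],
             [1 / 5, 1 / 2, 1]]

# Constructed asset ratings (assumption), one rating per criterion.
ASSETS = {"customer database": (5, 4, 3),
          "public website": (1, 3, 5)}

def assess(matrix=JUDGMENTS, assets=ASSETS):
    """Return weights, consistency ratio and ranked asset scores."""
    weights = priority_vector(matrix)
    cr = consistency_ratio(matrix, weights)
    scores = risk_scores(weights, assets)
    return weights, cr, scores

if __name__ == "__main__":
    w, cr, scores = assess()
    print(dict(zip(CRITERIA, (round(x, 3) for x in w))), "CR =", round(cr, 3))
    print(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))
```

A consistency ratio at or above 0.1 signals that the questionnaire judgments contradict one another and should be revisited before the weights are used.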