Abstract
The growing complexity of cyber threats demands that organizations implement robust risk management strategies to protect their information systems. ISO 27001 is a widely recognized standard for establishing an Information Security Management System (ISMS), which provides a structured framework for assessing and managing information security risks. However, the dynamic and evolving nature of cyber threats calls into question whether ISO 27001 fully aligns with modern risk science principles, particularly in addressing uncertainties and emerging risks. This thesis explores the effectiveness of ISO 27001's risk assessment process in the context of contemporary risk science.
The research focuses on key risk science concepts, such as general knowledge (GK), specific knowledge (SK), and resilience management, to assess whether they can improve the adaptability and effectiveness of ISO 27001's risk management strategies. By comparing ISO 27001 with the principles of modern risk science, this study identifies areas where the standard may fall short in addressing uncertain and complex risks, particularly those posed by advanced cyber threats. The findings suggest that while ISO 27001 provides a strong foundation for information security management, its risk assessment process could be enhanced by incorporating more flexible and dynamic strategies, such as continuous risk monitoring and knowledge-based risk assessments.
This thesis concludes by recommending the integration of contemporary risk science principles into ISO 27001 to improve its capacity to manage the uncertainties of modern cyber risks. Future research directions include exploring how ISO 27001 can further incorporate resilience and adaptability mechanisms, as well as investigating the role of emerging technologies in enhancing information security frameworks.