8.2 Information security risk assessment

Clause 8.2 mandates that an organization establish a systematic process to assess information security risks, identifying assets, threats, vulnerabilities and evaluating potential impacts. The documented assessment results must be used to determine appropriate risk-treatment options and feed into the overall risk treatment plan.