8.2 Security risk assessment

Section 8.2 requires organizations to systematically identify, analyze and evaluate security threats, vulnerabilities and associated consequences that could affect their objectives, determining likelihood and impact to produce a documented risk assessment that forms the basis for selecting appropriate security controls.