The changing global economy, together with recent corporate and IT governance developments, all provide the context within which organisations have to assess risks to the information assets on which their organisations, and the delivery of their business plan objectives, depend. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment process in relation to identified risks and specific information assets. Risk assessment is, therefore, the core competence of information security management.