A risk assessment of a business always starts with data collection. The end objective is identifying and then implementing a corrective action plan that will improve data security in a cost-effective way, that is the right fit for the business.
The question in any risk assessment is how do you get from point A (current state) to point B (cost effective security that is the right fit for your business).
The key to cost-effective security is data collection.  Let’s recall that compliance regulation like PCI DSS 2 and the certifiable information security management standard ISO 27001 are based on fixed control frameworks. It’s easy to turn the risk analysis exercise into a check this/check that exercise, which by definition, is not guaranteed to get you to point B since the standard was never designed for your business. This is where we see the difference between ISO 27001 and ISO 27002.
ISO/IEC 27002 is an advisory standard meant to be applied to any type and size of business according to the particular security risks they face.
ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) is a certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS (information security management standard), and specifies a set of 133 information security controls. These controls are derived from and aligned with ISO/IEC 27002 – this enables a business to implement the security controls that fit their business,and help them prepare for formal certification to ISO 27001.
Let me explain the importance of data collection by telling a story.
After reading this article in the NY Times  An Annual Report on one mans life, I was reminded about a story I read about Rabbi Joseph Horowitz (the “Alter from Novardok”) (1849–1919), relating his practice of writing a daily report on his life.
One of the things I learned from the musical director of the JP Big Band, Eli Benacot, is the importance of knowing where you are really holding in terms of your musical capabilities.  Many musicians, it turns out, have the wrong self-perception of their capabilities.  Sometimes, one sees a professional musician who is convinced of his proficiency and even within an ensemble he (or she) is incapable of really hearing how poorly they actually play.
Many times we feel secure but are not, or don’t feel secure when we really are. For example – a company may feel secure behind a well-maintained firewall but if employees are bringing smart phones and flash drives to work, this is an attack vector which may result in a high level of data loss risk. On the other hand – some people are afraid of flying and would prefer to drive, when in fact, flying is much safer than driving.
After we collect the data and organize it in a clear way, we then have the ability to understand where we are really holding.  That is the first step to building the correct security portfolio.
So, let’s return to the Rabbi Joseph Horowitz, who wrote a daily and annual report on his life. Here is his insight to implementing change – certainly a startling approach for information technology professionals who are used to incremental, controlled change:

“Imagine this scenario: A person decides that he wants to kasher his kitchen. But he claims, ‘Changing my dishes all at once involves throwing out an entire set and buying a brand new one. That’s quite an expense at one time. I’ll go about the kashering step by step. Today I’ll throw out one plate and replace it with a new one, tomorrow with a second and the next day with a third.’
“Of course, once a new plate is mixed with the old ones, it becomes treife like the rest. To kasher a kitchen, one must throw out all of his old dishes at once.
“The same holds true in respect to changing one’s character traits or way of life. One must change them in an instant because there is no guarantee that the anxieties and pressures that deter him on any given day will not deter him the following day, too, since anxieties and pressures are never ending. ”
(Madreigat Ha’adam, Rav Yosef Yoizel Horowitz).