Chinese title: | 基于ISO27000的信息安全基线评估方法及评估软件研究 |
Name: | |
Student ID: | 2006114015 |
Thesis language: | chi |
Discipline code: | 120502 |
Discipline name: | Information Science (情报学) |
Student type: | Master's |
Degree: | Master of Management |
University: | 南京农业大学 (Nanjing Agricultural University) |
Department: | |
Major: | |
Research direction: | Information security management |
Primary supervisor: | |
Primary supervisor's institution: | |
Completion date: | 2009-06-12 |
Defense date: | 2009-06-12 |
English title: | Research on the Information Security Baseline Assessment Method and Software based on the ISO27000 Standards |
Chinese keywords: | |
English keywords: | Information Security ; ISO27000 ; Risk Assessment ; Baseline Assessment Methods ; Assessment Software |
Chinese abstract (translated): |
The importance of information is widely accepted, and with it information security problems have arisen and receive growing attention. Because of threats from network hackers, viruses (including Trojans), malicious code, physical failures, human sabotage and other sources, the losses caused by information security problems are growing many times over. These numerous risks must be controlled and managed. Risk assessment is the first step of risk management and the foundation of information security. Its purpose is to identify the likelihood that uncontrolled factors will be exploited by external forces to cause loss, and thereby to provide a basis for selecting information security management controls. Risk assessment and management rely on particular methods and measures. The ISO27000 series of standards, as the international standard for information security management, covers almost every security topic and provides a comprehensive set of best-practice rules for information security management, which makes it well suited as a reference baseline in most situations; research on baseline assessment methods and software based on the ISO27000 series therefore has high value.
This thesis first studies information security management and the ISO27000 series in depth, analyses and compares risk assessment methods, and then surveys and summarizes existing risk assessment software. Next it designs a baseline risk assessment method based on the ISO27000 series and proposes a design for the questionnaire system: the 11 information security management domains of ISO27002 serve as the classification basis for the questionnaire modules; each question is derived from the control objectives and controls within its domain; questions are single-choice or multiple-choice according to their nature; and a scheme for assigning point values and calculating risk values is proposed. Following this design and the risk management requirements of ISO27002, the questionnaire system is constructed, with a number of questions in each domain that varies with its control objectives and controls. On this basis the thesis carries out the system design of the assessment software, analyses its main functional modules, designs the database, analyses the function of each table and the relationships among them, and finally implements the baseline risk assessment software.
The contribution of this thesis is a baseline information security risk assessment method based on the ISO27000 series, a knowledge base built from it, and baseline risk assessment software based on ISO27002 developed on that foundation, so that risk assessment and management can be carried out more effectively.
|
English abstract: |
In today's globalized environment the importance of information is widely accepted, and with it information security problems have emerged and attract ever more attention. Because of threats from network hackers, Trojans, viruses, malicious code, physical failures, vandalism and other sources, the losses caused by information security incidents have grown many times over. These numerous risks call for risk control and management. Risk assessment is the first step of risk management and the foundation of information security: its purpose is to identify the likelihood that uncontrolled factors will be exploited by external forces to cause loss, and so to provide a basis for choosing information security management controls. Risk assessment and management rely on particular methods and measures. The ISO27000 series, as the international standard for information security management, covers almost every security topic and provides a comprehensive set of best-practice rules for information security management, which makes it well suited as a reference baseline in most cases. Research on baseline assessment methods and software based on the ISO27000 series therefore has considerable value.
This thesis first studies information security management and the ISO27000 series in depth, analyses and compares risk assessment methods, and then surveys and summarizes a number of existing risk assessment tools. Next it designs a baseline risk assessment method based on the ISO27000 series and puts forward the design of a questionnaire system: the 11 information security management domains of ISO27002 serve as the classification of the questionnaire modules; each question is derived from the control objectives and controls of its domain; questions are single-choice or multiple-choice according to their nature; and a scheme for assigning point values and calculating risk values is proposed. On this basis the questionnaire system is built, with a number of questions in each domain that varies with its control objectives and controls. The thesis then carries out the system design of the assessment software, analyses each of its main functional modules, designs the database, and analyses the function of each table and the relationships between them. The final result is the implemented baseline risk assessment software.
The contribution of this thesis is an information security baseline risk assessment method based on the ISO27000 series, a knowledge base built from it, and baseline risk assessment software based on ISO27002 that lets risk assessment and management be carried out more effectively.
|
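The questionnaire scoring model sketched in both abstracts above (ISO27002 domains as questionnaire modules, items derived from control objectives and controls, single- and multiple-choice items, point values, a per-domain risk value and a gap list that feeds control selection) is illustrated by the following added Python example. It is not the thesis's software or its knowledge base. The questions, point values, the "risk = 1 - achieved / maximum" formula, the treatment of unanswered items and the risk-level bands are constructed assumptions, because this record does not publish the thesis's scoring scheme; only the three domain names and control numbers follow ISO/IEC 27002:2005, the edition with 11 domains that the abstracts refer to.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping


@dataclass
class Question:
    qid: str
    domain: str                 # ISO/IEC 27002:2005 clause that forms the questionnaire module
    control: str                # control objective / control the item is derived from
    text: str
    multi: bool                 # True: several options may be selected at once
    options: Mapping[str, int]  # option label -> points (assumed scoring model)


# Constructed knowledge base: three of the eleven ISO/IEC 27002:2005 domains. Control
# numbers follow that edition; question wording and point values are assumed.
KNOWLEDGE_BASE: List[Question] = [
    Question("Q5.1", "Security policy", "5.1.1 Information security policy document",
             "Is there an approved, published information security policy?", False,
             {"no": 0, "draft only": 1, "approved and published": 3}),
    Question("Q5.2", "Security policy", "5.1.2 Review of the information security policy",
             "How is the policy reviewed?", False,
             {"never": 0, "ad hoc": 1, "at planned intervals": 3}),
    Question("Q11.1", "Access control", "11.2.1 User registration",
             "Which of the following apply to user account management?", True,
             {"formal registration procedure": 2, "unique user IDs": 2,
              "prompt removal of leavers": 2, "shared accounts in use": -2}),
    Question("Q11.2", "Access control", "11.3.1 Password use",
             "Is a password policy enforced?", False,
             {"no": 0, "documented but not enforced": 1, "enforced technically": 3}),
    Question("Q13.1", "Information security incident management",
             "13.1.1 Reporting information security events",
             "Is there a defined channel for reporting security events?", False,
             {"no": 0, "informal": 1, "defined and communicated": 3}),
]


def max_points(q: Question) -> int:
    """Best attainable score: all positive options for multi-select, the best option otherwise."""
    return sum(p for p in q.options.values() if p > 0) if q.multi else max(q.options.values())


def question_score(q: Question, answer) -> int:
    """Score one answer: a str for single-choice, a collection of str for multiple-choice."""
    if q.multi == isinstance(answer, str):   # shape mismatch: str for multi, or non-str for single
        raise TypeError(f"{q.qid}: wrong answer shape for a "
                        f"{'multiple' if q.multi else 'single'}-choice item")
    chosen = {answer} if isinstance(answer, str) else set(answer)
    unknown = chosen - set(q.options)
    if unknown:
        raise ValueError(f"{q.qid}: unknown option(s) {sorted(unknown)}")
    raw = sum(q.options[o] for o in chosen)   # negative options deduct points
    return max(0, min(raw, max_points(q)))    # clamp to [0, max]


def risk_level(risk: float) -> str:
    """Assumed bands; the record does not publish the thesis's thresholds."""
    return "low" if risk < 0.25 else "medium" if risk < 0.5 else "high" if risk < 0.75 else "critical"


def assess(questions: Iterable[Question], answers: Mapping[str, object]) -> Dict[str, dict]:
    """Risk value per domain and overall as 1 - achieved/maximum (assumed formula);
    an unanswered item scores 0, so a skipped control surfaces as risk, not as a pass."""
    totals: Dict[str, List[int]] = {}
    for q in questions:
        got = question_score(q, answers[q.qid]) if q.qid in answers else 0
        t = totals.setdefault(q.domain, [0, 0])
        t[0] += got
        t[1] += max_points(q)
    totals["overall"] = [sum(t[0] for t in totals.values()), sum(t[1] for t in totals.values())]
    return {k: {"score": got, "max": mx, "risk": round(1 - got / mx, 3),
                "level": risk_level(1 - got / mx)} for k, (got, mx) in totals.items()}


def gaps(questions: Iterable[Question], answers: Mapping[str, object]) -> List[tuple]:
    """Controls that fell short of full score: the input for selecting countermeasures."""
    out = []
    for q in questions:
        got = question_score(q, answers[q.qid]) if q.qid in answers else 0
        if got < max_points(q):
            out.append((q.domain, q.control, got, max_points(q)))
    return out


# Constructed answers from a fictitious organisation; Q13.1 is deliberately left unanswered.
SAMPLE_ANSWERS: Dict[str, object] = {
    "Q5.1": "approved and published",
    "Q5.2": "ad hoc",
    "Q11.1": ["unique user IDs", "shared accounts in use"],
    "Q11.2": "enforced technically",
}

if __name__ == "__main__":
    for key, r in assess(KNOWLEDGE_BASE, SAMPLE_ANSWERS).items():
        print(f"{key:45s} {r['score']:2d}/{r['max']:2d}  risk={r['risk']:.3f}  {r['level']}")
    for domain, control, got, mx in gaps(KNOWLEDGE_BASE, SAMPLE_ANSWERS):
        print(f"gap: [{domain}] {control}: {got}/{mx}")
```

Two design points are worth noting. A multiple-choice item is scored by summing the points of every selected option and clamping to the item's maximum, so an option that records a weak practice (here "shared accounts in use") can carry negative points and cancel a good one; and an item that was never answered is counted as zero rather than skipped, which keeps an incomplete questionnaire from reporting a lower risk than a complete one. With the constructed answers the security policy domain scores 4/6 (medium), access control 3/9 (high), incident management 0/3 (critical) and the overall risk value is 0.611.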
Chinese Library Classification (CLC) number: | G250 |
Library holding number: | 2006114015 |
Open access date: | 2020-06-30 |