Hmmm, first look at ISO27001. Then build an asset list, and for each asset, build a risk register of risks based on the lack of each and every control - which may be '£0 per year / Not applicable' for some asset+control tuples. Now audit (in order of cost per year), to a) validate the evidenceable effectiveness of any existing control implementation(s) against that asset (e.g. access management on the web server), and b) determine the Return on Investment of improving the implementation of the control (e.g. mandatory complex passwords, 2-factor authentication etc.).
Once you're done, you should be able to make sense of these articles, which make much more sense post a broad & deep risk management exercise...
I *love* 'Quick wins', though they are not the end of a process, they help get the wheels moving:
This is a nice way to easily 'eat' ISO27001, though it's very focused around defense against malicious agents. Theft, Fire, Flood and human error aren't as sexy as foreign super-skillz h4k0rs, but are just as deadly to a business.
and finally, for those that like to think that everything is just finding the right tool, without actually ensuring the tools are reducing the biggest risks enough to be worthwhile, this is a great tool list:
....just remember that Defense-in-Depth is about ensuring that multiple controls overlap and cross validate each other. For example, AntiVirus should prevent malicious code being run, but when it fails, a NIDS system needs to spot the unusual network behaviour and be effective at isolating the problem.
Reliance on one tool to cover a control area has been proven to be very stupid - cars have seat belts and crumple zones, and you're a blindly optimistic fantasist if you think that one tool or risk mitigation implementation is going to be 100% effective, 100% of the time.
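As an added example (not code from the original post), the asset-by-control risk register, cost-per-year ordering and ROI-of-improvement calculation described above, plus a defence-in-depth check that models overlapping controls as each having to fail before an incident gets through. All asset names, control areas and figures are constructed for illustration; the control numbering assumed is the ISO 27001:2013 Annex A scheme.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    asset: str
    control: str           # ISO 27001:2013 Annex A control area (assumed numbering)
    impact: float          # expected loss per incident, in GBP (constructed)
    annual_rate: float     # expected incidents per year with no control at all
    effectiveness: float   # 0..1, share of incidents the current implementation stops
    proposed_effectiveness: float  # 0..1, share stopped after the proposed improvement
    upgrade_cost: float    # annual cost of the proposed improvement, in GBP

    def ale(self, eff=None):
        """Annualised loss expectancy at a given control effectiveness (current by default)."""
        eff = self.effectiveness if eff is None else eff
        return self.impact * self.annual_rate * (1 - eff)

    def roi(self):
        """ROI of the upgrade: (annual loss avoided - upgrade cost) / upgrade cost; None if free."""
        if self.upgrade_cost == 0:
            return None
        saving = self.ale() - self.ale(self.proposed_effectiveness)
        return (saving - self.upgrade_cost) / self.upgrade_cost

def build_register(entries):
    """Register sorted by current annual cost, largest first, as the post recommends auditing."""
    return sorted(entries, key=lambda e: e.ale(), reverse=True)

def residual_rate(annual_rate, effectiveness_list):
    """Defence-in-depth: independent overlapping controls must all fail for an incident."""
    rate = annual_rate
    for eff in effectiveness_list:
        rate *= (1 - eff)
    return rate

# Constructed sample register: one row per (asset, control) tuple.
CONSTRUCTED_REGISTER = [
    RiskEntry("web server", "A.9 access control", 50_000, 0.5, 0.6, 0.95, 4_000),
    RiskEntry("office", "A.11 physical and environmental security", 200_000, 0.02, 0.9, 0.95, 10_000),
    RiskEntry("laptop fleet", "A.12 operations security (malware)", 20_000, 2.0, 0.8, 0.9, 6_000),
    RiskEntry("public brochure", "A.10 cryptography", 0, 1.0, 0.0, 0.0, 0),  # £0 / not applicable
]

if __name__ == "__main__":
    for e in build_register(CONSTRUCTED_REGISTER):
        print(f"{e.asset:16} {e.control:42} £{e.ale():>10,.0f}/yr  ROI of upgrade: {e.roi()}")
    # AV (0.8) backed by a NIDS (0.7): residual incidents/yr for the laptop fleet
    print("residual rate with AV + NIDS:", residual_rate(2.0, [0.8, 0.7]))
```

Note that the office fire row has a negative ROI despite the large impact: the control is already effective, so spending on it does not buy down much residual risk, which is exactly the cost-per-year ordering the post argues for.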