企業組織為求提高資訊安全及個人資料保護之管控措施，選擇導入管理制度ISO 27001(國際標準組織International Organization for Standardization, ISO)及BS 10012 (英國標準British Standard)等國際標準；導入制度時作業十分繁瑣，而風險評鑑是建立管理制度時必要的項目之一，若同時導入二種制度，風險評鑑作業即須執行二次，且花費重複的成本，故本研究將以政府A機關之個案，研究整合ISO 27001及BS 10012之風險評鑑方法論，以減少花費工作人時為目的。 本研究依照政府機關相關法令法規之要求事項，及CNS 27005、CNS 31000風險管理框架做為風險評鑑架構，以流程方式盤點資訊資產及個人資料檔案，並訂定符合資訊資產及個人資料檔案之衝擊及風險情境構面，做為整合ISO 27001及BS 10012風險評鑑之因子。研究發現政府A機關依照本研究導入整合風險評鑑方法論後，僅需執行一次風險評鑑作業，可減少約29%盤點及風險評鑑作業之工作人時及33%教育訓練之工作人時，進而減少企業組織之人工時成本。 In order to improve information security and personal data protection, business organizations have chosen to introduce ISO 27001 and BS 10012 management systems and other international standards. The introduction of these systems can be quite complicated, and risk assessment is one of the necessary items for establishing the management system. If two systems are introduced simultaneously, the risk assessment must be implemented twice, which will incur repeated costs. Therefore, this study investigated the integration of the risk assessment methods for ISO 27001 and BS 10012 based on the case study of government agency A, with the aim of reducing man-hour costs. With the requirements of relevant government laws and regulations and the risk management framework of CNS 27005 and CNS 31000 as the risk assessment architecture, this study made an inventory of the information assets and personal data files in the form of flow process, and stipulated the aspects of impact and risk scenario conforming to the information asset and personal data files to serve as the factors for integrating the ISO 27001 and BS 10012 risk assessments. This study found that government agency A only had to implement one risk assessment after introducing the integrated risk assessment methodology, which saved about 29% of inventory and risk assessment man-hours, and 33% of educational training man-hours, consequently decreasing the man-hour cost of the business organizations.