ISO/IEC 27005 explained

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information.[1] It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

The standard offers advice on systematically identifying, assessing, evaluating and treating information security risks - processes at the very heart of an ISO27k Information Security Management System (ISMS). It aims to ensure that organizations design, implement, manage, monitor and maintain their information security controls and other arrangements rationally, according to their information security risks.

The current fourth edition of ISO/IEC 27005 was published in October 2022.[2]

Overview

ISO/IEC 27005 does not specify or recommend specific risk management methods in detail. Instead it discusses the process in more general terms, drawing on the generic risk management method described by ISO 31000,[3] i.e.:

Within that broad framework, organizations are encouraged to select/develop and use whichever information risk management methods, strategies and/or approaches best suit their particular needs - for example:[4]

Objectives

The ISO/IEC 27000-series of standards are applicable to all types and sizes of organization - a very diverse group, hence it would not be appropriate to mandate specific approaches, methods, risks or controls for them all. Instead, the standards provide general guidance under the umbrella of a management system. Managers are encouraged to follow structured methods that are relevant to and appropriate for their organization's particular situation, rationally and systematically dealing with their information risks.

Identifying and bringing information risks under management control helps ensure that they are treated appropriately, in a way that responds to changes and takes advantage of improvement opportunities leading over time to greater maturity and effectiveness of the ISMS.

Structure and content of the standard

ISO/IEC 27005:2018 has the conventional structure common to other ISO/IEC standards, with the following main sections:[5]

  1. Background
  2. Overview of the information security risk management process
  3. Context establishment
  4. Information security risk assessment
  5. Information security risk treatment
  6. Information security risk acceptance
  7. Information security risk communication and consultation
  8. Information security risk monitoring and review

And six appendices:

  1. Defining the scope and boundaries of the information security risk management process
  2. Identification and valuation of assets and impact assessment
  3. Examples of typical threats
  4. Vulnerabilities and methods for vulnerability assessment
  5. Information security risk assessment approaches
  6. Constraints for risk modification

Notes and References

  1. "ISO/IEC 27005:2018". International Organization for Standardization. Retrieved 17 April 2021.
  2. "ISO/IEC 27005:2022". International Organization for Standardization. Retrieved 2 December 2023.
  3. "ISO 31000 risk management". International Organization for Standardization. Retrieved 17 April 2021.
  4. "ISO27k FAQ". ISO27001security. Retrieved 17 April 2021.
  5. "ISO preview of 27005:2018". International Organization for Standardization. Retrieved 17 April 2021.