With the launch of ISO/IEC 27001:2013, we are being asked a number of recurring questions here at IT Governance. One of them is: can you still use ISO/IEC 27005 with ISO/IEC 27001:2013?
The simple answer is yes. Whilst the two standards are not wholly aligned, the asset-based method of undertaking a risk assessment described in ISO/IEC 27005 is just as valid with the 2013 edition of ISO/IEC 27001 as it was with the 2005 edition. What has changed is that ISO/IEC 27001:2013 no longer requires an asset-based approach: it permits you to use other risk assessment methods, but it does not prevent you from continuing with the asset-based one.
Based on our knowledge of standards development and the timelines involved, we expect ISO/IEC 27005 to be revised over the next year to 18 months. That revision should bring ISO/IEC 27005 into alignment with ISO/IEC 27001:2013.
The other members of the ISO/IEC 27000 family of standards should be revised over the next couple of years to align them with ISO/IEC 27001:2013. At the time of writing (autumn 2013), the only other standard in the ISO/IEC 27000 family that is fully aligned with ISO/IEC 27001:2013 is ISO/IEC 27002:2013. The other standards in the family nevertheless still have a valuable contribution to make in the form of advice and guidance.