ISO 27005 Risk Management – Where does it fit in the ISMS implementation plan?

Those familiar with the ISO 27001 standard know that risk assessment and risk management are major components of implementing an Information Security Management System (ISMS). They are also essential for achieving compliance with ISO 27001.

Like most core processes, to manage risk effectively you need to select your methodology first and then act, and this is where ISO/IEC 27005:2011 comes in. It is the international standard for information security risk management and defines an information security risk management process consisting of context establishment, risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review. It is also the basis for the UK’s only ISO 27005 Certified ISMS Risk Management Training Course.

At what stage of the ISMS implementation process do you need to apply ISO 27005 guidance?

The ISO 27005 guidance is relevant to all four phases of the ISMS process. If you’ve been on the ISO 27001 ISMS Foundation Training Course or the ISO 27001 ISMS Lead Implementer Masterclass, you’ll be familiar with the ISMS Project Roadmap according to which information security risk management is important at every stage of the Plan-Do-Check-Act cycle. 


Plan

Selecting the right risk assessment methodology during the planning stage is important. Whether you choose to use a spreadsheet or a specialised risk assessment tool such as vsRisk, you will need to make sure it is the most suitable method for your organisation. The ISO 27005 ISMS Risk Management Training Course teaches you how to select and plan your resources, including managing your staff.

At this stage of your ISMS project, you are required to carry out your risk assessment, which is a step-by-step process of its own. You need to identify your assets, threats and vulnerabilities, consider the impacts that would occur if a threat exploited a vulnerability, and eventually determine the risk treatment. Whilst this exercise may sound simple in theory, it is a comprehensive one in practice and may require some previous experience or training. It is essential that you develop criteria for the acceptance of risk and identify the acceptable level of risk before you decide on treatment, because those criteria determine which risks are retained, which are modified by controls, and which must be escalated to the risk owner. The ISO 27005 ISMS Risk Management Training Course, for example, shows you how to do a risk assessment using real asset data by conducting a one-day exercise (on a computer) using the vsRisk™ information security risk assessment software.
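The assessment steps above, carried through on a small constructed asset register, as an added worked example. This is not code from the original article, from vsRisk or from ISO 27005 itself; it assumes a 1-5 qualitative scale for likelihood and impact, a risk level of likelihood × impact, and a two-part acceptance criterion (a maximum level, plus a ceiling on the impact of any risk retained without treatment). Every asset, threat, vulnerability, score and control in the register is hypothetical.

```python
"""Added worked example: an ISO 27005-style risk assessment over a constructed
asset register. Not code from the original article or from vsRisk. Assumes a
1-5 qualitative scale, risk level = likelihood x impact, and acceptance
criteria chosen by the risk owner; every asset, score and control is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE = range(1, 6)  # 1 = rare / negligible .. 5 = almost certain / severe


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control: Optional[str] = None              # proposed treatment, if any
    residual_likelihood: Optional[int] = None  # scores after the control
    residual_impact: Optional[int] = None


@dataclass
class AcceptanceCriteria:
    max_score: int = 6             # retain at or below this level
    max_untreated_impact: int = 4  # never retain an UNTREATED risk above this impact


def score(likelihood: int, impact: int) -> int:
    """Risk level on the 1-5 scale; rejects scores outside the scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"scores must be in 1..5, got {likelihood} and {impact}")
    return likelihood * impact


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Level after the proposed control; equals the inherent level if none."""
    if risk.control is None:
        return inherent(risk)
    if risk.residual_likelihood is None or risk.residual_impact is None:
        raise ValueError(f"{risk.asset}: control proposed without residual scores")
    return score(risk.residual_likelihood, risk.residual_impact)


def treatment(risk: Risk, crit: AcceptanceCriteria) -> str:
    """Map a risk to an ISO 27005 treatment outcome (assumed decision rule).

    retain   - inherent level meets the criteria, no control required
    modify   - the proposed control brings the residual level within criteria
    escalate - residual still breaches the criteria: the risk owner must
               explicitly accept it, or the risk must be avoided or shared
    """
    if inherent(risk) <= crit.max_score and risk.impact <= crit.max_untreated_impact:
        return "retain"
    if risk.control is not None and residual(risk) <= crit.max_score:
        return "modify"
    return "escalate"


def assess(register: List[Risk], crit: AcceptanceCriteria) -> List[Dict]:
    """Risk register rows, highest inherent risk first."""
    rows = [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "inherent": inherent(r), "residual": residual(r),
             "control": r.control, "treatment": treatment(r, crit)} for r in register]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


# Constructed sample register (hypothetical assets, scores and controls).
REGISTER: List[Risk] = [
    Risk("Customer database", "external attacker", "SQL injection in web front end",
         4, 5, "parameterised queries plus code review", 1, 5),
    Risk("Staff laptops", "theft", "no full-disk encryption",
         3, 4, "full-disk encryption enforced by MDM", 3, 1),
    Risk("Public website", "defacement", "unpatched CMS plugin", 2, 2),
    Risk("Backup tapes", "fire at sole site", "no off-site copy",
         1, 5, "encrypted off-site copy", 1, 2),
    Risk("Legacy ERP application", "exploit of unsupported OS", "no vendor patches",
         5, 4, "network segmentation", 3, 4),
]


if __name__ == "__main__":
    crit = AcceptanceCriteria()
    for row in assess(REGISTER, crit):
        print(f"{row['inherent']:>3} -> {row['residual']:>3}  {row['treatment']:<9} "
              f"{row['asset']} / {row['threat']}")
```

Two things the paragraph alone does not show. First, the impact ceiling in the acceptance criteria matters: the backup-tape risk scores only 5 (rare but severe) and a single numeric threshold would retain it untreated, so the criteria are deliberately more than one number. Second, a control does not end the exercise: the legacy ERP risk is still above the threshold after segmentation, so it is escalated for explicit acceptance, avoidance or sharing rather than quietly marked as treated.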


Do

The ‘doing’ stage is all about the implementation of the risk treatment plan: applying the controls selected for each risk that you decided to modify.


Check

You are required to continually monitor and review the identified risks and the effectiveness of the selected controls, so that changes in assets, threats or vulnerabilities are picked up before they invalidate your risk acceptance decisions.


Act

Maintaining and continually improving your risk assessment and management process is essential for upholding your ISMS and your ISO 27001 compliance.

Do you need to undertake risk management training?

If you have been tasked with the role and duties of an Information Security Risk Manager in your organisation, you will benefit significantly from attending the ISO 27005 Certified ISMS Risk Management Training Course.

The criticality and complexity of information security risk management for implementing an ISO 27001-compliant ISMS is such that professionals usually need a deeper understanding of the methodology.

Currently, there is only one course in the UK that offers practical training specifically for information security risk managers. It is run by IT Governance and leads to the CIS RM qualification awarded by IBITGQ. The next course takes place 19-21 June in London. More information is available online at