ISO/IEC 27005:2011 was published only recently, and industry experts are already praising it.
ISO/IEC 27005:2011 provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001. The new Standard is designed to assist the satisfactory implementation of information security based on a risk management approach. In order to gain a complete understanding of ISO/IEC 27005:2011, managers and directors first need to know the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002.
This Standard is applicable to all types of organisations (e.g. commercial enterprises, government agencies, non-profit organisations) which intend to manage risks that could compromise the organisation’s information security.
Here is what the industry expert, Alan Calder, says:
“The new ISO/IEC 27005:2011 is a much better standard than was the 2008 version – first, it is a better written, more coherent standard. Second, it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management. Third, it provides good, practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. Fourth, it has good guidance on threats, vulnerabilities, likelihoods and impacts. ISO27005 should become standard additional guidance on risk assessment – the ISMS core competence – for all organisations tackling ISO27001.”
ISO standards revealed
ISO 27001 provides a framework for an information security management programme within an organisation (an information security management system, or “ISMS”) and an auditable specification against which an organisation can have its ISMS certified. ISO 27002:2005 is the former ISO 17799:2005, originally established in 2000. It provides many of the information security best practices, control objectives and policy guidance needed to run the aforementioned ISO 27001 ISMS. Because all information security analysis, controls and processes are essentially a product of risk management, ISO/IEC 27005:2011 provides the framework for applying proper risk management within the 27001/27002/27003 ISMS.
Who can benefit from ISO standards?
The ISO standards are applicable to all sectors of industry and commerce and are not confined to information held digitally; they address the security of information in whatever form it is held.
Where there is ISO 27005:2011 there is Vigilant
Vigilant Software was set up specifically to make information security management straightforward and affordable for all. It transforms the traditionally complex process of risk management and thereby enables organisations worldwide to become compliant with ISO 27001.
IT Governance is a distributor of extremely useful ISO standards, including said ISO/IEC 27005:2011, which is now available for immediate download on our website.