Risk management headache? ISO 27005 could be the cure.

Tony Drewitt, our Risk Management Consultant and Trainer, reflects on the crucial role of risk management in information security management and how ISO/IEC 27005 can help you tackle it effectively.

Risk is arguably one of the most commonly used words in business, but what does it actually mean?

There are many English dictionary definitions, most centred on “a situation involving exposure to danger”, and whilst some people talk about upside, or positive, risk, it is generally accepted that in business, risk is all about the chance that something will go wrong, and how badly.

But of course there is uncertainty in everything we do, and therefore risk. Sometimes the uncertainty is about whether something good will happen, but that just means there is also a chance that it won’t, which is bad.

Risk and corporate governance

The big thing about risk in business today is corporate governance. People responsible for running companies are simply not allowed, when something goes wrong, to say “we didn’t think of that” or “it’s never happened before”. Those are two quite common responses, both when something has gone wrong and when it hasn’t but senior managers are being asked to do something about risk management.

For many, when they do finally look at risk, thinking switches immediately from chance to consequence: the likely impact of a risk dominates, where previously the probability of a threat materialising was the dominant factor.

Many organisations assess risk intuitively; that is to say, they simply decide whether an activity or situation is very risky, not very risky, or somewhere in between.

This intuitive approach can be applied to information security risk – but it can be very difficult to evaluate risk effectively in this area. The challenge is two-fold: understanding what information security actually is, and knowing how to assess and respond to the related risks in a logical way that will stand scrutiny should the worst happen.

Information security managers, and those doing the job as part of a broader role, often need guidance in identifying the most effective way to manage this specific set of risks, which is where ISO 27005 comes in.

How ISO 27005 can help

Where ISO 27001 presents a broad blueprint for dealing with information security, ISO 27005 takes it much further and delivers the detail of information security risk assessment, in a way that lets the results integrate easily into an ISO 27001 compliant information security management system (ISMS).

ISO 27005 provides a detailed and valuable insight into effective information security risk management. And since ISO 27001 calls for a risk-based approach, there cannot be a better basis for it!

Tony Drewitt has just delivered the first ISO 27005 Risk Management training course, which combines internationally accepted good practice in risk management with information security, enabling participants to acquire the skills to implement this critical component of information security management.

This new course adds to the ISO 27001 learning pathway, which provides everything you need to plan, implement and maintain ISO 27001 compliance in your organisation. The course content is ideal for information security managers, ISMS Lead Implementers, risk managers and consultants who require an in-depth understanding of risk management. It also covers risk management principles that will enhance broader risk management roles and projects.

>> Find out more about ISO 27005 training