What is ISO 27005?
ISO 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001.
Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied.
ISO 27005 is applicable to all organisations, regardless of size or sector. It supports the general concepts specified in ISO 27001, and is designed to assist the satisfactory implementation of information security based on a risk management approach.
ISO 27001 and ISO 27002 2022 updates
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.
Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates.
Complete error-free and compliant risk assessments with vsRisk
vsRisk is the leading information security risk assessment tool by Vigilant Software, an IT Governance sister company.
What is information security risk management?
Information security risk management is integral to information security management. It defines the process of analysing what could happen and what the consequences might be, and helps organisations determine what should be done and when to reduce risk to an acceptable level.
Information security risk management should be a continual process that contributes to:
- Identifying and assessing risk.
- Understanding risk likelihood and the consequences for the business.
- Establishing a priority order for risk treatment.
- Stakeholder involvement in risk management decisions.
- Monitoring the effectiveness of risk treatment; and
- Staff awareness of risks and the actions being taken to mitigate them.
Organisations should adopt a systematic approach to information security risk to accurately determine their information security needs.
The 6 key components of the risk management process:
1. Context establishment:
The risk management context sets the criteria for how risks are identified, who is responsible for risk ownership, how risks impact the confidentiality, integrity, and availability of the information, and how risk impact and likelihood are calculated.
2. Risk assessment:
Many organisations choose to follow an asset-based risk assessment process comprising five key stages:
1) Compiling information assets.
2) Identifying the threats and vulnerabilities applicable to each asset.
3) Assigning impact and likelihood values based on risk criteria.
4) Evaluating each risk against predetermined levels of acceptability.
5) Prioritising which risks need to be addressed, and in which order.
3. Risk treatment:
There are four ways to treat a risk:
1) ‘Avoid’ the risk by eliminating it entirely.
2) ‘Modify’ the risk by applying security controls.
3) ‘Share’ the risk with a third party (through insurance or outsourcing).
4) ‘Retain’ the risk (if the risk falls within established risk acceptance criteria).
4. Risk acceptance:
Organisations should determine their own criteria for risk acceptance that consider existing policies, goals, objectives, and shareholder interests.
5. Risk communication and consultation:
Effective communication is pivotal to the information security risk management process. It ensures that those responsible for implementing risk management understand the basis on which decisions are made, and why certain actions are required. Sharing and exchanging information about risk also facilitates agreement between decision makers and other stakeholders on how to manage risk.
Risk communication activity should be performed continually, and organisations should develop risk communication plans for normal operations as well as emergency situations.
6. Risk monitoring and review:
Risks are not static and can change abruptly. Therefore, they should be continually monitored to quickly identify changes and maintain a complete overview of the risk picture.
Organisations should also keep a close eye on:
- Any new assets included within the risk management scope.
- Asset values that require modification in response to changing business requirements.
- New threats, whether external or internal, that have yet to be assessed; and
- Information security incidents.
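The components above (criteria set in the context, the five assessment stages, the four treatment options, the acceptance criteria, and the review loop) can be walked through as one small worked cycle. The following is an added example, not part of the original page and not from ISO 27005 or any vendor tool; the 1-5 scales, the acceptance threshold, the assets, threats, controls, risk owners and treatment decisions are all constructed for illustration.

```python
"""Worked asset-based risk assessment and treatment in the style ISO 27005 describes.

Added example: the scales, assets, threats, controls and thresholds below are constructed
for illustration only and are not taken from ISO 27005 or from any real risk register.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Context establishment: risk criteria agreed before any assessment starts.
# Constructed 1-5 scales; risk level = impact x likelihood (range 1-25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # constructed acceptance criterion: level <= 6 may be retained


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: str                      # key into IMPACT
    likelihood: str                  # key into LIKELIHOOD
    owner: str                       # named risk owner, as the context requires
    treatment: str = "untreated"
    controls: tuple = ()

    @property
    def level(self) -> int:
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    @property
    def acceptable(self) -> bool:
        return self.level <= ACCEPTANCE_THRESHOLD


def build_register() -> List[Risk]:
    """Stages 1-3: compile assets, their threats/vulnerabilities, and impact/likelihood values."""
    return [
        Risk("customer database", "SQL injection", "unvalidated web input", "severe", "possible", "CISO"),
        Risk("customer database", "ransomware", "no tested backups", "severe", "unlikely", "CISO"),
        Risk("office Wi-Fi", "eavesdropping", "shared pre-shared key", "minor", "likely", "IT manager"),
        Risk("marketing website", "defacement", "outdated CMS plugin", "moderate", "possible", "Marketing"),
        Risk("visitor sign-in book", "loss of record", "paper only, no copy", "negligible", "possible", "Facilities"),
    ]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Stages 4-5: keep only risks above the acceptance criteria, highest level first."""
    return sorted((r for r in register if not r.acceptable), key=lambda r: r.level, reverse=True)


def treat(risk: Risk, option: str, control: Optional[str] = None,
          impact_after: Optional[str] = None, likelihood_after: Optional[str] = None) -> Optional[Risk]:
    """Apply one of the four treatment options and return the residual risk (None when avoided)."""
    if option == "avoid":
        return None                     # the activity or asset is removed, so the risk no longer exists
    if option == "retain":
        if not risk.acceptable:         # retaining is only allowed within the acceptance criteria
            raise ValueError(f"{risk.asset}/{risk.threat}: level {risk.level} exceeds acceptance criteria")
        return replace(risk, treatment="retain")
    if option in ("modify", "share"):   # controls or a third party change impact and/or likelihood
        return replace(risk, treatment=option,
                       impact=impact_after or risk.impact,
                       likelihood=likelihood_after or risk.likelihood,
                       controls=risk.controls + (control,))
    raise ValueError(f"unknown treatment option {option!r}")


def run_cycle() -> dict:
    """One pass through assess -> treat -> review, returning the figures for inspection."""
    register = build_register()
    priority = [(r.asset, r.threat, r.level) for r in prioritise(register)]

    # Treatment decisions recorded against each risk (constructed choices, one per option).
    decisions = {
        ("customer database", "SQL injection"): dict(option="modify", control="parameterised queries", likelihood_after="rare"),
        ("customer database", "ransomware"): dict(option="modify", control="tested offline backups", impact_after="moderate"),
        ("marketing website", "defacement"): dict(option="share", control="managed hosting contract", impact_after="minor"),
        ("office Wi-Fi", "eavesdropping"): dict(option="avoid"),
        ("visitor sign-in book", "loss of record"): dict(option="retain"),
    }
    residual = [t for r in register if (t := treat(r, **decisions[(r.asset, r.threat)])) is not None]
    open_after_treatment = [(r.asset, r.threat, r.level) for r in prioritise(residual)]

    # Monitoring and review: a new asset enters scope and is fed back through the same criteria.
    residual.append(Risk("remote-access VPN", "credential stuffing", "no MFA", "major", "likely", "IT manager"))
    after_review = [(r.asset, r.threat, r.level) for r in prioritise(residual)]

    return {"priority": priority, "open_after_treatment": open_after_treatment, "after_review": after_review}


if __name__ == "__main__":
    for name, rows in run_cycle().items():
        print(name, rows)
```

Two design points carry over to a real register: the criteria (scales and acceptance threshold) are fixed once in the context and every later stage reads them rather than redefining them, and `treat` refuses to "retain" a risk that sits above the acceptance criteria, so the register cannot quietly accept what the criteria say it should not. The review step simply re-runs `prioritise` over the residual register after a new asset is added, which is how a change in the risk picture shows up.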
Why should organisations adopt ISO 27005?
Unlike other popular risk management standards that adopt a one-size-fits-all approach, ISO 27005 is flexible in nature and allows organisations to select their own approach to risk assessment based on their specific business objectives.
ISO 27005 follows a simple, repeatable structure with each of the main clauses organised into the following four sections:
- Input: the information necessary to perform an action.
- Action: the activity itself.
- Implementation guidance: any additional detail.
- Output: the information that should have been generated by the activity.
This consistent approach helps to ensure that organisations have all the information required before beginning any risk management activity.
ISO 27005 also supports ISO 27001 compliance, as the latter standard specifies that any controls implemented within the context of an ISMS (information security management system) should be risk based. Implementing an ISO 27005-compliant information security risk management process can satisfy this requirement.