ISO 27005

What is ISO 27005?

ISO 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001. 

Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied.

ISO 27005 is applicable to all organisations, regardless of size or sector. It supports the general concepts specified in ISO 27001, and is designed to assist the satisfactory implementation of information security based on a risk management approach.

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

Complete error-free and compliant risk assessments with vsRisk

vsRisk is the leading information security risk assessment tool by Vigilant Software. Vigilant Software, is an IT Governance sister company. 

Find out more

What is information security risk management?

Information security risk management is integral to information security management. It defines the process of analysing what could happen and what the consequences might be, and helps organisations determine what should be done and when to reduce risk to an acceptable level.

Information security risk management should be a continual process that contributes to:

  • Identifying and assessing risk.
  • Understanding risk likelihood and the consequences for the business.
  • Establishing a priority order for risk treatment.
  • Stakeholder involvement in risk management decisions.
  • The effectiveness of risk treatment monitoring; and
  • Staff awareness of risks and the actions being taken to mitigate them.  

Organisations should adopt a systematic approach to information security risk to accurately determine their information security needs.

The ISO 27005 risk management process

Although ISO 27005 does not specify any specific risk management methodology, it does imply a continual information risk management process based on six key components:

  1. Context establishment
  2. Risk assessment
  3. Risk treatment
  4. Risk acceptance
  5. Risk acceptance
  6. Risk monitoring and review:
ISO 27005 risk management process

The 6 key components of the risk management process:

1. Context establishment:

The risk management context sets the criteria for how risks are identified, who is responsible for risk ownership, how risks impact the confidentiality, integrity, and availability of the information, and how risk impact and likelihood are calculated.

2. Risk assessment:

Many organisations choose to follow an asset-based risk assessment process comprising five key stages:

1) Compiling information assets.
2) Identifying the threats and vulnerabilities applicable to each asset.
3) Assigning impact and likelihood values based on risk criteria.
4) Evaluating each risk against predetermined levels of acceptability.
5) Prioritising which risks need to be addressed, and in which order.

3. Risk treatment:

There are four ways to treat a risk:

1) ‘Avoid’ the risk by eliminating it entirely.
2) ‘Modify’ the risk by applying security controls.
3) ‘Share’ the risk with a third party (through insurance or outsourcing).
4) ‘Retain’ the risk (if the risk falls within established risk acceptance criteria).

4. Risk acceptance:

Organisations should determine their own criteria for risk acceptance that consider existing policies, goals, objectives, and shareholder interests.

5. Risk communication and consultation:

Effective communication is pivotal to the information security risk management process. It ensures that those responsible for implementing risk management understand the basis on which decisions are made, and why certain actions are required. Sharing and exchanging information about risk also facilitates agreement between decision makers and other stakeholders on how to manage risk.

Risk communication activity should be performed continually, and organisations should develop risk communication plans for normal operations as well as emergency situations.

6. Risk monitoring and review:

Risks are not static and can change abruptly. Therefore, they should be continually monitored to quickly identify changes and maintain a complete overview of the risk picture.

Organisations should also keep a close eye on:

  • Any new assets included within the risk management scope.
  • Asset values that require modification in response to changing business requirements.
  • New threats, whether external or internal, that have yet to be assessed; and  
  • Information security incidents.  

Why should organisations adopt ISO 27005?

Unlike other popular risk management standards that adopt a one-size-fits-all approach, ISO 27005 is flexible in nature and allows organisations to select their own approach to risk assessment based on their specific business objectives.

ISO 27005 follows a simple, repeatable structure with each of the main clauses organised into the following four sections:

  1. Input: the information necessary to perform an action.
  2. Action: the activity itself.
  3. Implementation guidance: any additional detail.
  4. Output: the information that should have been generated by the activity.

This consistent approach helps to ensure that organisations have all the information required before beginning any risk management activity.

ISO 27005 also supports ISO 27001 compliance, as the latter standard specifies that any controls implemented within the context of an ISMS (information security management system) should be risk based. Implementing an ISO 27005-compliant information security risk management process can satisfy this requirement.

ISO 27005 training

Certified Information Security Risk Management training course

If you are responsible for implementing and maintaining an ISO 27001-compliant ISMS and want to develop your practical risk management skills, this course is the perfect starting point.

The course will teach you:

  • All about the ISO 27005 information risk management standard.
  • The key information security risk assessment processes.
  • The skills and knowledge required to implement an information risk management programme based on ISO 27005:2018; and
  • How to communicate, monitor and review risk management activities. 

Book your place

ISO 27005 Risk Assessment Software

Error-free and ISO 27001-compliant risk assessments

vsRisk is the leading information security risk assessment tool that helps you complete error-free risk assessments year after year.

With vsRisk you can:

  • Import assets or create your own.
  • Establish your risk acceptance criteria and customise the likelihood and impact scales of individual risks.
  • Once the settings have been configured, the built-in wizard guides you through each step of the risk assessment process.
  • Identify risks by selecting threats and vulnerabilities from built-in databases.
  • Record how you plan to respond to each risk.
  • Apply the necessary controls from built-in libraries to treat risks.
  • Generate audit-ready reports, including the SoA and risk treatment plan.

View vsRisk

PROTECT YOUR
BUSINESS
THIS WINTER