ISO 27005:2018 Information Security Management Systems Risk Management

Third edition of this Standard published in July 2018

This Standard will be of particular interest to:

  • IT Managers and those who implement and maintain an ISMS for their organization,
  • Consultants and Advisers who develop, implement and maintain ISMSs, and
  • Lead Auditors who wish for a deeper understanding of how risk should be addressed in an ISMS.

Those expecting to find techniques and methods for managing risk will be disappointed, as the Standard focuses on the issues and the thinking that should precede the selection of risk management tools and methods.

The best choice for risk management tools and methods remains IEC 31010:2009 Risk management - Risk assessment techniques, with 20+ really useful tools explained with examples. This is the 'Gold Standard' for risk management. But back to ISO 27005:2018 ...

The Contents table, summarised below, tells the whole story. All of the activities mentioned in ISO 27001 are treated one by one and then explained in clear, simple terms.

  • 6 Overview of the information security risk management process
  • 7 Context establishment
      • 7.1 General considerations
      • 7.2 Basic criteria
      • 7.3 Scope and boundaries
      • 7.4 Organization for information security risk management
  • 8 Information security risk assessment
      • 8.1 General description of information security risk assessment
      • 8.2 Risk identification
      • 8.3 Risk analysis
      • 8.4 Risk evaluation
  • 9 Information security risk treatment
      • 9.1 General description of risk treatment
      • 9.2 Risk modification
      • 9.3 Risk retention
      • 9.4 Risk avoidance
      • 9.5 Risk sharing
  • 10 Information security risk acceptance
  • 11 Information security risk communication and consultation
  • 12 Information security risk monitoring and review
      • 12.1 Monitoring and review of risk factors
      • 12.2 Risk management monitoring, review and improvement

But, as is so often the case in ISO Standards, the best has been kept 'til last - the Annexes. These are:

Annex A: Defining the scope and boundaries of the information security risk management process

Annex B: Identification and valuation of assets and impact assessment

Annex C: Examples of typical threats

Annex D: Vulnerabilities and methods for vulnerability assessment

Annex E: Information security risk assessment approaches

Annex F: Constraints for risk modification

Throughout, copious examples are given, and these are the true value of this Standard. Even the vexed question of 'Vulnerability' versus 'Threat' is clearly explained in simple English. For those professionally interested in ISO 27001 and all things about Information Security, this Standard is essential reading.

For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.

A good source of information on all things to do with ISO 27001 is iso27001security.com.

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.