ISO 27005:2018 Information Security Risk Management


The third edition of this Standard was published in July 2018 but is rarely referenced in ISMS documentation

This Standard will be, or should be, of particular interest to:

  • IT Managers and those who implement and maintain an ISMS for their organization,
  • Consultants and Advisers who develop, implement and maintain ISMSs, and
  • Lead Auditors who wish for a deeper understanding of how risk should be addressed in an ISMS.

Those expecting to find techniques and methods for managing risk will be disappointed, as the Standard focuses on the issues and the thinking that should precede the selection of risk management tools and methods (you'll find those in our ISO 27001 Courses).

The best choice for risk management tools and methods remains IEC 31010:2009 Risk management - Risk assessment techniques, with 20+ really useful tools explained with examples. This is the 'Gold Standard' for risk management. But back to ISO 27005:2018 ...

The Contents table, summarised below, tells the whole story. All of the activities mentioned in ISO 27001 are treated one-by-one and then explained in clear, simple terms.

  • 6 Overview of the information security risk management process
  • 7 Context establishment 
  • 7.1 General considerations 
  • 7.2 Basic criteria 
  • 7.3 Scope and boundaries 
  • 7.4 Organization for information security risk management
  • 8 Information security risk assessment
  • 8.1 General description of information security risk assessment 
  • 8.2 Risk identification 
  • 8.3 Risk analysis 
  • 8.4 Risk evaluation
  • 9 Information security risk treatment
  • 9.1 General description of risk treatment
  • 9.2 Risk modification 
  • 9.3 Risk retention 
  • 9.4 Risk avoidance
  • 9.5 Risk sharing 
  • 10 Information security risk acceptance 
  • 11 Information security risk communication and consultation
  • 12 Information security risk monitoring and review
  • 12.1 Monitoring and review of risk factors
  • 12.2 Risk management monitoring, review and improvement

But as is so often the case in ISO Standards the best has been kept 'til last - the Annexes. These are:

Annex A: Defining the scope and boundaries of the information security risk management process

Annex B: Identification and valuation of assets and impact assessment

Annex C: Examples of typical threats

Annex D: Vulnerabilities and methods for vulnerability assessment

Annex E:  Information security risk assessment approaches

Annex F: Constraints for risk modification

Throughout, copious examples are given, and these are the true value in this Standard. Even the vexed question of 'Vulnerability' versus 'Threat' is clearly explained in simple English. For those professionally interested in ISO 27001 and all things about Information Security, this Standard is essential reading.


For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.

A good source of information on all things to do with ISO 27001 is

What then does ISO 27005 achieve?

It provides the framework for managing risk that you can customize to suit your individual needs. ISO 27001 is intended to be applied to all types of organization, and there is no 'one size fits all' approach upon which to depend. You need to customize information security management for maximum benefit. And the involvement of your (proposed) Information Security Team in developing an information risk management framework from the outset is a great way to get buy-in and commitment to your ISO 27001 Project. Don't ignore this Standard, please.


Note: Originally published in July 2018; revised and updated in April 2021.

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.
