Third edition of this Standard published in July 2018 but rarely referenced in ISMS documentation
This Standard will be, or should be, of particular interest to:
- IT Managers and those who implement and maintain an ISMS for their organization,
- Consultants and Advisers who develop, implement and maintain ISMSs, and
- Lead Auditors who wish for a deeper understanding of how risk should be addressed in an ISMS.
Those expecting to find techniques and methods for managing risk will be disappointed, as the Standard focuses on the issues and the thinking that should precede the selection of risk management tools and methods (you'll find those in our ISO 27001 Courses).
The best choice for risk management tools and methods remains IEC 31010:2009 (Risk management - Risk assessment techniques), which explains 20+ really useful tools with examples. This is the 'Gold Standard' for risk management. But back to ISO 27005:2018 ...
The Contents table, summarised below, tells the whole story. All of the activities mentioned in ISO 27001 are treated one-by-one and then explained in clear, simple terms.
- 6 Overview of the information security risk management process
- 7 Context establishment
- 7.1 General considerations
- 7.2 Basic criteria
- 7.3 Scope and boundaries
- 7.4 Organization for information security risk management
- 8 Information security risk assessment
- 8.1 General description of information security risk assessment
- 8.2 Risk identification
- 8.3 Risk analysis
- 8.4 Risk evaluation
- 9 Information security risk treatment
- 9.1 General description of risk treatment
- 9.2 Risk modification
- 9.3 Risk retention
- 9.4 Risk avoidance
- 9.5 Risk sharing
- 10 Information security risk acceptance
- 11 Information security risk communication and consultation
- 12 Information security risk monitoring and review
- 12.1 Monitoring and review of risk factors
- 12.2 Risk management monitoring, review and improvement
- Annex A: Defining the scope and boundaries of the information security risk management process
- Annex B: Identification and valuation of assets and impact assessment
- Annex C: Examples of typical threats
- Annex D: Vulnerabilities and methods for vulnerability assessment
- Annex E: Information security risk assessment approaches
- Annex F: Constraints for risk modification
Throughout, copious examples are given, and these are the true value of this Standard. Even the vexed question of 'Vulnerability' versus 'Threat' is clearly explained in simple English. For those professionally interested in ISO 27001 and all things Information Security, this Standard is essential reading.
For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.
A good source of information on all things to do with ISO 27001 is iso27001security.com.
What then does ISO 27005 achieve?
It provides the framework for managing risk that you can customize to suit your individual needs. ISO 27001 is intended to be applied to all types of organization, and there is no 'one size fits all' approach upon which to depend. You need to customize information security management for maximum benefit. Involving your (proposed) Information Security Team in developing an information risk management framework from the outset is a great way to get buy-in and commitment to your ISO 27001 Project. Don't ignore this Standard, please.
Note: Originally published in July 2018; revised and updated in April 2021.