The third edition of this Standard was published in July 2018 but it's rarely referenced in ISMS documentation.
What is ISO 27005 for?
ISO 27005 provides the framework for managing risk that you can customize your methods to suit your individual needs.
ISO 27001 vs ISO 27005
ISO 27001 is intended to be applied to all types of organizations and there is no 'one size fits all' approach upon which to depend. You need to use a specific approach to each sector to achieve maximum benefit.
The involvement of your (proposed) Information Security Team in developing an information risk management framework (as guided by ISO 27005) from the outset is a great way to get buy-in and commitment to your ISO 27001 Project. Don't ignore this Standard, please.
Who Should Take ISO 27005 Training?
ISO 27005 (also known as IEC 27005) will be, or should be, of particular interest to:
- IT Managers and those who implement and maintain an ISMS for their organization,
- Consultants and Advisers who develop, implement and maintain ISMSs, and
- Lead Auditors who wish for a deeper understanding of how risk should be addressed in an ISMS.
Those expecting to find techniques and methods for managing risk will be disappointed as ISO 27005 focuses on the issues and the thinking that should precede the selection of risk management tools and methods (you'll find that in our ISO 27001 Courses).
The best choice for risk management tools and methods remains IEC 31010:2009 Risk management - Risk assessment techniques. With 20+ really useful tools explained with examples, this is the 'Gold Standard' for risk management.
ISO 27005:2018 Clauses
The Contents table, summarised below, tells the whole story. All of the activities mentioned in ISO 27001 are treated one-by-one and then explained in clear, simple terms.
- ISO 27005 Clause 6 Overview of the information security risk management process
- ISO 27005 Clause 7 Context establishment
- ISO 27005 Clause 7.1 General considerations
- ISO 27005 Clause 7.2 Basic criteria
- ISO 27005 Clause 7.3 Scope and boundaries
- ISO 27005 Clause 7.4 Organization for information security risk management
- ISO 27005 Clause 8 Information security risk assessment
- ISO 27005 Clause 8.1 General description of information security risk assessment
- ISO 27005 Clause 8.2 Risk identification
- ISO 27005 Clause 8.3 Risk analysis
- ISO 27005 Clause 8.4 Risk evaluation
- ISO 27005 Clause 9 Information security risk treatment
- ISO 27005 Clause 9.1 General description of risk treatment
- ISO 27005 Clause 9.2 Risk modification
- ISO 27005 Clause 9.3 Risk retention
- ISO 27005 Clause 9.4 Risk avoidance
- ISO 27005 Clause 9.5 Risk sharing
- ISO 27005 Clause 10 Information security risk acceptance
- ISO 27005 Clause 11 Information security risk communication and consultation
- ISO 27005 Clause 12 Information security risk monitoring and review
- ISO 27005 Clause 12.1 Monitoring and review of risk factors
- ISO 27005 Clause 12.2 Risk management monitoring, review and improvement
ISO 27005 Annexes
- Annex A: Defining the scope and boundaries of the information security risk management process
- Annex B: Identification and valuation of assets and impact assessment
- Annex C: Examples of typical threats
- Annex D: Vulnerabilities and methods for vulnerability assessment
- Annex E: Information security risk assessment approaches
- Annex F: Constraints for risk modification
Throughout, copious examples are given and these are the true value in this Standard. Even the vexed question of 'Vulnerability' versus 'Threat' is clearly explained in simple English. For those professionally interested in ISO 27001, and all things about Information Security, this Standard is essential reading.
ISO 27005 Resources
For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.
A good source of information on all things to do with ISO 27001 is iso27001security.com.
Note: Originally published in July 2018; revised and updated in April 2021.