What is ISO/IEC 27005?

ISO/IEC 27005:2018 – Information technology — Security techniques — Information security risk management

ISO/IEC 27005:2018 (otherwise known as ISO 27005) is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001. When working with ISO 27005, knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.

ISO 27005 is applicable to all organizations. The standard supports the general concepts specified in ISO 27001, and is designed to assist in the implementation of information security based on a risk management approach.

Why is ISO/IEC 27005 essential?

Risk assessments are one of the most important parts of an organization’s ISMS compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied.

ISO 27005 allows your organization to acquire the skills and knowledge necessary to initiate the implementation of an ISMS process. Overall, it demonstrates that you are able to identify, assess, analyze, evaluate and treat various information security risks. In addition, it enables you to support the organization, prioritize risks, and take the actions necessary to reduce and mitigate them.

What is information security risk management?

Information security risk management is essential for the ISMS. It defines an analysis process that allows your organization to understand what may happen and what the consequences may be. This allows organizations to determine what should be done, and when, to reduce risk to an acceptable level. Risk management should be a continuous process that contributes to:

  • Identifying and assessing risk
  • Understanding risk likelihood and the consequences
  • Establishing a priority order for risk treatment
  • Stakeholder involvement in risk management decisions
  • Monitoring the effectiveness of risk treatment
  • Staff awareness of risks and the actions being taken to mitigate them

Benefits of ISO/IEC 27005 Information Security Risk Management

There are ISO/IEC 27005 training courses available that lead to a certificate. The training is a great way to help you and your organization gain the expertise necessary to implement an ISMS based on a risk management approach, ensure that your organization conforms to legal and regulatory requirements, manage an information security and risk management team, and align your ISMS objectives with the objectives of the information security risk management (ISRM) process.

Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for certification – in one simple-to-use package.

Customer Review:

"I have just passed my Audit with zero non-conformances for the second year in a row using your ISO products to write my entire QMS. Thank you for producing documents of this quality"

Bettye Patrick

Buy the Standard

ISO 27001:2022