What is ISO 27005?
ISO 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001.
Risk assessments are one of the most important parts of an organization’s ISO 27001 compliance project. ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied.
ISO 27005 is applicable to all organizations, regardless of size or sector. It supports the general concepts specified in ISO 27001, and is designed to assist the satisfactory implementation of information security based on a risk management approach.
What is information security risk management?
Information security risk management is integral to information security management. It defines the process of analyzing what could happen and what the consequences might be, and helps organizations determine what should be done and when to reduce risk to an acceptable level.
Information security risk management should be a continual process that contributes to:
- Identifying and assessing risk
- Understanding risk likelihood and the consequences for the business
- Establishing a priority order for risk treatment
- Stakeholder involvement in risk management decisions
- The effectiveness of risk treatment monitoring
- Staff awareness of risks and the actions being taken to mitigate them
Organizations should adopt a systematic approach to information security risk to accurately determine their information security needs.
The ISO 27005 risk management process
Although ISO 27005 does not prescribe a particular risk management methodology, it does imply a continual information risk management process built on six key components:
1. Context establishment
2. Risk assessment
3. Risk treatment
4. Risk acceptance
5. Risk communication and consultation
6. Risk monitoring and review
1. Context establishment: The risk management context sets the criteria for how risks are identified, who is responsible for risk ownership, how risks impact the confidentiality, integrity, and availability of the information, and how risk impact and likelihood are calculated.
2. Risk assessment: Many organizations choose to follow an asset-based risk assessment process comprising five key stages:
I. Compiling information assets
II. Identifying the threats and vulnerabilities applicable to each asset
III. Assigning impact and likelihood values based on risk criteria
IV. Evaluating each risk against predetermined levels of acceptability
V. Prioritizing which risks need to be addressed, and in which order
3. Risk treatment: There are four ways to treat a risk:
I. ‘Avoid’ the risk by eliminating it entirely
II. ‘Modify’ the risk by applying security controls
III. ‘Share’ the risk with a third party (through insurance or outsourcing)
IV. ‘Retain’ the risk (if the risk falls within established risk acceptance criteria)
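The five assessment stages and the treatment options above, as an added worked example (this is illustrative code written for this page, not part of ISO 27005 or any product). The 1-to-5 scales, the "score = impact × likelihood" rule, the acceptance threshold and the sample register are all constructed assumptions; an organization defines its own criteria during context establishment.

```python
from dataclasses import dataclass, replace

# Constructed 1..5 scales: example risk criteria, not values from ISO 27005 itself.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
ACCEPTANCE_THRESHOLD = 6  # constructed acceptance criterion: a score of 6 or below is retained


@dataclass(frozen=True)
class Risk:
    asset: str          # stage I: an entry from the information asset inventory
    threat: str         # stage II: threat applicable to the asset
    vulnerability: str  # stage II: weakness the threat could exploit
    impact: int         # stage III: value assigned from the impact criteria
    likelihood: int     # stage III: value assigned from the likelihood criteria

    @property
    def score(self) -> int:
        # Stage III: risk value derived from the impact and likelihood criteria (assumed rule)
        return self.impact * self.likelihood


def needs_treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    # Stage IV: evaluate the risk against the predetermined level of acceptability
    return risk.score > threshold


def prioritise(risks, threshold: int = ACCEPTANCE_THRESHOLD):
    # Stage V: only risks that exceed the acceptance criteria, highest score first
    return sorted((r for r in risks if needs_treatment(r, threshold)),
                  key=lambda r: r.score, reverse=True)


def modify(risk: Risk, new_likelihood: int) -> Risk:
    # Treatment option 'Modify': a control lowers likelihood; the residual risk is then
    # re-evaluated against the same acceptance criteria. Scores at or below the threshold
    # fall under 'Retain'; 'Avoid' and 'Share' are business decisions outside this model.
    return replace(risk, likelihood=new_likelihood)


# Constructed sample risk register (stages I and II)
REGISTER = [
    Risk("customer database", "ransomware", "unpatched server", IMPACT["severe"], LIKELIHOOD["likely"]),
    Risk("customer database", "insider misuse", "excessive privileges", IMPACT["major"], LIKELIHOOD["possible"]),
    Risk("marketing website", "defacement", "weak admin password", IMPACT["minor"], LIKELIHOOD["possible"]),
    Risk("office printer", "hardware failure", "no maintenance contract", IMPACT["negligible"], LIKELIHOOD["likely"]),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score:2d}  {r.asset} / {r.threat} / {r.vulnerability}")
```

Running the block lists only the two risks above the threshold, in treatment order; applying `modify` to the first one and re-checking it with `needs_treatment` shows how a residual risk can drop into the 'Retain' band.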
4. Risk acceptance: Organizations should determine their own criteria for risk acceptance that consider existing policies, goals, objectives, and shareholder interests.
5. Risk communication and consultation: Effective communication is pivotal to the information security risk management process. It ensures that those responsible for implementing risk management understand the basis on which decisions are made, and why certain actions are required. Sharing and exchanging information about risk also facilitates agreement between decision makers and other stakeholders on how to manage risk.
Risk communication activity should be performed continually, and organizations should develop risk communication plans for normal operations as well as emergency situations.
6. Risk monitoring and review: Risks are not static and can change abruptly. Therefore, they should be continually monitored in order to quickly identify changes and maintain a complete overview of the risk picture.
Organizations should keep a close eye on:
- Any new assets included within the risk management scope
- Asset values that require modification in response to changing business requirements
- New threats, whether external or internal, that have yet to be assessed
- Information security incidents
Why should organizations adopt ISO 27005?
Unlike other popular risk management standards that adopt a one-size-fits-all approach, ISO 27005 is flexible in nature and allows organizations to select their own approach to risk assessment based on their specific business objectives.
ISO 27005 follows a simple, repeatable structure with each of the main clauses organized into the following four sections:
- Input: the information necessary to perform an action
- Action: the activity itself
- Implementation guidance: any additional detail
- Output: the information that should have been generated by the activity
This consistent approach helps to ensure that organizations have all the information required before beginning any risk management activity.
ISO 27005 also supports ISO 27001 compliance, as the latter standard specifies that any controls implemented within the context of an ISMS (information security management system) should be risk based. Implementing an ISO 27005-compliant information security risk management process can satisfy this requirement.