ISO/IEC 27005:2018 – Information technology — Security techniques — Information security risk management (third edition) – Brief Overview of Standard.

Abstract

“This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC  27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document. This document is applicable to all types of organisations (e.g. commercial enterprises, government agencies, non-profit organisations) which intend to manage risks that can compromise the organisation’s  information security.”

Introduction

The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (which are called “information security risks” in the ISO27k standards) as a prelude to dealing with (“treating”) them in various ways.

Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise addressing the most significant risks represents a governance failure, arguably negligence or mismanagement.

Scope of the standard

The standard ‘provides guidelines for information security risk management and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’

It cites ISO/IEC 27000  as a normative (essential) standard and mentions ISO/IEC 27001ISO/IEC 27002, and ISO 31000 in the content. NIST standards are referenced in the bibliography.

Content of the standard

At 66 pages, this is a substantial standard although around two-thirds is comprised of annexes with examples and additional information.

The standard doesn’t specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:

  • Establish the risk management context (e.g. the scope, compliance obligations, approaches or methods to be used, and relevant policies and criteria such as the organisation’s risk tolerance or appetite);
  • Quantitatively or qualitatively assess (i.e. identify, analyse and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
  • Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
  • Keep stakeholders informed throughout the process; and
  • Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.

Extensive appendices provide additional information, primarily examples demonstrating the recommended approach.

The fourth edition will have the following main clauses (aside from the usual introduction, definitions etc.):

  • Information security risk management – describes the iterative (ongoing, ‘whack-a-mole’) process of identifying, assessing and treating information [security] risks, comprising both strategic/long-term and operational/medium-short-term cycles.
  • Context establishment – despite the heading, clause 6 largely specifies how to determine various criteria relating to information [security] risks e.g. risk acceptance criteria.  The organisation’s business context for information risk and security management is covered in clause 10.
  • Information security risk assessment process – another lengthy clause lays out the process of systematically identifying, analysing, evaluating and prioritising information [security] risks.
  • Information security risk treatment process – describes risk treatment largely in terms of using information security controls to mitigate information [security] risks, with brief and biased outlines of the other treatment options. The standard tackles the thorny issue of how to use ISO/IEC 27001:2013 Annex A describing its use as an incomplete set of possible controls to be checked for relevance to each of the information [security] risks that are to be mitigated.
  • Operation – a short clause mentions that information [security] risks and treatments should be reviewed regularly or when changes occur.
  • Leveraging related ISMS processes – this is basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003.  I don’t really know why it is included in ISO/IEC 27005.

Annexes – additional information such as a cautious explanation of how to determine risk ‘levels’ combining probabilities and impacts of various situations, plus examples of types of threats and vulnerabilities.

Status of the standard

The first (2008) and second (2011) editions are ancient history.

The third edition of ISO/IEC 27005 was published in 2018 – supposedly a temporary stop-gap measure with very limited changes e.g. citing the 2013 edition of ISO/IEC 27001.

A project to revise/rewrite the third edition floundered and was cancelled … then re-started. Development of the fourth edition of ‘27005 is in progress. 

The fourth edition will have a new title: “Information technology – Information security, cybersecurity and privacy protection – Guidance on managing information security risks” and a new scope:

“This document provides guidance to assist organisations to:

– fulfil the requirements of ISO/IEC 27001:2013 concerning actions to address risks;

– perform information security risk management activities, specifically information security risk assessment and treatment.”

 The fourth edition is at Final Draft International Standard stage and is on track for publication in September 2022.

Further reading

Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.

For purchasing an official copy of this standard, please visit www.iso.org

Shopping Cart
💬 Need help?