ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.
The standard offers advice on systematically identifying, assessing, evaluating and treating information security risks - processes at the very heart of an ISO27k Information Security Management System (ISMS). It aims to ensure that organizations design, implement, manage, monitor and maintain their information security controls and other arrangements rationally, according to their information security risks.
The current third edition of ISO/IEC 27005 was published in 2018. A fourth edition is being drafted and is due to be published at the end of 2022.
ISO/IEC 27005 does not specify or recommend specific risk management methods in detail. Instead, it discusses the process in more general terms, drawing on the generic risk management method described by ISO 31000, i.e.:
- Identify and assess the risks;
- Decide what to do about the risks (how to 'treat' them) ... and do it;
- Monitor the risks, risk treatments etc., identifying and responding appropriately to significant changes, issues/concerns or opportunities for improvement;
- Keep stakeholders (principally the organization's management) informed throughout the process.
Within that broad framework, organizations are encouraged to select/develop and use whichever information risk management methods, strategies and/or approaches best suit their particular needs - for example:
- Identifying the possibility of various incidents, situations or scenarios that would compromise or harm the confidentiality, integrity and/or availability of information;
- Assessing threats to, vulnerabilities within and business impacts potentially arising from incidents involving IT systems and networks, plus manual information processing, information on paper or expressed in words and pictures, plus intangible information such as knowledge, intellectual property etc.;
- Considering factors that are wholly within the organization's control, entirely outside its control, or partially controllable;
- Determining the absolute or relative values of various forms, types or categories of information to the organization, in particular information and information processing that is critical to the achievement of important business objectives;
- Sizing-up information risks using quantitative or qualitative/comparative methods to estimate/determine the probability/likelihood of various types of incident and the organizational impacts if they were to occur;
- Considering and managing information risks in relation to other kinds (e.g. strategic, commercial/market, product, IT, health and safety, and legal/regulatory compliance risks);
- Applying/adapting risk management methods and approaches already used by the organization, adopting good practices, or developing new/hybrid approaches;
- Deciding whether to avoid the risks (typically by not starting or pulling out of risky activities), share them with third parties (e.g. through cyber-insurance or contractual clauses), mitigate them using information security controls, or retain/accept them, applying risk appetite/tolerance criteria;
- Prioritizing according to the significance or nature of the risks, and the cost-effectiveness or other implications of the risk treatments under consideration, planning to treat them accordingly, allocating resources etc.;
- Mitigating information risks by reducing their probability and/or impact in various ways e.g. selecting automated, manual, physical or administrative controls that are preventive, detective or corrective;
- Dealing with uncertainties, including those within the risk management process itself (e.g. the occurrence of unanticipated incidents, unfortunate coincidences, errors of judgment and partial or complete failure of controls);
- Gaining assurance through testing, assessment, evaluation, reviews, audits etc. that the chosen risk treatments are appropriate and remain sufficiently effective in practice;
- Complying with relevant requirements or obligations that are imposed on, or voluntarily accepted by, the organization through various laws, regulations, contracts, agreements, standards, codes etc. (e.g. privacy laws, PCI-DSS, ethical and environmental considerations);
- Learning from experience (including incidents experienced by the organization plus near-misses, and those affecting comparable organizations) and continuously improving.
The ISO/IEC 27000-series of standards are applicable to all types and sizes of organization - a very diverse group, hence it would not be appropriate to mandate specific approaches, methods, risks or controls for them all. Instead, the standards provide general guidance under the umbrella of a management system. Managers are encouraged to follow structured methods that are relevant to and appropriate for their organization's particular situation, rationally and systematically dealing with their information risks.
Identifying and bringing information risks under management control helps ensure that they are treated appropriately, in a way that responds to changes and takes advantage of improvement opportunities, leading over time to greater maturity and effectiveness of the ISMS.
Structure and content of the standard
ISO/IEC 27005:2018 has the conventional structure common to other ISO/IEC standards, with the following main sections:
- Overview of the information security risk management process
- Context establishment
- Information security risk assessment
- Information security risk treatment
- Information security risk acceptance
- Information security risk communication and consultation
- Information security risk monitoring and review
And six appendices:
- Defining the scope and boundaries of the information security risk management process
- Identification and valuation of assets and impact assessment
- Examples of typical threats
- Vulnerabilities and methods for vulnerability assessment
- Information security risk assessment approaches
- Constraints for risk modification