This article may rely excessively on sources too closely associated with the subject, potentially preventing the article from being verifiable and neutral. Please help improve it by replacing them with more appropriate citations to reliable, independent, third-party sources. (September 2022) (Learn how and when to remove this template message)

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information.[1] It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

The standard offers advice on systematically identifying, assessing, evaluating and treating information security risks - processes at the very heart of an ISO27k Information Security Management System (ISMS). It aims to ensure that organizations design, implement, manage, monitor and maintain their information security controls and other arrangements rationally, according to their information security risks.

The current third edition of ISO/IEC 27005 was published in 2018. A fourth edition is being drafted[2] and is due to be published at the end of 2022.[3]


ISO/IEC 27005 does not specify or recommend specific risk management methods in detail. Instead it discusses the process in more general/overall terms, drawing on the generic risk management method described by ISO 31000[4] i.e.:

Within that broad framework, organizations are encouraged to select/develop and use whichever information risk management methods, strategies and/or approaches best suit their particular needs - for example:[5]


The ISO/IEC 27000-series of standards are applicable to all types and sizes of organization - a very diverse group, hence it would not be appropriate to mandate specific approaches, methods, risks or controls for them all. Instead, the standards provide general guidance under the umbrella of a management system. Managers are encouraged to follow structured methods that are relevant to and appropriate for their organization's particular situation, rationally and systematically dealing with their information risks.

Identifying and bringing information risks under management control helps ensure that they are treated appropriately, in a way that responds to changes and takes advantage of improvement opportunities leading over time to greater maturity and effectiveness of the ISMS.

Structure and content of the standard

ISO/IEC 27005:2018 has the conventional structure common to other ISO/IEC standards, with the following main sections:[6]

  1. Background
  2. Overview of the information security risk management process
  3. Context establishment
  4. Information security risk assessment
  5. Information security risk treatment
  6. Information security risk acceptance
  7. Information security risk communication and consultation
  8. information security risk monitoring and review

And six appendices:

  1. Defining the scope and boundaries of the information security risk management process
  2. Identification and valuation of assets and impact assessment
  3. Examples of typical threats
  4. Vulnerabilities and methods for vulnerability assessment
  5. Information security risk assessment approaches
  6. Constraints for risk modification


  1. ^ "ISO/IEC 27005:2018". Retrieved 17 April 2021.
  2. ^ "ISO/IEC 27005 forthcoming". Retrieved 17 April 2021.
  3. ^ "ISO/IEC 27005". Retrieved 17 April 2021.
  4. ^ "ISO 31000 risk management". Retrieved 17 April 2021.
  5. ^ "ISO27k FAQ". Retrieved 17 April 2021.
  6. ^ "ISO preview of 27005:2018". Retrieved 17 April 2021.