ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management (second edition)
Although the 2011 version of ISO/IEC 27005 is the latest (current) official release, it still does not reflect the 2013 updates to both 27001 and 27002. The project to update the standard failed and has been restarted. Meanwhile a correction to the 2011 version is in the works as a temporary and partial fix. Read on for more info.
The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information (called “information security risks” in the standards, but in reality they are simply information risks) as a prelude to treating them in various ways. Dealing with the highest risks first makes sense from the practical implementation and management perspectives.
Scope of the standard
The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’
It cites ISO/IEC 27000 and the 2005 version of ISO/IEC 27001 as normative (essential) standards, and also mentions ISO/IEC 27002 in the scope section.
Content of the standard
At around 70 pages, ISO/IEC 27005 is a heavyweight standard although the main part is just 26 pages, the rest being mostly annexes with examples and further information for users.
The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
- Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
- Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
- Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
- Keep stakeholders informed throughout the process; and
- Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.
Status of the standard
The current second edition of ISO/IEC 27005 was published in 2011. It reflects the general corporate or enterprise-wide risk management standard ISO 31000:2009 “Risk management - Principles and guidelines” in the specific context of risks to or involving information. It is out of date since 27001 was revised in 2013.
A third edition (a “minor revision”) of ‘27005 may be published during 2018. This is a stop-gap measure with limited changes to bring it into line with the current ‘27001.
A project to revise the standard made insufficient progress and was cancelled then re-started. Development of the fourth edition of ‘27005 is now under way. The working title “Guidance on managing information security risks and opportunities” gives a strong hint that it will directly support section 6.1 of ISO/IEC 27001:2013. It will offer guidance, mostly on the information security risk management process: whether opportunities and ISO 31000 get a look-in is unclear at this point.
Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.
The derailment and cancellation of the first 2011 standard update project created a problem for ISO27k in that it is a suite of risk-aligned standards without an adequate explanation of how to handle information risks. The edifice lacks foundations, quite a predicament. However all is not lost because risk management is broadly-applicable and well covered by many other standards, guidelines and approaches, including several in the domain of information risk management, specifically. One might even argue that 27005 is superfluous.
A root cause of the predicament concerns how SC 27 [mis]interpreted and adapted the boilerplate wording imposed by JTC1 on ISO/IEC 27001 section 6.1 “Actions to address risks and opportunities”. I believe JTC1 intended that section to have addressed risks to and opportunities for the management system, not for information or even information security, a crucial distinction.
Revising 27005 presents a golden opportunity to reframe it as a standard on information risk management where “information risk” would be defined as “risk pertaining to information”. Among other things, that would remove references to “information security risk”, a curiosity of the current standard. What is that, exactly? It is not explicitly defined as a term. A note to the definition of risk in ISO/IEC 27000 refers to it as the “effect of uncertainty on information security objectives”. A note to the definition of objective says, rather enigmatically, “information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.” So, stitching those two together, information security risk is defined as “the effect of uncertainty on information security objectives set by the organization, consistent with the information security policy, to achieve specific results”. Frankly I’m none the wiser, if anything more confused by the tortuous explanation.
< Previous standard ^ Up a level ^ Next standard >