< Previous standard ^ Up a level ^ Next standard >
ISO/IEC 27005:2018 — Information technology — Security techniques — Information security risk management (third edition)
“This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document. This document is applicable to all types of organisations (e.g. commercial enterprises, government agencies, non-profit organisations) which intend to manage risks that can compromise the organisation's information security.”
[Source: ISO/IEC 27005:2018]
The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (which are called “information security risks” in the ISO27k standards) as a prelude to dealing with (“treating”) them in various ways.
Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise addressing the most significant risks represents a governance failure, arguably negligence or mismanagement.
Scope of the standard
The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’
It cites ISO/IEC 27000 as a normative (essential) standard, and mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST standards are referenced in the bibliography.
Content of the standard
At 66 pages, this is a substantial standard although around two-thirds is comprised of annexes with examples and additional information.
The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
- Establish the risk management context (e.g. the scope, compliance obligations, approaches or methods to be used and relevant policies and criteria such as the organisation’s risk tolerance or appetite);
- Quantitatively or qualitatively assess (i.e. identify, analyse and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
- Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
- Keep stakeholders informed throughout the process; and
- Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
Extensive appendices provide additional information, primarily examples demonstrating the recommended approach.
The fourth edition will have the following main clauses (aside from the usual introduction, definitions etc.):
5. Information security risk management - describes the iterative (ongoing, ‘whack-a-mole’) process of identifying, assessing and treating information [security] risks, comprising both strategic/long-term and operational/medium-short-term cycles.
6. Context establishment - despite the heading, clause 6 largely specifies how to determine various criteria relating to information [security] risks e.g. risk acceptance criteria. The organisation’s business context for information risk and security management is covered in clause 10.
7. Information security risk assessment process - another lengthy clause lays out the process of systematically identifying, analysing, evaluating and prioritising information [security] risks.
8. Information security risk treatment process - describes risk treatment largely in terms of using information security controls to mitigate information [security] risks, with brief and biased outlines of the other treatment options. The standard tackles the thorny issue of how to use ISO/IEC 27001:2013 Annex A describing its use as an incomplete set of possible controls to be checked for relevance to each of the information [security] risks that are to be mitigated.
9. Operation - a short clause mentions that information [security] risks and treatments should be reviewed regularly or when changes occur.
10. Leveraging related ISMS processes - this is basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003. I don’t really know why it is included in ISO/IEC 27005.
Annexes - additional information such as a cautious explanaton of how to determine risk ‘levels’ combining probabilities and impacts of various situations, plus examples of types of threats and vulnerabilities.
Status of the standard
The first (2008) and second (2011) editions are ancient history.
The third edition of ISO/IEC 27005 was published in 2018 - supposedly a temporary stop-gap measure with very limited changes e.g. citing the 2013 edition of ISO/IEC 27001.
A project to revise/rewrite the third edition floundered and was cancelled ... then re-started. Development of the fourth edition of ‘27005 is in progress.
The fourth edition will have a new title: “Information technology - Information security, cybersecurity and privacy protection - Guidance on managing information security risks” and a new scope:
“This document provides guidance to assist organisations to:
- fulfil the requirements of ISO/IEC 27001:2013 concerning actions to address risks; and
- perform information security risk management activities, specifically information security risk assessment and treatment.”
The fourth edition remains on track for publication in September 2022.
Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.
Given that the entire ISO27k approach is risk-aligned, identifying, evaluating and treating information risks is fundamental. The fourth edition of ISO/IEC 27005 is due to be published at about the same time as the next release of ISO/IEC 27001. The revision of ‘27005 was intended to support the updated ISMS specification and rewritten Annex A controls catalogue ... but significant problems and delays on the ‘27005 revision project mean the fourth edition will cite the previous (2013) versions of those standards, making it out of date before it is even published. What a mess, a travesty! At least until the subsequent edition of ‘27005 is released, the risk-based ISO27k standards are destined to remain without a clear, up-to-date (if not cutting-edge) standard on information risk management, leaving the suite fundamentally flawed.
SC 27 has missed the opportunity to reframe this standard to cover information risk management, defining ‘information risk’ along the lines of “risk pertaining to information” in place of the undefined, unhelpful and frankly misleading phrase ‘information security risk’.
There are lots of areas where this standard could offer useful advice. If it were mine, I would rewrite ‘27005 from scratch to:
- Explain what ‘information risk’ is, for starters - defining it formally (properly), clearly, helpfully and without the torture and ambiguity of the current gibberish, and then explaining it in more accessible and understandable terms;
- Outline the organisational/business context for information risk management - how it relates to the management of other kinds of risk, and how risk management supports management and governance of the organisation, not least supporting and enabling achievement of the organisation’s strategic/business goals;
- Outline the core risk management process roughly along these lines:
- Elaborate on each of those 8 core activities in more depth, offering pragmatic advice on suitable methods and approaches (e.g. the four ways to treat risk; how to measure, evaluate and compare risks; how to spot and react to changes, and how to predict changes using trends, statistical techniques and situational awareness);
- Describe the process management and governance aspects e.g.:
- Scoping and setting objectives;
- Clarifying roles, responsibilities and accountabilities;
- Resourcing: forming, supporting, monitoring managing, guiding, controlling ... a competent core team of specialists, with strong links to related experts and functions (internal and external to the organisation) and the business at large;
- Planning, prioritising, re-planning (responding dynamically to changes and opportunities that arise), liaising and coordinating with other teams and organisations, and handling issues;
- Documenting the work, reviewing, discussing and authorising/approving key decisions, generating and using suitable metrics etc.
- Explain the links to related concepts, citing relevant standards and methods e.g.:
- Sound reasons for consciously and deliberately taking risks - the upside or opportunities arising;
- Accountability and responsibility, plus the concept of information [asset, risk and security] ownership;
- IT or cyber-risks - specifically relating to networks, IT systems, data, applications, coding and technology;
- Non-IT/cyber information risks e.g. those relating to people, intellectual property, tangible assets, compliance, supplier relations (such as cloud) and more;
- Mitigating information risks using information security controls, where appropriate (noting that controls are not necessarily appropriate, despite what infosec pro’s commonly believe and imply);
- Business continuity management and cyberinsurance;
- Supplier/partner/customer relationship management and the community, social and societal aspects of information risk, and ethics.
- An appendix, perhaps, with advice on different methods, systems and approaches for information risk management, risk assessment, risk analysis, risk treatment etc. including those from other fields e.g. commercial risks, health and safety risks, environmental risks, technology (especially but not only IT) risks, innovation risks, strategic risks, relationship risks, project risks, financial risks ...
- Links to supporting resources, such as online databases and standards concerning typical threats, vulnerabilities, impacts and controls.
British Standards suggested that ISO/IEC 27005 should be largely replaced by BS7799-3:2017 which would bring ISO27k neatly back to its roots, but that is evidently not going to happen.
< Previous standard ^ Up a level ^ Next standard >