ISO/IEC 27005




ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition)

Abstract

“This document provides guidance to assist organizations to: fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; [and] perform information security risk management activities, specifically information security risk assessment and treatment ...”
[Source: ISO/IEC 27005:2022]

Introduction

The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (called “information security risks” in the ISO27k standards, despite that term being undefined) as a prelude to dealing with (“treating”) them in various ways.

Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise addressing the most significant risks represents a governance failure, arguably negligence or mismanagement.


Scope of the standard

The standard guides organisations interpreting and fulfilling ISO/IEC 27001:2022’s requirements to address (identify, evaluate and treat) their information [security] risks. It can also be used independently of ISO/IEC 27001: it is a valuable approach to managing information risks regardless of the framework.


Content of the standard

This is a substantial, weighty standard offering ~70 pages of copious, detailed advice on:

  1. Information security risk management - describes the iterative (ongoing, ‘whack-a-mole’) process of identifying, assessing and treating information [security] risks, comprising both strategic/long-term and operational/medium-short-term cycles.
  2. Context establishment - despite the heading, clause 6 largely concerns methods for determining risk criteria. The organisation’s business context for information risk and security management is covered in clause 10.
  3. Information security risk assessment process - another lengthy clause lays out the process of systematically identifying, analysing, evaluating and prioritising information [security] risks.
  4. Information security risk treatment process - described largely in terms of using information security controls to ‘modify’ (mitigate or maintain) information [security] risks, barely mentioning the other risk treatment options (avoidance, sharing and acceptance).
  5. Operation - a short clause mentions that information [security] risks and treatments should be reviewed regularly or when changes occur.
  6. Leveraging related ISMS processes - this is basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003.
  7. Annex - additional information on risk criteria and practical advice such as examples of threats and vulnerabilities.


Status of the standard

The first (2008), second (2011) and third (2018) editions are ancient history.

The current fourth edition was published in 2022.


Further reading

Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.

ISO 31000 Risk management - Guidelines (free!) is a popular and well-respected standard, describing a systematic risk management approach suitable for many types of risk. You may also appreciate ISO/TR 31004 Risk management - Guidance for the implementation of ISO 31000 and ISO/IEC 31010 Risk management - Risk assessment techniques.


Personal comments

Given that the entire ISO27k approach is risk-aligned, identifying, evaluating and treating information risks is fundamental.

With the fourth edition, the standard tackles the thorny issue of how to use ISO/IEC 27001 Annex A. The annex is described as an incomplete set of possible controls to be checked for relevance to mitigate the organisation’s identified information [security] risks - in other words, a controls-based approach to information risk management, supplementing the scenario-, event- and asset-based approaches mentioned elsewhere. Adopting all four approaches may be costly but there are advantages in exploring information risks from various perspectives.

Having undertaken a survey, TC262 (ISO’s Technical Committee for Risk Management) is likely to review/clarify the somewhat unhelpful definition of ‘risk’ in ISO 31000:2018 (“effect of uncertainty on objectives”), and may also offer guidance on ‘opportunities’. It is possible the two terms will be distinguished, rather than being portrayed as flip sides as at present. I hope that will eventually make things easier for ISO27k and the other management systems standards, but it may stir the already muddy waters.

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights