ISO/IEC 27005:2018 — Information technology — Security techniques — Information security risk management (third edition)
The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess risks to their information (called “information security risks” in the ISO27k standards, but in reality they are simply information risks) as a prelude to treating them in various ways. Dealing with the most significant information risks first makes sense from the practical implementation and management perspectives.
Scope of the standard
The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’
It cites ISO/IEC 27000 as a normative (essential) standard, and mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST standards are referenced in the bibliography.
Content of the standard
At 66 pages, ISO/IEC 27005 is a substantial standard, although around two-thirds of it consists of annexes with examples and additional information.
The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
- Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
- Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
- Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
- Keep stakeholders informed throughout the process; and
- Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
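The activity sequence just listed, worked through as an added example that is not from the standard (which names no method): a small risk register using constructed 1-5 scales, a constructed risk appetite and a constructed sample register, which evaluates and prioritizes risks by their level, records one of the four treatment options, and can be re-evaluated to review whether the residual risk is acceptable.

```python
from dataclasses import dataclass, replace

# Context (constructed): 1-5 qualitative scales, an acceptance criterion, the four treatment options
RISK_APPETITE = 6                 # level of risk the organization accepts untreated
TREATMENTS = ("modify", "retain", "avoid", "share")

@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str                 # threat exploiting a vulnerability
    likelihood: int               # 1 rare .. 5 almost certain, given existing controls
    consequence: int              # 1 negligible .. 5 severe business consequence
    treatment: str = "untreated"

    def level(self) -> int:
        """Level of risk = likelihood x consequence; an avoided scenario has none."""
        if self.treatment == "avoid":
            return 0
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError(f"{self.asset}: scores must lie on the 1-5 scale")
        return self.likelihood * self.consequence

def evaluate(register):
    """Assess: rank by level (highest first) and flag risks above appetite; rerun it to review."""
    ranked = sorted(register, key=lambda r: r.level(), reverse=True)
    return [(r, r.level() > RISK_APPETITE) for r in ranked]

def treat(risk, option, likelihood=None, consequence=None):
    """Treat one risk and return the residual record. modify: a control lowers the
    scores the caller supplies; share: insurance/outsourcing lowers consequence;
    avoid: the activity stops; retain: accepted unchanged, only within appetite."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option == "retain":
        if risk.level() > RISK_APPETITE:
            raise ValueError(f"{risk.asset}: level {risk.level()} exceeds appetite")
        return replace(risk, treatment="retain")
    if option == "avoid":
        return replace(risk, treatment="avoid")
    residual = replace(risk, treatment=option, likelihood=likelihood or risk.likelihood,
                       consequence=consequence or risk.consequence)
    if residual.level() >= risk.level():
        raise ValueError(f"{risk.asset}: {option} must reduce the level of risk")
    return residual

# Constructed sample register, not taken from the standard
REGISTER = [
    Risk("customer database", "injection attack via the web front end", 4, 5),
    Risk("marketing website", "defacement of static pages", 2, 3),
]
```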
Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.
Status of the standard
The first and second editions are ancient history.
The third edition of ISO/IEC 27005 was published in 2018. This was a “minor revision”, a temporary stop-gap measure with very limited changes - the main one being that references to ISO/IEC 27001 cite the 2013 edition. Golly.
A project to revise/rewrite the standard floundered and was cancelled ... and then re-started. Development of the fourth edition of ‘27005 is in progress. Hopefully, the fourth edition of ISO/IEC 27005 will be published at about the same time as the next release of ISO/IEC 27001, supporting the updated ISMS specification ... but that’s not guaranteed. A substantial volume of comments including some fundamental issues with the process of information risk management indicate that this project is, once more, tackling a rocky uphill path, in slippers, in Winter.
The fourth edition is at 2nd Committee Draft stage, with a new title: “Information security, cybersecurity and privacy protection - Guidance on managing information security risks and opportunities” and a new scope:
“This document provides guidance to assist organizations to:
a) fulfil the requirements of ISO/IEC 27001 concerning actions to address risks and opportunities, specifically to perform information security risk assessment and treatment, and
b) perform information security risk management activities.”
Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.
The draft fourth edition looks likely to have the following main clauses:
- Risks and opportunities relating to the outcome(s) of the ISMS - an ambiguous and unhelpful discussion around ‘opportunities’ that (it seems to me) largely misses the point about the value of consciously and deliberately taking chances under various real-world circumstances, the antithesis to the avid risk aversion of most information security professionals (which I guess is why the project team just doesn’t get it, as exemplified by the bizarre statement “Risks are uncertainties which can make it more difficult to achieve objectives. Opportunities are uncertainties that make it easier to achieve objectives.”).
- Information security risk management - describes the classic ISO27k approach to identifying, evaluating, treating and monitoring/managing information [security] risks.
- Context establishment - deals with (furthers!) the muddle around whether this standard, and clause 6 of ISO/IEC 27001, is meant to cover information [security] risks, risks to the ISMS, or both. This lengthy clause also explains about setting objectives and criteria for managing information [security] risks. I’m not sure what this has to do with ‘context’ as in the business or organizational context for managing information risks, which is what ‘27001 means by context.
- Information security risk assessment process - another lengthy clause lays out the process of systematically identifying, analyzing, evaluating and prioritizing information [security] risks.
- Information security risk treatment process - describes risk treatment largely in terms of using information security controls to mitigate information [security] risks, with brief and biased outlines of the other treatment options. The standard tackles the thorny issue of how to use ISO/IEC 27001 Annex A, describing it as an incomplete set of possible controls to be checked for relevance to each of the information [security] risks that are to be mitigated.
- Operation - a short clause mentions that information [security] risks and treatments should be reviewed regularly or when changes occur.
- Leveraging related ISMS processes - despite the title, this clause is basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003. I don’t know why it is to be included in ISO/IEC 27005.
SC 27 has missed the opportunity to reframe this standard to cover information risk management where ‘information risk’ might be defined along the lines of “risk pertaining to information”, removing the unhelpful term ‘information security risk’. Given that the entire ISO27k approach is supposedly risk-aligned, identifying, evaluating and treating information risks is fundamental. There are lots of areas where it could offer useful advice e.g.:
- Explain what ‘information risk’ is, for starters - defining it formally (properly), clearly, helpfully and without the torture and ambiguity of the current gibberish, and then explaining it in more accessible and understandable terms;
- Outline the organizational/business context for information risk management - how it relates to the management of other kinds of risk, and how risk management supports management and governance of the organization;
- Outline the core risk management process roughly along these lines:
- Elaborate on each of those activities in more depth, offering pragmatic advice on suitable methods and approaches (e.g. the four ways to treat risk; how to measure, evaluate and compare risks; how to spot and react to changes, and how to predict changes using trends, statistical techniques and situational awareness);
- Describe the process management and governance aspects e.g. scoping and setting objectives, planning and resourcing, forming a competent team, documenting the work, reviewing and authorizing things, and handling issues;
- Explain the links to related concepts, citing relevant standards e.g.:
  - Sound reasons for consciously and deliberately taking risks - the upside or opportunities arising;
  - Accountability and responsibility, plus the concept of information [risk] ownership;
  - IT or cyber-risks - specifically relating to networks, IT systems, data, applications, coding and technology;
  - Non-IT/cyber information risks e.g. those relating to people, intellectual property, tangible assets, compliance and more;
  - Mitigating information risks using information security controls, where appropriate (noting that security controls are not necessarily necessary, despite what infosec pros commonly think);
  - Business continuity management and cyberinsurance;
  - Cloud, supplier/partner/customer relationship management and the community, social and societal aspects of information risk.
- An appendix, perhaps, with advice on different methods, systems and approaches to information risk management, risk assessment, risk analysis, risk treatment etc. including those from other fields e.g. commercial risks, health and safety risks, environmental risks, technology risks, innovation risks, strategic risks, relationship risks, project risks, financial risks ...
Meanwhile, it has been suggested (by British Standards) that ISO/IEC 27005 should be largely replaced by BS7799-3:2017 ... which has the merit of expediency, and brings ISO27k neatly back to its roots.