ISO/IEC 27005:2018 — Information technology — Security techniques — Information security risk management (third edition)
The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess risks to their information (called “information security risks” in the ISO27k standards, but in reality they are simply information risks) as a prelude to treating them in various ways. Dealing with the most significant information risks first makes sense from the practical implementation and management perspectives.
Scope of the standard
The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’
It cites ISO/IEC 27000 as a normative (essential) standard, and mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST standards are referenced in the bibliography.
Content of the standard
At 66 pages, ISO/IEC 27005 is a substantial standard, although around two-thirds of it consists of annexes with examples and additional information.
The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
- Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
- Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
- Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
- Keep stakeholders informed throughout the process; and
- Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
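The assess-treat-monitor cycle above can be made concrete with a small risk register. The following is an added example, not code from the standard or from this site: ISO/IEC 27005 prescribes no method, so the 5x5 likelihood-by-consequence scales, the numeric risk appetite threshold, the four treatment options and the way residual risk is modelled after each option are all assumptions chosen for illustration, and the register entries are constructed sample data.

```python
"""Illustrative risk register for the ISO/IEC 27005-style cycle:
identify -> analyse -> evaluate -> treat -> monitor/review.

Assumptions (the standard prescribes none of these):
  - a 5x5 qualitative likelihood x consequence matrix giving a 'level of risk'
  - a numeric risk appetite: risks scoring above it must be treated
  - four treatment options (modify / retain / avoid / share) and a simple
    model of the residual likelihood and consequence after each one
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed qualitative scales (assumption, not from the standard).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"modify", "retain", "avoid", "share"}


@dataclass
class Risk:
    """One identified risk: asset, threat, vulnerability, existing controls, and the analysed ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    existing_controls: List[str] = field(default_factory=list)
    treatment: Optional[str] = None
    residual: Optional[Tuple[str, str]] = None  # (likelihood, consequence) after treatment

    def level(self, residual: bool = False) -> int:
        """Analyse: level of risk = likelihood x consequence (inherent, or residual once treated)."""
        lik, con = (self.residual if residual and self.residual
                    else (self.likelihood, self.consequence))
        return LIKELIHOOD[lik] * CONSEQUENCE[con]


def evaluate(register: List[Risk], appetite: int) -> List[Risk]:
    """Evaluate: compare each level of risk against the risk appetite criterion."""
    return [r for r in register if r.level() > appetite]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Rank highest level first; ties broken so the higher-consequence risk comes first."""
    return sorted(register, key=lambda r: (r.level(), CONSEQUENCE[r.consequence]), reverse=True)


def treat(risk: Risk, option: str,
          residual_likelihood: Optional[str] = None,
          residual_consequence: Optional[str] = None) -> int:
    """Treat: record the chosen option and return the residual level of risk.

    'modify' (apply controls) and 'share' (e.g. insurance, outsourcing) take the
    residual ratings the risk owner estimates; 'retain' leaves them unchanged;
    'avoid' assumes the activity giving rise to the risk is stopped altogether.
    """
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    risk.treatment = option
    if option == "avoid":
        risk.residual = ("rare", "negligible")
    elif option == "retain":
        risk.residual = (risk.likelihood, risk.consequence)
    else:
        risk.residual = (residual_likelihood or risk.likelihood,
                         residual_consequence or risk.consequence)
    return risk.level(residual=True)


def review(register: List[Risk], appetite: int) -> List[Risk]:
    """Monitor/review: risks still without a decision, or whose residual level still exceeds appetite."""
    return [r for r in register
            if r.treatment is None or r.level(residual=True) > appetite]


def sample_register() -> List[Risk]:
    """Constructed sample data for the example (not real assessment results)."""
    return [
        Risk("customer database", "ransomware", "unpatched servers",
             "likely", "severe", ["offline backups"]),
        Risk("HR records", "accidental disclosure", "no outbound mail filtering",
             "possible", "major"),
        Risk("office Wi-Fi", "eavesdropping", "weak encryption",
             "unlikely", "moderate", ["network segmentation"]),
        Risk("legacy billing app", "exploitation of unsupported software", "vendor end-of-life",
             "likely", "moderate"),
    ]


if __name__ == "__main__":
    appetite = 8
    register = sample_register()
    for r in prioritize(register):
        flag = "TREAT" if r in evaluate(register, appetite) else "within appetite"
        print(f"{r.level():>2}  {r.asset:<20} {r.threat:<40} {flag}")
    # Risk owners decide treatments; residual levels are re-checked at review.
    treat(register[0], "modify", residual_likelihood="unlikely", residual_consequence="major")
    treat(register[1], "share", residual_consequence="minor")
    treat(register[2], "retain")
    treat(register[3], "avoid")
    print("still open after review:", [r.asset for r in review(register, appetite)])
```

The `level()` scores are only an ordering device for prioritising treatment; the evaluation criterion (`appetite`) and the residual ratings entered after treatment are the decisions the standard expects the organization, not the tool, to make.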
Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.
Status of the standard
The first (2008) and second (2011) editions are ancient history.
The third edition of ISO/IEC 27005 was published in 2018 - supposedly a temporary stop-gap measure with very limited changes e.g. citing the 2013 edition of ISO/IEC 27001.
A project to revise/rewrite the third edition floundered and was cancelled ... then re-started. Development of the fourth edition of ‘27005 is in progress. Hopefully, the fourth edition of ISO/IEC 27005 will be published at about the same time as the next release of ISO/IEC 27001, supporting the updated ISMS specification ... but that’s not certain. The fourth edition is at 2nd Committee Draft stage, with a new title: “Information security, cybersecurity and privacy protection - Guidance on managing information security risks” and a new scope:
“This document provides guidance to assist organizations to:
a) fulfil the requirements of ISO/IEC 27001 concerning actions to address risks, specifically to perform information security risk assessment and treatment, and
b) perform information security risk management activities.”
The revision is coming along nicely. The problematic background clause is to be rewritten. The fourth edition is due to be published at the end of 2022.
Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.
The draft fourth edition is likely to have the following main clauses:
- Risks relating to the outcome(s) of the ISMS - I’m not sure, yet, what this clause will say.
- Information security risk management - describes the classic ISO27k approach to identifying, evaluating, treating and monitoring/managing information [security] risks.
- Context establishment - deals with (furthers!) the muddle around whether this standard, and clause 6 of ISO/IEC 27001, is meant to cover information [security] risks, risks to the ISMS, or both. This lengthy clause also explains about setting objectives and criteria for managing information [security] risks. I’m not sure what this has to do with ‘context’ as in the business or organizational context for managing information risks, which is what ‘27001 means by context.
- Information security risk assessment process - another lengthy clause lays out the process of systematically identifying, analyzing, evaluating and prioritizing information [security] risks.
- Information security risk treatment process - describes risk treatment largely in terms of using information security controls to mitigate information [security] risks, with brief and biased outlines of the other treatment options. The standard tackles the thorny issue of how to use ISO/IEC 27001 Annex A describing its use as an incomplete set of possible controls to be checked for relevance to each of the information [security] risks that are to be mitigated.
- Operation - a short clause mentions that information [security] risks and treatments should be reviewed regularly or when changes occur.
- Leveraging related ISMS processes - despite the title, this clause is basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003. I don’t know why it is to be included in ISO/IEC 27005.
SC 27 has missed the opportunity to reframe this standard to cover information risk management, defining ‘information risk’ as “risk pertaining to information” in place of the undefined and unhelpful phrase ‘information security risk’. Given that the entire ISO27k approach is supposedly risk-aligned, identifying, evaluating and treating information risks is fundamental. There are lots of areas where it could offer useful advice e.g.:
- Explain what ‘information risk’ is, for starters - defining it formally (properly), clearly, helpfully and without the torture and ambiguity of the current gibberish, and then explaining it in more accessible and understandable terms;
- Outline the organizational/business context for information risk management - how it relates to the management of other kinds of risk, and how risk management supports management and governance of the organization;
- Outline the core risk management process roughly along these lines:
- Elaborate on each of those activities in more depth, offering pragmatic advice on suitable methods and approaches (e.g. the four ways to treat risk; how to measure, evaluate and compare risks; how to spot and react to changes, and how to predict changes using trends, statistical techniques and situational awareness);
- Describe the process management and governance aspects e.g. scoping and setting objectives, planning and resourcing, forming a competent team, documenting the work, reviewing and authorizing things, and handling issues;
- Explain the links to related concepts, citing relevant standards e.g.:
  - Sound reasons for consciously and deliberately taking risks - the upside or opportunities arising;
  - Accountability and responsibility, plus the concept of information [risk] ownership;
  - IT or cyber-risks - specifically relating to networks, IT systems, data, applications, coding and technology;
  - Non-IT/cyber information risks e.g. those relating to people, intellectual property, tangible assets, compliance and more;
  - Mitigating information risks using information security controls, where appropriate (noting that security controls are not necessarily necessary, despite what infosec pros commonly think);
  - Business continuity management and cyberinsurance;
  - Cloud, supplier/partner/customer relationship management and the community, social and societal aspects of information risk.
- An appendix, perhaps, with advice on different methods, systems and approaches to information risk management, risk assessment, risk analysis, risk treatment etc. including those from other fields e.g. commercial risks, health and safety risks, environmental risks, technology risks, innovation risks, strategic risks, relationship risks, project risks, financial risks ...
Meanwhile, it has been suggested (by British Standards) that ISO/IEC 27005 should be largely replaced by BS7799-3:2017 ... which has the merit of expediency, and would bring ISO27k neatly back to its roots.