ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management (second edition)
The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information as a prelude to treating them in various ways. Dealing with the highest risks first makes sense from the practical implementation and management perspectives.
Scope of the standard
The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’
It cites ISO/IEC 27000 and the 2005 version of ISO/IEC 27001 as normative (essential) standards, and also mentions ISO/IEC 27002 in the scope section.
Content of the standard
At around 70 pages, ISO/IEC 27005 is a heavyweight standard although the main part is just 26 pages, the rest being mostly annexes with examples and further information for users.
The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
Keep stakeholders informed throughout the process; and
Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.
Status of the standard
The second edition of ISO/IEC 27005 was published in 2011. It reflects the general corporate or enterprise-wide risk management standard ISO 31000:2009 “Risk management - Principles and guidelines” in the specific context of risks to or involving information.
A project to revise the standard is in progress, re-aligning ISO/IEC 27003, 27004 and 27005 with the 2013 versions of ISO/IEC 27001 and 27002.
Extensive comments and suggestions have been received on the revision, including discussion of various approaches to risk assessment/analysis. Provided the editors are able to keep the project on track, the next version should be substantially different to the current one and hopefully more pragmatic.
The revised standard is at WD4 stage. WD4 is about 80 pages long with several editor requests for additional input, so this promises to be a substantial standard when released, which seems appropriate given that information risk (or rather ‘information security risk’ as currently expressed) is central to the ISO27k approach. However, the revision is not going terribly well with some concerns being raised about unanticipated changes of approach and style. Well over 100 pages of comments have been received.
A study period looking into cloud computing security risks looks likely to recommend an annex to 27005 rather than a new standard - however, that may not be achieved during the current revision of 27005 given the extent of changes being made already.
Read more about selecting suitable information security risk analysis methods and tools in the ISO27k FAQ.
A color-coded two-dimensional graphic remarkably similar to the one I described as an “Analog Risk Assessment” (ARA) metric was proposed for the standard but has since been dropped. There remains a general move to describe and compare risks in terms of the combination of the likelihood or probability of their occurrence, and the impacts or consequences if they were to occur, in addition (perhaps) to the assessment of asset values, threats and vulnerabilities.