ISO27k-aligned security awareness service
ISO/IEC 27005
Creative security awareness materials

Creative security awareness materials for your ISMS

Copyright © 2016 IsecT Ltd.

ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management  (second edition)

Introduction

The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information (called “information security risks” in the standards, but in reality they are simply information risks) as a prelude to treating them in various ways. Dealing with the highest risks first makes sense from the practical implementation and management perspectives.

Scope of the standard

The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’

It cites ISO/IEC 27000 and the 2005 version of ISO/IEC 27001 as normative (essential) standards, and also mentions ISO/IEC 27002 in the scope section.

The next version may be broader in scope than merely addressing the risk management requirements identified in ISO/IEC 27001 ... but changing scope was not a stated objective of the revision project.

Content of the standard

At around 70 pages, ISO/IEC 27005 is a heavyweight standard although the main part is just 26 pages, the rest being mostly annexes with examples and further information for users.

The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:

  • Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
  • Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
  • Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
  • Keep stakeholders informed throughout the process; and
  • Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.

Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.

Status of the standard

The second edition of ISO/IEC 27005 was published in 2011. It reflects the general corporate or enterprise-wide risk management standard ISO 31000:2009 “Risk management - Principles and guidelines” in the specific context of risks to or involving information.

A project to revise the standard is in progress, re-aligning ISO/IEC 27003, 27004 and 27005 with the 2013 versions of ISO/IEC 27001 and 27002, plus the latest version of ISO 31000.  If the revision project succeeds (which is not certain), the next version of 27005 will be substantially different. WD5 is nearly 100 pages long (half main body, half annexes) making this a meaty standard offering stacks of advice e.g. noting that information risks can be analyzed by asset-threat-vulnerability, scenario-based/event-driven, quantitative and/or qualitative approaches.  The 3rd edition is now at CD stage, although several national bodies do not consider it stable enough or ready for CD as yet and some raised concerns that the project has lost sight of its original goal (it was only supposed to be updating the standard for ISO/IEC 27001:2013).  It is possible that the revision project may be cancelled and re-started ...

It has been proposed to cancel the 27005 revision project, having irretrievably lost its way.  It has run out of time to submit the CD version by the end of this year, and needs to be re-started with an agreed scope (e.g. just risk assessment and risk treatment) and purpose to the project.

Meanwhile, a defect report has been submitted to SC27 recommending that ISO/IEC 27005:2011 be withdrawn pending its revision which will take time, given technical issues/errors relating to the significant changes introduce in ISO/IEC 27001:2013. It is not simply a matter of updating a few cross-references: parts of it need to be rewritten.

November The project to revise 27005 may develop a new standard “Guidance on managing  information security risks and opportunities” - a new title directly referring to the relevant section of ISO/IEC 27001:2013.  The project proposal is ambiguous re its relationship to ISO 31000 though.

December update An extensive technical corrigendum has been drafted in an attempt to avoid withdrawing the 2011 standard pending its revision.

Further reading

Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.

Personal comments

A color-coded two-dimensional graphic remarkably similar to the one I described as an “Analog Risk Assessment” (ARA) metric was at one point proposed for inclusion in the standard, then reverted to a typical risk matrix with a mathematical calculation based on adding ordinal numbers assigned to levels of likelihood and consequence.  However, simple arithmetic is invalid for ordinals, making this approach technically invalid (although commonplace).  Furthermore, cells in the body of the risk matrix are colored red for unacceptable or uncolored for acceptable, totally ignoring wide variations in each category. In fact I find the very concept of categorizing likelihoods, consequences, risks and acceptability unnecessary and unhelpful, compared to simply ranking them relative to each other on continuous scales.  Risks don’t fit into neat little boxes, and often extend over substantial ranges since both probabilities and impacts can only be estimated, and a given ‘risk’ may in fact consist of a family of related incidents.