ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management (second edition)
The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information as a prelude to treating them in various ways. Dealing with the highest risks first makes sense from the practical implementation and management perspectives.
Scope of the standard
Abstract from the 2008 1st edition: “ISO/IEC 27005 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.”
ISO/IEC 27005 revised and superseded the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 plus ISO/IEC TR 13335-4:2000.
Content of the standard
At around 60 pages, ISO/IEC 27005 is a heavyweight standard, although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.
Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize. Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation. It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts: merely having certain vulnerabilities does not necessarily mean your organization faces unacceptable risks if the corresponding threats or business impacts are negligible in your particular situation.
The standard includes a section and annex on defining the scope and boundaries of information security risk management which should, I guess, be no less than the scope of the ISMS.
The standard doesn't specify, recommend or even name any specific method (such as those listed in the ISO27k FAQ), although it does specify a structured, systematic and rigorous method of analyzing risks through to creating the risk treatment plan.
The standard deliberately remains agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural - 'methods' - the implication being that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention, although the use of numeric scales for the qualitative examples is somewhat confusing.
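To make the two points above concrete (a vulnerability alone is not a risk until threat likelihood and business consequence are considered, and a high-level pass can select the areas that merit in-depth analysis), here is an added illustration that is not part of the standard or of this page. The qualitative scales, the additive combination matrix and the register entries are all constructed assumptions; ISO/IEC 27005 leaves the choice of scales and method to the user.

```python
from dataclasses import dataclass

# Constructed qualitative scales (assumption: ISO/IEC 27005 does not prescribe these).
LIKELIHOOD = {"negligible": 0, "low": 1, "medium": 2, "high": 3}
CONSEQUENCE = {"negligible": 0, "minor": 1, "moderate": 2, "major": 3}
# Index = likelihood + consequence (0..6); the banding is a constructed choice.
RISK_LABELS = ["low", "low", "medium", "medium", "high", "high", "high"]
ORDER = ["low", "medium", "high"]


@dataclass(frozen=True)
class Scenario:
    asset: str          # information asset at risk
    threat: str         # threat or threat source
    vulnerability: str  # weakness the threat could exploit
    likelihood: str     # estimated likelihood that the threat exploits the vulnerability
    consequence: str    # estimated business impact if it does


def risk_score(s: Scenario) -> int:
    """Risk as a combination of likelihood and consequence (additive matrix, assumed)."""
    return LIKELIHOOD[s.likelihood] + CONSEQUENCE[s.consequence]


def risk_label(s: Scenario) -> str:
    return RISK_LABELS[risk_score(s)]


def high_level_screen(scenarios, threshold="medium"):
    """First-pass assessment: keep scenarios at or above the threshold so that
    in-depth analysis effort is spent on the higher-risk areas."""
    return [s for s in scenarios if ORDER.index(risk_label(s)) >= ORDER.index(threshold)]


# Constructed register: the same scanner finding on two assets, assessed differently
# once the threat likelihood and the business consequence are taken into account.
REGISTER = [
    Scenario("customer database", "external attacker",
             "unpatched SQL injection in web front end", "high", "major"),
    Scenario("isolated lab server (test data only)", "external attacker",
             "unpatched SQL injection in web front end", "negligible", "negligible"),
    Scenario("HR laptops", "loss or theft", "disk not encrypted", "medium", "minor"),
]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{risk_label(s):6} ({risk_score(s)})  {s.asset}: {s.threat} via {s.vulnerability}")
    print("selected for in-depth analysis:", [s.asset for s in high_level_screen(REGISTER)])
```

The lab server carries the same technical vulnerability as the customer database but lands in the lowest band, which is the point the standard makes about scanner output on its own.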
The steps in the process are (mostly) defined to the level of inputs -> actions -> outputs, with additional “implementation guidance” in similar style to ISO/IEC 27002.
The standard incorporates some iterative elements, e.g. if the results of an assessment are unsatisfactory, you loop back to the inputs and have another run through. For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -> risk treatment -> residual risk part.
Status of the standard
ISO/IEC JTC1/SC 27 fast-tracked a revision of this standard to reflect changes in:
ISO 31000:2009 - risk management - principles and guidelines.
ISO 31010:2009 - risk management - risk assessment techniques.
ISO Guide 73:2009 - risk management vocabulary.
In particular, closer alignment with ISO 31000 should help organizations that wish to manage their information security risks in similar fashion to the way they manage other risks.
The second edition of ISO/IEC 27005 was published in 2011.
A project to revise the standard earlier than normal is under way, in order to re-align ISO/IEC 27003, 27004 and 27005 with the 2013 versions of ISO/IEC 27001 and 27002, and the current release of ISO 31000 concerning corporate risk management in general.
Nearly 100 pages of comments have been received on the working draft (WD). Several are concerned with improving the alignment with ISO 31000 and Guide 73, for instance “impact” may be dropped in favour of “consequence” - maybe not!
Read more about selecting suitable information security risk analysis methods and tools in the ISO27k FAQ.
A graphic remarkably similar to the one I described as an “Analog Risk Assessment” (ARA) metric has been proposed for the standard, along with a general move to describe and compare risks in terms of the combination of probability of their occurrence and the business consequences if they were to occur. I am still developing useful new applications for the ARA approach, and plan to write a paper on it as soon as I have the time.