
ISO/IEC 27005

ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks 

(fourth edition)

Abstract

ISO/IEC 27005 "provides guidance to assist organizations to: fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; [and] perform information security risk management activities, specifically information security risk assessment and treatment ..."


[Source: ISO/IEC 27005:2022]

Introduction

The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (called “information security risks” in the ISO27k standards, despite that term being undefined) as a prelude to dealing with (“treating”) them in various ways.


Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise addressing the most significant risks represents a governance failure, arguably negligence or mismanagement.

Scope

The standard guides organisations interpreting and fulfilling ISO/IEC 27001’s requirements to address (identify, evaluate and treat) their information [security] risks. 


The approach is generic, flexible and not specific to an ISO/IEC 27001 Information Security Management System. It could be used, for instance, in conjunction with NIST's Cyber Security Framework or SP800-53, GDPR, NIS2 or SOC2, or (with minor adaptations) to guide the proactive management of business risks, safety risks, supply chain risks etc.

Structure

Main clauses:

  • 5: Information security risk management - introduces the concept of strategic (long term) and operational (short term) cycles, plus ad hoc responses to changes

  • 6: Context establishment - determining stakeholders (e.g. risk owners), their objectives or requirements (e.g. risk appetite) and risk management methods

  • 7: Information security risk assessment process - a lengthy clause laying out the process of systematically identifying, analysing, evaluating and prioritising risks.

  • 8: Information security risk treatment process - decide what to do, document it and do it. 

  • 9: Operation, assessing and treating risks - a short clause noting that information [security] risks and treatments should be reviewed regularly or when changes occur.

  • 10: Leveraging related ISMS processes - basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003.

  • Annex A: Examples of techniques in support of the risk assessment process - risk matrices/heat-maps and risk modelling.

Status

The first (2008), second (2011) and third (2018) editions are ancient history.


The current fourth edition was published in 2022.


ISO/IEC JTC 1/SC 27/WG 1 is preparing to revise ISO/IEC 27005:2022 by considering various approaches or options, such as whether a multi-part standard might be worthwhile.  Its deliberations will presumably flow into a scope for the revision project in due course.

Commentary

Given that ISO27k is risk-based, identifying, evaluating and treating information risks is obviously fundamental to the approach. Each organisation is expected to consider the relevance and significance of its unique set of risks, tailoring its response to suit its business situation or context.


With the fourth edition, ISO/IEC 27005 tackles the thorny issue of how to use ISO/IEC 27001 Annex A. The annex is described as an incomplete set of possible controls to be checked for relevance to mitigate the organisation’s identified information [security] risks - in other words, a controls-based approach to information risk management, supplementing the risk-, scenario-, event- and asset-based approaches mentioned elsewhere. There are advantages in exploring information risks from different perspectives.


The standard primarily concerns using information security controls to ‘modify’ (mitigate or maintain) information [security] risks.  Other equally valid risk treatment options (risk avoidance, sharing and acceptance) are barely even mentioned, heavily biasing the entire approach.


ISO’s Technical Committee for Risk Management looks likely to review/clarify the definition of ‘risk’ in ISO 31000 (“effect of uncertainty on objectives”) and may also offer guidance on ‘opportunities’. It is possible the two terms will be distinguished, rather than being portrayed as flip sides as at present. I hope that will eventually make things easier for ISO27k and the other management systems standards, but it may stir the already muddy waters.

This page last updated:

11 February 2026

© 2026 IsecT Limited 
