ISO/IEC 27005



ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (fourth edition)



“This document provides guidance to assist organizations to: fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; [and] perform information security risk management activities, specifically information security risk assessment and treatment ...”
[Source: ISO/IEC 27005:2022]


The ISO27k standards are overtly risk-aligned, meaning that organisations are supposed to identify and assess risks to their information (called “information security risks” in the ISO27k standards) as a prelude to dealing with (“treating”) them in various ways.

Dealing with the most significant information risks as priorities makes sense from the practical implementation and management perspectives. Turning that on its head, failing to prioritise addressing the most significant risks represents a governance failure, arguably negligence or mismanagement.


Scope of the standard

The standard guides organisations in interpreting and fulfilling ISO/IEC 27001:2022’s requirements to address (assess and treat) their information [security] risks. It can also be used independently of ISO/IEC 27001: it is a valuable approach to managing information risks regardless of the framework.


Content of the standard

This is a substantial, weighty standard offering ~70 pages of copious, detailed advice on:

  1. Information security risk management - describes the iterative (ongoing, ‘whack-a-mole’) process of identifying, assessing and treating information [security] risks, comprising both strategic/long-term and operational/medium-short-term cycles.
  2. Context establishment - despite the heading, clause 6 largely concerns methods for determining risk criteria.  The organisation’s business context for information risk and security management is covered in clause 10.
  3. Information security risk assessment process - another lengthy clause lays out the process of systematically identifying, analysing, evaluating and prioritising information [security] risks.
  4. Information security risk treatment process - described largely in terms of using information security controls to ‘modify’ (mitigate or maintain) information [security] risks, barely mentioning the other risk treatment options (avoidance, sharing and acceptance).
  5. Operation - a short clause mentions that information [security] risks and treatments should be reviewed regularly or when changes occur.
  6. Leveraging related ISMS processes - this is basically a re-hash and amplification of ISO/IEC 27001, offering implementation advice in a similar style to ISO/IEC 27003.
  7. Annex - additional information on risk criteria and practical advice such as examples of threats and vulnerabilities.


Status of the standard

The first (2008) and second (2011) editions are ancient history.

The third edition (2018) was supposedly a temporary stop-gap measure with very limited changes ... that proved tricky to update until ...

The fourth edition, published in 2022, has a new title and scope, and thoroughly revised content to:

  • Align the standard with and support ISO/IEC 27001:2022 (particularly in clause 10) and ISO 31000:2018 (e.g. adopting common terminology);
  • Introduce scenario-based risk assessment;
  • Contrast event-based and asset-based approaches to risk identification;
  • Consolidate the third edition’s annexes into one.


Further reading

Read more about selecting suitable information risk analysis methods and management tools in the ISO27k FAQ.

ISO 31000 Risk management - Guidelines (free!) is a popular and well-respected standard, describing a systematic risk management approach suitable for many types of risk. You may also appreciate ISO/TR 31004 Risk management - Guidance for the implementation of ISO 31000 and ISO/IEC 31010 Risk management - Risk assessment techniques.


Personal comments

Given that the entire ISO27k approach is risk-aligned, identifying, evaluating and treating information risks is fundamental.

The standard tackles the thorny issue of how to use ISO/IEC 27001 Annex A, describing it as an incomplete set of possible controls to be checked for relevance in mitigating the organisation’s identified information [security] risks. In other words, this is a controls-based approach to information risk management, supplementing the scenario-, event- and asset-based approaches mentioned elsewhere. Adopting all four approaches may be costly but there are advantages in exploring information risks from various perspectives.



Copyright © 2024 IsecT Ltd