ISO/IEC 27005 is a guide to risk management, based on the requirements of the ISO/IEC 27001 standard. The standard provides inspiration for assessing and managing risks related to the organization's information, based on an assessment of the likelihood of occurrence of an incident, together with the impact of the incident on the organization.
ISO/IEC 27005 provides guidance on how to carry out a risk assessment, thus gaining an overview of the organization's threats and vulnerabilities and how risks can be addressed based on the organization's risk acceptance. It provides a range of tools for prioritizing risk, thus contributing to ensuring the optimum level of controls within an organization in relation to the value of the information to be protected.
ISO/IEC 27005 is structured along the lines of the generic risk guidance standard, ISO 31000, in which the risk management process is broken down into a number of different stages; establishing context, identifying risks, risk analysis, risk evaluation and risk treatment. Hence, the standard proposes a process to help the organization establish a more systematic approach to risk management.
As ISO/IEC 27005 suggests, it is important that the risk management process is adaptive and flexible as the risk landscape changes as the organization and the outside world change. Risk management is not a task, but an ongoing process that is to be maintained continually.
The standard caters for all types and sizes of organizations, private as well as public, that request a systematic approach to addressing information security risks. The risk management process can be applied at both a strategic and an operational level. It is relevant to everyone who wants to address risk management, whether they merely seek inspiration for their risk management work or they want to build a complete system for the processes. ISO/IEC 27005 has been updated in 2022 and in this connection, focus has been on making the standard as user friendly as possible.
The new edition of ISO/IEC 27005 is expected to be published in late 2022 or the beginning of 2023. The new edition has been even more closely coupled with the ISO/IEC 27001 management standard in that it provides concrete guidance on and examples on how to meet the risk management requirements set out in 27001. Another new feature of the new edition of 27005 is that a well-known asset-based approach to risk management is supplemented by an incident-based approach. Danish Standards has prepared a white paper reviewing the changes in the new edition of the standard.
Yes, the new edition of ISO/IEC 27005 will be translated into Danish. The standard has not been translated into Danish before, but there has been great interest in getting it in Danish. The Danish version is expected to be published in 2023. The process starts as soon as the international version is published.
ISO/IEC 27005 can be used as a source of inspiration for working systematically with risk management for an organization. It can be used with advantage in conjunction with ISO/IEC 27002, which provides guidance to organizations on selecting controls for the implementation of an information security management system (ISMS). ISO/IEC 27002 was updated in 2022 and also a new version of ISO/IEC 27001 is underway in 2022.
New guide for risk management related to cyber and information security is on the way
Danish Standards and the Alexandra Institute are preparing an application guide to help Danish SMEs to focus on and get started with risk management. The guide is based on ISO/IEC 27005, but also takes inspiration from other tools and frameworks based on risk. The guide is expected to become available in early 2023, and will be available from Danish Standards' website.
Owing to increased digitalization, the risk of cyber-attacks and other types of IT crime increases accordingly. Therefore, ISO 27001 on information security is a standard that every company or organization should consider.
ISO/IEC 27002 provides guidance on selecting controls for implementing an information security management system.
In the SoA document, the organization selects from a list of possible measures which measures it wants and does not want to implement to address the identified risks.
The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.
