What is the purpose of ISO 27005?
Jessica Doering

June 12, 2024


What is Information Security Risk Management (ISO 27005) under ISO 27001?

ISO 27005... okay, another one!

First, let us introduce it to you! Its name is "Information technology - Security techniques - Information security risk management". As such, this standard helps organizations manage the risks associated with information security. Sounds familiar at first. 

But wait. Why do I need yet another standard for this when I'm really aiming for ISO 27001, the big player? A fair question! Let's take a look at this "Huh?"! 

What is ISO 27005 and who needs this standard?

ISO 27005 is a global standard that specifies how to perform an information security risk assessment in accordance with ISO 27001. The lovely relationship with ISO 27001! Okay, we are on the right track...

The official wording of ISO 27005: "This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document."

The International Organization for Standardization also recommends the use of ISO 27005. "Recommends" ... Yes. But at the word "recommendation," every other person thinks: yes, that's good, but a recommendation is not an obligation. 

But actually, this standard is aimed at all structures affected by cyber risks and the constant growth of data in their services. Okay, that still sounds like a "recommendation." Cyber risk has become such a common word, after all. It is what it is. But don't be biased! 

This standard describes the methods required to formally identify, assess, and remediate information security vulnerabilities.

It is intended to ensure that organizations design, implement, administer, monitor, and manage their information security controls and other precautions in an appropriate and risk-based manner. In other words, it is designed to help your organization build an ISMS (Information Security Management System).

Like all standards in the ISO series, ISO 27005 does not provide a clear path to compliance. It suggests recommended practices that are compatible with any standard information security management system.

ISO 27005 does, however, specify HOW to conduct an information security risk assessment in accordance with ISO 27001. Specifically, ISO 27005 aims to support the satisfactory implementation of information security based on a risk management approach. Risk assessments are an essential part of the ISO 27001 compliance program; this is not new. Even less new, but never mentioned often enough, is the fact that ISO 27001 essentially lets you demonstrate a risk assessment of your information security management, your mitigation strategies, and your use of the required Annex A controls. In practice, this information security standard is used to ensure the confidentiality of data and the availability and integrity of an organization's key information assets, and it ensures that the ISMS resulting from implementing the standard addresses threats comprehensively and appropriately.

Like ISO 27002, ISO 27005 can be considered a little sister or little brother, covering the risk management part of the standard. The mission of ISO 27005, then, is to define risk management best practices that are primarily tailored to information security risk management, with a focus on meeting the requirements ISO 27001 places on an ISMS.

But how exactly does a risk assessment work?

Let's take a closer look at the steps of the risk assessment process (ISO 27005):

Information Security Risk Assessment

Risk assessment methodology

As mentioned earlier, there is no rock-solid procedure, but you should adapt your approach to the needs of your organization.

To this end, you need to review a number of things. First, you should look at the context of your organization. This consists of your legal, regulatory and contractual obligations. You also need to consider your goals related to information security and the business in general, as well as stakeholder needs and expectations. Then you move on to the risk criteria. This is an agreed-upon method for measuring risks, usually based on the impact they cause and the likelihood of their occurrence.

These criteria must be clearly defined and universally understood. Logically, this serves to make two risk assessments comparable.

Finally, you need to define your risk acceptance criteria. Not every risk is avoidable or foreseeable..., but you can define what residual risk you "want" to expose yourself to. For example, a broken little toe may be tolerable, but the femur makes next year's marathon a distant memory!

So at what level does a risk need to be treated? Impact criteria define the minimum level of consequences above which a risk must be considered, and risk acceptance criteria define the threshold below which a risk can be tolerated.

Risk Assessment 

First, the elements at risk are determined. This includes the organization as a whole, but also information systems, services, and data groups. Then you need to identify the threats and vulnerabilities related to these elements. Vulnerability management, hello again... ISO 27002 and ISO 27005 happen to have the same genes..., but ultimately there are some differences... like siblings.

ISO 27005 requires you to match these threats and their occurrences with the security requirements of your structure. This entire process should help you set priorities according to the evaluation criteria established in step one.

ISO 27005 helps identify cybersecurity vulnerabilities, but does not provide a scale for risk assessment! The responsible party (or parties) must develop their own assessment system. This system can be based on qualitative or quantitative assessment methods, the latter based on measurable costs. In practice, qualitative analyses tend to be used due to the lack of ISO standard specifications.

The standard does not dictate how you should assess risk - high to low, 1 to 10, 1 to 100, or otherwise. It doesn't matter as long as everyone responsible for risk assessment uses the same approach.

Risk Treatment 

Using the list of information assets, the risks associated with them must now be determined, taking into account the previously determined results. 

For example: laptops are stolen, employees are working remotely from a cozy café in Montana, using the free wi-fi of the café operator, who is better known for his white mocha with oat milk than for his penchant for information security! At the same time, a few patrons stand in line, looking bored at the monitor of the tired (time difference) remote worker juggling highly sensitive data. Everything screams "I don't care what could happen!". But chance makes up for it. Stupidly, there's a tourist hacker in the queue right now, and since hackers are always looking for a challenge... yeah, boom. Coincidences do happen!

At this point, IT security objectives need to be established. Once those objectives are established, you can design specifications that will help develop measures to address the risks. Some risks are simply more serious than others, so you need to clearly define which risks you should pay the most attention to. 

In ISO 27005, designing these measures means comparing a risk to the cost of addressing it. This type of risk assessment gives you a consistent and comparable assessment of the threats your organization faces.

There are four ways for organizations to manage risk:

- Modify the risk by implementing security controls to reduce the likelihood of its occurrence and/or the damage it causes.

- Retain the risk by accepting that it falls within the previously established risk acceptance criteria, or by making a justified exception decision.

- Avoid the risk by changing the circumstances that cause it.

- Share the risk with a partner, such as an insurer or a third party that is better able to manage it.

According to ISO 27001, all risks must have an owner who is responsible for approving risk treatment plans and taking on the residual risk. The risk treatment owner may be a different person than the asset owner.
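The steps above (agreed risk criteria, a risk acceptance threshold, a named owner per risk, and one of the four treatment options) can be written down as a small risk register. The following is an added illustration, not code from the article or from Secfix: the 1-5 impact and likelihood scales, the product score, the acceptance threshold of 6 and the four sample risks are all assumptions constructed for the example, since ISO 27005 itself prescribes no scale.

```python
"""Toy ISO 27005-style risk register (illustration only).

Assumptions made here, not taken from the standard: two 1-5 ordinal
scales, a product score, and a retention threshold of 6. The sample
risks are constructed, not real assessment data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """The four treatment options."""
    MODIFY = "apply controls to reduce likelihood and/or impact"
    RETAIN = "accept within criteria, or as a justified exception"
    AVOID = "change the circumstances that cause the risk"
    SHARE = "transfer part of the risk to an insurer or third party"


# Agreed risk criteria (assumed scales). Both assessors and auditors must
# use exactly these, otherwise two assessments are not comparable.
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
ACCEPTANCE_THRESHOLD = 6  # assumed: a score of 6 or below may be retained


def score(impact: int, likelihood: int) -> int:
    """Combine impact and likelihood using the agreed criteria.

    Out-of-scale values are rejected so that a stray '7' from one
    assessor cannot silently enter the register."""
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"impact {impact} / likelihood {likelihood} outside the agreed 1-5 scales")
    return impact * likelihood


def is_acceptable(risk_score: int) -> bool:
    return risk_score <= ACCEPTANCE_THRESHOLD


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    owner: str                 # ISO 27001: every risk has an owner
    treatment: Treatment
    residual_impact: Optional[int] = None      # after treatment, if changed
    residual_likelihood: Optional[int] = None  # after treatment, if changed
    justification: str = ""    # required when retaining above the threshold

    def inherent_score(self) -> int:
        return score(self.impact, self.likelihood)

    def residual_score(self) -> int:
        imp = self.impact if self.residual_impact is None else self.residual_impact
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return score(imp, lik)


def evaluate(risk: Risk) -> dict:
    """One register row: scores, acceptability, and whether the plan needs
    a justified management exception (residual risk above the threshold)."""
    residual = risk.residual_score()
    needs_exception = not is_acceptable(residual)
    if needs_exception and not risk.justification:
        raise ValueError(f"{risk.asset}: residual score {residual} above threshold without justification")
    return {
        "asset": risk.asset,
        "owner": risk.owner,
        "inherent": risk.inherent_score(),
        "residual": residual,
        "acceptable": not needs_exception,
        "treatment": risk.treatment.name,
        "needs_exception": needs_exception,
    }


def prioritise(register: list) -> list:
    """Assets ordered by inherent score, highest first."""
    return [r.asset for r in sorted(register, key=lambda r: r.inherent_score(), reverse=True)]


# Constructed sample register (not real data); the first row is the café scenario.
SAMPLE_REGISTER = [
    Risk("Remote worker laptop", "theft / shoulder surfing in public places",
         "sensitive data viewed on public wi-fi, no disk encryption or privacy screen",
         impact=4, likelihood=3, owner="Head of IT", treatment=Treatment.MODIFY,
         residual_impact=2, residual_likelihood=2),
    Risk("Customer database", "ransomware", "backups never restore-tested",
         impact=5, likelihood=2, owner="CTO", treatment=Treatment.SHARE,
         residual_impact=3, residual_likelihood=2),
    Risk("Office coffee machine (IoT)", "botnet recruitment", "default password",
         impact=1, likelihood=4, owner="Facilities", treatment=Treatment.RETAIN),
    Risk("Legacy reporting server", "exploitation of unpatched software", "vendor support ended",
         impact=4, likelihood=4, owner="Head of Finance", treatment=Treatment.RETAIN,
         justification="decommissioning approved for next quarter; accepted by top management"),
]


def build_report(register: list = SAMPLE_REGISTER) -> list:
    return [evaluate(r) for r in register]


if __name__ == "__main__":
    for row in build_report():
        print(row)
    print("priority order:", prioritise(SAMPLE_REGISTER))
```

The last row is the "acceptance phase" case from the article: retaining a risk whose residual score stays above the threshold is allowed, but only with a recorded justification, and `evaluate()` refuses the row without one.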

Risk Acceptance

The risk treatment strategy and residual risks must go through an "acceptance phase," which means that the entire treatment plan must be approved by the organization's top management. During this phase, department heads may question costs they believe are too high or consider accepting certain risks. These exceptions must be justified.

In theory, the ISO 27005 methodology ends here. 

To summarize: it provides an overview of the risks you have identified, the scenarios you have developed, the risk analyses you have performed, and the treatment strategies you have established. ISO 27005 includes a detailed description of the risk management process and of each risk management step. These explanations, along with the annex to ISO 27005, which includes a sample threat catalog, provide a useful guide to properly establishing information security risk management and a good foundation for implementing the requirements of the mother of the ISO 27000 series - ISO 27001. Mom would be proud.

So get your certification with us! Book a consultation!
