
ISO 27005: Information Security Risk Management Guide

ISO 27005 provides comprehensive guidance for managing information security risks within an ISO 27001 management system. This standard helps organizations implement the risk assessment and treatment requirements of ISO 27001 with a structured, repeatable methodology.

Key Takeaways

| Point | Summary |
|---|---|
| Purpose | Guidance for information security risk management |
| Relationship to ISO 27001 | Supports clauses 6.1.2 (risk assessment) and 6.1.3 (risk treatment) |
| Not certifiable | ISO 27005 is guidance only; certification is to ISO 27001 |
| Key phases | Context establishment, risk identification, analysis, evaluation, treatment |
| 2022 update | Aligned with ISO 27001:2022, simplified structure |

Quick Answer: ISO 27005 is the risk management companion to ISO 27001. It provides detailed methodology for identifying, analyzing, evaluating, and treating information security risks. You don't get certified to ISO 27005; you use it to implement the risk management requirements of ISO 27001.

Understanding ISO 27005

What Is ISO 27005?

ISO 27005 is formally titled "Information security, cybersecurity and privacy protection — Guidance on managing information security risks." It provides a structured approach to:

  • Establishing the risk management context
  • Identifying information security risks
  • Analyzing and evaluating risks
  • Selecting and implementing risk treatment options
  • Monitoring and reviewing risks over time

The ISO 27001 Relationship

ISO 27001 requires organizations to:

  • Define and apply an information security risk assessment process (Clause 6.1.2)
  • Define and apply an information security risk treatment process (Clause 6.1.3)
  • Perform risk assessments at planned intervals (Clause 8.2)
  • Implement the risk treatment plan (Clause 8.3)

ISO 27005 provides the "how" for these requirements:

| ISO 27001 Requirement | ISO 27005 Guidance |
|---|---|
| Define risk assessment process | Complete methodology framework |
| Identify risks | Systematic identification techniques |
| Analyze risks | Likelihood and impact assessment methods |
| Evaluate risks | Criteria for prioritizing risks |
| Select treatment options | Treatment option selection guidance |
| Implement treatment | Implementation considerations |
| Monitor risks | Review and monitoring approach |

When to Use ISO 27005

| Use Case | How ISO 27005 Helps |
|---|---|
| Implementing ISO 27001 | Provides complete risk management methodology |
| Developing risk methodology | Framework adaptable to organizational needs |
| Training risk assessors | Educational resource on risk concepts |
| Improving existing process | Benchmark against structured approach |
| Audit preparation | Demonstrates systematic risk management |

The Risk Management Process

Process Overview

ISO 27005 defines a cyclical risk management process aligned with ISO 31000. Risk communication and consultation, and risk monitoring and review, are continuous activities that run alongside assessment and treatment rather than stages that happen only at the end of a cycle:

Risk Management Cycle:

  1. Context Establishment

    • Define scope and boundaries
    • Set risk criteria
    • Establish risk acceptance thresholds
  2. Risk Assessment

    • Risk identification
    • Risk analysis
    • Risk evaluation
  3. Risk Treatment

    • Select treatment options
    • Determine controls
    • Accept residual risk
  4. Risk Monitoring and Review

    • Monitor risk factors
    • Review effectiveness
    • Identify changes
  5. Risk Communication

    • Share risk information
    • Report to stakeholders
    • Document decisions

Context Establishment

Before assessing risks, establish the framework for risk management:

Organizational Context

| Element | Description |
|---|---|
| Business objectives | What the organization is trying to achieve |
| Regulatory environment | Legal and compliance requirements |
| Stakeholder expectations | Customer, partner, regulator needs |
| Organizational constraints | Budget, resources, culture |

Risk Management Scope

Define what is included in the risk assessment:

| Scope Element | Considerations |
|---|---|
| Systems | Which information systems are included |
| Data | What data types are in scope |
| Processes | Which business processes |
| Locations | Physical and logical boundaries |
| People | Employees, contractors, third parties |

Risk Criteria

Establish how risks will be measured:

Likelihood Scale Example:

| Level | Description | Frequency |
|---|---|---|
| 1 - Rare | Unlikely to occur | Less than once every 5 years |
| 2 - Unlikely | Could occur but not expected | Once every 2-5 years |
| 3 - Possible | Might occur | Annually |
| 4 - Likely | Will probably occur | Several times per year |
| 5 - Almost Certain | Expected to occur | Monthly or more |

Impact Scale Example:

| Level | Financial | Operational | Reputational |
|---|---|---|---|
| 1 - Negligible | <$10K | Minutes | Minimal |
| 2 - Minor | $10K-$50K | Hours | Limited |
| 3 - Moderate | $50K-$250K | Days | Notable |
| 4 - Major | $250K-$1M | Weeks | Significant |
| 5 - Severe | >$1M | Months | Severe |

Risk Acceptance Criteria

Define what level of risk is acceptable. In this example the risk score is likelihood × impact on the two 1-5 scales above. The only products two 1-5 scores can produce are 1-6, 8-10, 12, 15, 16, 20 and 25, so the bands below leave no reachable score unassigned:

| Risk Level | Calculation (Likelihood × Impact) | Treatment Required |
|---|---|---|
| Low | 1-4 | Generally acceptable |
| Medium | 5-12 | Management decision needed |
| High | 15-25 | Must be treated |

Risk Assessment

Risk Identification

Systematic identification of what could go wrong:

Asset Identification

Identify what needs protection:

| Asset Category | Examples |
|---|---|
| Information assets | Customer data, financial records, intellectual property |
| Software assets | Applications, operating systems, databases |
| Physical assets | Servers, laptops, network equipment |
| Services | Cloud services, network services, third-party services |
| People | Employees, contractors with knowledge |

Threat Identification

Identify what could cause harm:

| Threat Category | Examples |
|---|---|
| Deliberate | Hacking, malware, insider threats, theft |
| Accidental | Human error, misconfiguration, data loss |
| Environmental | Fire, flood, power failure, natural disasters |
| Technical | System failure, software bugs, capacity issues |

Common Threat Sources:

| Source | Motivation | Examples |
|---|---|---|
| External attackers | Financial gain, espionage | Ransomware, data theft |
| Insiders | Financial, revenge, carelessness | Data theft, accidental exposure |
| Competitors | Commercial advantage | Industrial espionage |
| Natural events | N/A | Disasters, pandemics |
| Technical failures | N/A | Hardware failures, bugs |

Vulnerability Identification

Identify weaknesses that threats could exploit:

| Vulnerability Type | Examples |
|---|---|
| Technical | Unpatched systems, weak encryption, misconfigurations |
| Process | Inadequate change management, missing approvals |
| People | Insufficient training, social engineering susceptibility |
| Physical | Inadequate access controls, environmental controls |

Consequence Identification

Identify potential impacts:

| Consequence | Description |
|---|---|
| Confidentiality breach | Unauthorized disclosure of information |
| Integrity violation | Unauthorized modification or corruption |
| Availability loss | Systems or data unavailable |
| Legal/regulatory | Fines, penalties, legal action |
| Reputational | Customer trust loss, brand damage |
| Financial | Direct costs, lost revenue, recovery costs |

Risk Analysis

Determine the level of risk for each identified scenario:

Qualitative Analysis

Most common approach, using descriptive scales. The example below maps each scale to an ordinal 1-5 score and multiplies them so risks can be ranked; strictly that is the semi-quantitative form described next:

| Risk | Asset | Threat | Likelihood | Impact | Risk Level |
|---|---|---|---|---|---|
| R001 | Customer database | Unauthorized access | 4 (Likely) | 5 (Severe) | 20 (High) |
| R002 | Employee laptops | Theft | 3 (Possible) | 3 (Moderate) | 9 (Medium) |
| R003 | Network | DDoS attack | 3 (Possible) | 4 (Major) | 12 (Medium) |

Semi-Quantitative Analysis

Combines qualitative scales with numerical scores so risks can be ranked and compared. The scores remain ordinal: a risk scored 20 is not "twice as bad" as one scored 10, so use the numbers for ordering and threshold checks, not for arithmetic such as summing risk across the register.

Quantitative Analysis

Uses numerical values (monetary amounts, probabilities) when data is available:

| Factor | Quantitative Value |
|---|---|
| Annual Rate of Occurrence (ARO) | 0.1 (once every 10 years) |
| Single Loss Expectancy (SLE) | $500,000 |
| Annual Loss Expectancy (ALE = ARO × SLE) | $50,000 |

Risk Evaluation

Compare analyzed risks against criteria:

| Step | Action |
|---|---|
| 1. Rank risks | Order by risk level |
| 2. Compare to criteria | Check against acceptance thresholds |
| 3. Prioritize treatment | Determine treatment priority |
| 4. Document decisions | Record rationale for each risk |

Risk Prioritization Matrix:

| Risk Level / Treatment Effort | Low Effort | High Effort |
|---|---|---|
| High Risk | Priority 1 (Quick wins) | Priority 2 (Strategic) |
| Medium Risk | Priority 3 (Efficient) | Priority 4 (Planned) |
| Low Risk | Accept or monitor | Accept |

Risk Treatment

Treatment Options

ISO 27005:2011 grouped risk treatment into four options. The 2022 edition adopts the longer ISO 31000 list (avoiding the risk, removing the risk source, changing the likelihood, changing the consequences, sharing the risk, retaining the risk), but those map onto the same four:

| Option | Description | When to Use |
|---|---|---|
| Risk modification | Implement controls to reduce likelihood and/or consequences | Most common option |
| Risk retention | Accept the risk without further action, with documented approval | Risk within tolerance |
| Risk avoidance | Eliminate the activity causing the risk | Risk unacceptable, no mitigation possible |
| Risk sharing | Share part of the consequence with a third party; accountability stays with the organization (insurance pays out, it does not undo a breach, and regulators hold the data controller responsible regardless of outsourcing) | Insurance, outsourcing |

Control Selection

When modifying risk, select appropriate controls:

| Selection Criteria | Consideration |
|---|---|
| Effectiveness | Will the control reduce risk sufficiently? |
| Cost | Is the control cost-justified by risk reduction? |
| Implementation feasibility | Can the control be implemented? |
| Operational impact | What is the impact on operations? |
| Integration | Does it integrate with existing controls? |

Control Sources:

  • ISO 27001:2022 Annex A (93 controls in four themes: organizational, people, physical, technological)
  • ISO 27002 (detailed implementation guidance)
  • Industry-specific frameworks
  • Regulatory requirements

Residual Risk

After treatment, assess the remaining risk against the same acceptance criteria used for inherent risk. A Medium residual such as R001 below is only "Acceptable" once the risk owner has formally accepted it under the "management decision needed" band; it is not acceptable by default:

| Risk | Inherent Risk | Controls Applied | Residual Risk | Status |
|---|---|---|---|---|
| R001 | 20 (High) | MFA, encryption, monitoring | 8 (Medium) | Acceptable (owner acceptance documented) |
| R002 | 9 (Medium) | Device encryption, MDM | 4 (Low) | Acceptable |
| R003 | 12 (Medium) | DDoS protection service | 4 (Low) | Acceptable |
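The scoring rules spread across the risk criteria, qualitative analysis, prioritization matrix and residual risk sections above are small enough to encode, and doing so catches the inconsistencies auditors look for (a residual score still in the High band marked "Acceptable", a Medium residual with no recorded acceptance, controls listed that do not lower the score). The following is an added example written for this page, not ISO 27005 text or any vendor's tool; the register entries are constructed to mirror R001-R003, the residual likelihood/impact values chosen to reproduce the page's residual scores are assumptions, and the "treatment effort" field used by the prioritization matrix is likewise assumed.

```python
"""Added example: risk register scorer built on this page's 5x5 criteria
(likelihood x impact; bands Low 1-4 / Medium 5-12 / High 13-25).
Illustrative code only, not ISO 27005 text or a vendor tool."""
from dataclasses import dataclass, field
from typing import Optional

# Acceptance criteria from the page. 13-14 cannot occur as a product of two
# 1-5 scores, so these bands cover every reachable score without gaps.
RISK_BANDS = (
    (1, 4, "Low", "Generally acceptable"),
    (5, 12, "Medium", "Management decision needed"),
    (13, 25, "High", "Must be treated"),
)

# Prioritization matrix from the page: (inherent band, treatment effort) -> priority.
PRIORITY = {
    ("High", "low"): "Priority 1 (Quick wins)",
    ("High", "high"): "Priority 2 (Strategic)",
    ("Medium", "low"): "Priority 3 (Efficient)",
    ("Medium", "high"): "Priority 4 (Planned)",
    ("Low", "low"): "Accept or monitor",
    ("Low", "high"): "Accept",
}


def score(likelihood: int, impact: int) -> int:
    """Ordinal risk score; both inputs must be on the 1-5 scales."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def band(value: int) -> tuple:
    """Map a score to (band name, treatment required)."""
    for lo, hi, name, action in RISK_BANDS:
        if lo <= value <= hi:
            return name, action
    raise ValueError(f"score {value} outside 1-25")


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int                              # inherent, 1-5
    impact: int                                  # inherent, 1-5
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # None = unchanged by controls
    residual_impact: Optional[int] = None
    treatment_effort: str = "low"                # "low" | "high" (assumed field)
    accepted_by: Optional[str] = None            # risk owner who signed off the residual

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return score(lik, imp)

    @property
    def priority(self) -> str:
        return PRIORITY[(band(self.inherent)[0], self.treatment_effort)]


def acceptance_findings(risk: Risk) -> list:
    """Checks to pass before a residual risk may be marked 'Acceptable'."""
    findings = []
    level, _ = band(risk.residual)
    if level == "High":
        findings.append(f"{risk.risk_id}: residual {risk.residual} is High and must be treated further")
    elif level == "Medium" and not risk.accepted_by:
        findings.append(f"{risk.risk_id}: residual {risk.residual} is Medium and needs a documented owner acceptance")
    if risk.controls and risk.residual >= risk.inherent:
        findings.append(f"{risk.risk_id}: controls listed but residual score is not below inherent score")
    if not risk.controls and risk.residual != risk.inherent:
        findings.append(f"{risk.risk_id}: residual differs from inherent but no controls are recorded")
    return findings


def sample_register() -> list:
    """Constructed entries mirroring R001-R003; residual inputs chosen to match the page's scores."""
    return [
        Risk("R001", "Customer database", "Unauthorized access", 4, 5,
             ["MFA", "encryption", "monitoring"], residual_likelihood=2, residual_impact=4),
        Risk("R002", "Employee laptops", "Theft", 3, 3,
             ["Device encryption", "MDM"], residual_likelihood=2, residual_impact=2),
        Risk("R003", "Network", "DDoS attack", 3, 4,
             ["DDoS protection service"], residual_likelihood=1, treatment_effort="high"),
    ]


def register_report(risks) -> dict:
    """Per-risk summary: scores, bands, priority and any findings blocking acceptance."""
    return {
        r.risk_id: {
            "inherent": r.inherent, "inherent_band": band(r.inherent)[0],
            "residual": r.residual, "residual_band": band(r.residual)[0],
            "priority": r.priority, "findings": acceptance_findings(r),
        }
        for r in risks
    }


if __name__ == "__main__":
    for rid, row in register_report(sample_register()).items():
        print(rid, row)
```

Run as-is, R001 comes back with one finding (residual 8 is Medium but `accepted_by` is empty); setting `accepted_by` to the risk owner clears it, which is exactly the paper trail the Risk Acceptance section below asks for. Scores are validated as 1-5 before multiplication so a typo such as a likelihood of 0 or 50 cannot silently push a risk into the wrong band.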

Risk Acceptance

Management must formally accept:

  • Residual risks after treatment
  • Any risks retained without treatment
  • Risk treatment plans with implementation timelines

Document acceptance decisions with:

  • Risk owner signature
  • Acceptance criteria applied
  • Review date
  • Any conditions

Risk Documentation

Risk Register

Maintain a risk register with essential fields:

| Field | Purpose |
|---|---|
| Risk ID | Unique identifier |
| Description | What could happen |
| Asset/process affected | What is at risk |
| Threat | What could cause the risk |
| Vulnerability | What weakness is exploited |
| Likelihood | How likely (1-5) |
| Impact | How severe (1-5) |
| Inherent risk level | Pre-treatment risk score |
| Treatment option | Modify/accept/avoid/share |
| Controls | Selected mitigations |
| Residual risk level | Post-treatment risk score |
| Risk owner | Who is accountable |
| Status | Open/in progress/closed |
| Review date | Next review |

Risk Treatment Plan

Document planned treatments:

| Element | Description |
|---|---|
| Risk ID | Link to risk register |
| Treatment action | What will be done |
| Control reference | ISO 27001 Annex A control |
| Responsible person | Who will implement |
| Timeline | Implementation date |
| Resources | Budget, personnel |
| Success criteria | How completion is measured |

Monitoring and Review

Continuous Monitoring

Risk management is not a one-time exercise:

| Monitoring Activity | Typical Frequency |
|---|---|
| Risk indicator monitoring | Ongoing |
| Control effectiveness review | Quarterly |
| Risk register review | Quarterly |
| Full risk reassessment | Annually |
| Post-incident risk review | After incidents |
| Change-triggered review | When significant changes occur |

Triggers for Review

Reassess risks when:

  • New threats emerge
  • Vulnerabilities are discovered
  • Business processes change
  • New systems are implemented
  • Incidents occur
  • External environment changes
  • Regulatory requirements change

Key Risk Indicators (KRIs)

Monitor indicators that signal changing risk:

| KRI | What It Indicates |
|---|---|
| Failed login attempts | Potential attack activity |
| Vulnerability scan results | Changing technical risk |
| Security incidents | Realized risks |
| Compliance findings | Control effectiveness |
| Threat intelligence | Emerging threats |
| Employee turnover | Knowledge risk |
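A KRI is only useful if it is measured and wired to a review trigger. The following added example, written for this page rather than taken from ISO 27005 or any product, computes the "failed login attempts" KRI from authentication log lines and turns a threshold breach into a change-triggered review of a register entry. The log lines are constructed in an OpenSSH-like format using documentation address ranges; the threshold, the sliding window and the mapping to risk ID R001 (the unauthorized-access risk from the tables above) are assumptions.

```python
"""Added example: 'failed login attempts' KRI from auth logs -> risk review trigger.
Illustrative code only; log lines are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: RFC 3339 timestamp, host, sshd message.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z db01 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2024-05-01T10:00:09Z db01 sshd[4102]: Failed password for root from 203.0.113.5 port 51023 ssh2
2024-05-01T10:00:15Z db01 sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 51024 ssh2
2024-05-01T10:00:22Z db01 sshd[4104]: Failed password for root from 203.0.113.5 port 51025 ssh2
2024-05-01T10:00:30Z db01 sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 51026 ssh2
2024-05-01T10:00:41Z db01 sshd[4106]: Failed password for root from 203.0.113.5 port 51027 ssh2
2024-05-01T10:01:03Z db01 sshd[4107]: Failed password for root from 203.0.113.5 port 51028 ssh2
2024-05-01T10:05:11Z db01 sshd[4120]: Failed password for alice from 198.51.100.7 port 60001 ssh2
2024-05-01T10:05:40Z db01 sshd[4121]: Accepted password for alice from 198.51.100.7 port 60002 ssh2
2024-05-01T10:30:00Z db01 sshd[4130]: Failed password for bob from 198.51.100.9 port 60100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log: str):
    """Yield (timestamp, result, user, source) for every line matching the pattern."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def failed_logins_by_source(log: str) -> dict:
    """KRI value: total failed authentications per source address."""
    counts = defaultdict(int)
    for _, result, _, src in parse(log):
        if result == "Failed":
            counts[src] += 1
    return dict(counts)


def burst_sources(log: str, threshold: int = 5, window_seconds: int = 600) -> dict:
    """Sources reaching `threshold` failures inside any sliding window of
    `window_seconds`. Returns {source: peak failures seen in one window}.
    Thresholding on a window rather than a raw total separates a brute-force
    burst from the same number of typos spread over a month."""
    window = timedelta(seconds=window_seconds)
    times = defaultdict(list)
    for ts, result, _, src in parse(log):
        if result == "Failed":
            times[src].append(ts)
    peaks = {}
    for src, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[src] = peak
    return peaks


def review_trigger(log: str, risk_id: str = "R001") -> dict:
    """Translate a KRI breach into a change-triggered review of one register entry.
    risk_id is an assumption (R001 = unauthorized access to the customer database)."""
    bursts = burst_sources(log)
    return {
        "risk_id": risk_id,
        "reassess": bool(bursts),
        "reason": (f"{len(bursts)} source(s) exceeded the failed-login KRI threshold"
                   if bursts else "KRI within tolerance"),
        "sources": bursts,
    }


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LOG))
    print(review_trigger(SAMPLE_LOG))
```

On the constructed log, one source produces seven failures in about a minute and trips the trigger, while the two single failures from legitimate users do not. The output is deliberately a review request, not an automatic likelihood change: the KRI tells the risk owner that the "Likely" rating on R001 needs re-examination, and the re-scoring and any acceptance decision still go through the register with a recorded rationale.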

Common Challenges and Solutions

Challenge 1: Overwhelming Number of Risks

Problem: Identifying hundreds of risks becomes unmanageable.

Solution:

  • Focus on the significant risks (a register of roughly 30-75 entries is usually manageable)
  • Group similar risks
  • Use appropriate granularity
  • Prioritize based on business impact

Challenge 2: Inconsistent Risk Assessment

Problem: Different assessors rate the same risk differently.

Solution:

  • Define clear criteria with examples
  • Conduct calibration exercises
  • Use facilitated workshops
  • Document assessment rationale

Challenge 3: Risk Assessment Theater

Problem: Going through the motions without meaningful insight.

Solution:

  • Connect risks to real business concerns
  • Use results for actual decisions
  • Report meaningfully to management
  • Focus on actionable outcomes

Challenge 4: Stale Risk Information

Problem: Risk register becomes outdated quickly.

Solution:

  • Integrate risk review into operations
  • Set calendar reminders for reviews
  • Assign risk owners with accountability
  • Link to change management process

Integration with ISO 27001

ISMS Integration Points

ISO 27005 risk management integrates throughout the ISMS:

| ISMS Element | Risk Management Role |
|---|---|
| Context (Clause 4) | Defines risk management scope |
| Leadership (Clause 5) | Management accepts residual risk |
| Planning (Clause 6) | Risk assessment drives control selection |
| Support (Clause 7) | Resources for risk management |
| Operation (Clause 8) | Implement and monitor risk treatment |
| Evaluation (Clause 9) | Measure risk management effectiveness |
| Improvement (Clause 10) | Improve based on risk trends |

Statement of Applicability

Risk assessment results drive the Statement of Applicability:

| SoA Element | Risk Connection |
|---|---|
| Control selection | Based on identified risks |
| Inclusion justification | Which risks does the control address |
| Exclusion justification | Why risks don't require the control |

The Bastion Approach

Streamlined Risk Management

Bastion simplifies ISO 27005 implementation:

| Challenge | Bastion Solution |
|---|---|
| Methodology development | Pre-built, auditor-approved methodology |
| Asset identification | Automated discovery from integrations |
| Threat identification | Industry-specific threat library |
| Risk scoring | Guided assessment with calibration |
| Control mapping | Automatic control recommendations |
| Documentation | Risk register with audit trail |
| Ongoing monitoring | Continuous risk tracking |

Expert Guidance

Your vCISO helps with:

  • Risk assessment facilitation
  • Consistent scoring calibration
  • Appropriate scope and granularity
  • Management reporting
  • Auditor preparation

Need help with your information security risk management? Talk to our team

