Security teams take an average of 287 days to identify and contain a data breach. And the rapid pace of technological development means that information security threats are constantly changing.
You want your organisation to have robust information security processes to protect your information assets and intellectual property. And we’ll share with you how the ISO 27005 can help you get there.
The international norm can help your organisation conduct a more accurate information security risk assessment based on which you can improve your information security management system (ISMS).
Following the ISO 27005 standard can also help your organisation achieve ISO 27001 certification – but more on that later.
What Is ISO 27005?
ISO 27005 is an international standard from the International Organisation for Standardisation (ISO). The International Electrotechnical Commission (IEC) helped develop it. Its official title is Information Technology-Security Techniques-Information Security Risk Management.
The most recent version of ISO 27005 is from 2018. ISO 27005 shows how to conduct an information security risk assessment. The assessment complies with ISO 27001.
Organisations of any size and in any sector can follow ISO 27005. For this reason, the ISO 27005 standard doesn't set a strict path for compliance.
Instead, it proposes recommended practices. These practices are compatible with a typical information security management system (ISMS).
ISO 27005 provides guidelines for procedures that are essential for an ISMS. These procedures include identifying, assessing, evaluating, and treating information security vulnerabilities. Following ISO 27005 helps organisations better handle security controls and other measures.
The standard offers a framework for information security risk management. It includes planning, executing, administering, monitoring, and managing a risk management plan.
Information Security Risk Management and ISO 27005
Information security risk management is identifying and mitigating risks related to information technology. It's a continual process that includes:
- Identifying and assessing risk
- Understanding the likelihood of risk and its consequences
- Establishing a ranked order for risk treatment
- Involving stakeholders in risk management decisions
- Monitoring the effectiveness of risk mitigation
- Educating stakeholders about risks and mitigation actions
Risks can potentially affect an organisation's confidentiality, reputation, and asset availability.
Information security risk management won't stop all risks. It helps organisations define and maintain an appropriate level of risk. Organisations should manage risk in line with their risk tolerance.
ISO 27005 defines best practices for information security risk management. It defines consistent processes within a broader framework. Implementing these processes helps organisations handle risks more reliably and more effectively.
How ISO 27005 Aligns with ISO 27001?
The ISO 27000 series is a set of standards that addresses information security. ISO 27005 helps organisations follow ISO 27001. That is why even though ISO 27005 is not particularly well known, many companies may have already implemented it by means of following ISO 27001.
Overview of the ISO 27001 Standard
ISO 27001 is the leading international standard for information security. It guides organisations in protecting their information in a systematic and cost-effective way. It promotes adopting an information security management system.
ISO 27001 certification requires an organisation to prove aspects of risk management including:
- Evidence of information security risk management
- Risk actions taken
- Application of relevant controls from Annex A
ISO 27005 and ISO 27001
Risk assessments are one of the most important parts of complying with ISO 27001. And ISO 27005 gives guidance on identifying, assessing, evaluating, and treating information security vulnerabilities. These procedures are key for an ISO 27001 information security management system.
ISO 27001 requires that controls applied as part of an ISMS be risk-based. Implementing an ISO 27005 information security risk management plan fulfils this rule.
ISO 27005 Risk Management Processes
ISO 27005 doesn't specify a particular risk management method. It promotes a continual process based on seven components. These steps overlap somewhat in their application.
Each main phase of the process has four steps:
- Input, which covers the information necessary to do an activity
- Action, which defines the activity
- Implementation guidance, which gives more details
- Output, which describes what information the activity should have generated
This structure provides the right information to start each risk management activity.
The first step for risk management with ISO 27005 is establishing the context. This step should define the organisation's risk evaluation criteria and risk acceptance criteria. ISO 27005 provides criteria for defining context according to factors such as:
- Identifying risks
- Determining who handles risk ownership
- Determining how risks affect the confidentiality, integrity, and availability of information
- Calculating the probability and effects of risks
Establishing the context for risk assessment is important. It helps ensure that the entire organisation does assessments the same way.
Risk Estimation Method
Defining risk management processes includes deciding which type of assessments to use. Quantitative or qualitative assessments are possible.
Quantitative measurement has the disadvantage of relying on historical data. Managing new risks is a more important goal for risk management.
Qualitative measurement is by nature a form of estimation. It can be accurate within defined boundaries, though. For example, terms like "high" or "low" to measure the consequences of risk are too vague. A more useful qualitative scale for risk impacts might include categories such as:
- Total asset destruction
- Loss of most of an asset
- Loss of some of an asset
- Minor loss
This type of measurement will produce a more evidence-based and accurate process.
The risk assessment process includes risk identification, estimation, and evaluation. Many organisations use an asset-based risk assessment process.
Risk identification includes:
- Inventory of information assets
- Identification of threats and vulnerabilities that could impact each asset
- Consequences of those risks for the organisation
Furthermore, risk estimation evaluates the likelihood of risks and their impacts. It then compares the level of risk against the risk acceptance criteria. The context establishment step defined the risk acceptance criteria. Then the risk assessor can prioritise the list of risks to address the most serious risks first.
Risk treatment involves deciding on the proper risk mitigation strategy. Four responses to risk are possible:
- Avoid the risk by eliminating it
- Reduce the risk by using security controls
- Transfer the risk to a third party through insurance or outsourcing
- Tolerate the risk and take no action
Tolerating risk is the best option when the costs of treating the risk outweigh the benefits. This is often the case when the likelihood of the risk occurring is very small.
It will never be possible to be make your organisation 100 % secure against any threats to information security. The goal is to align your individual risk tolerance with the measures you take towards information security. Establishing your own criteria for risk acceptance should take into account factors like:
- Current strategies
- Business priorities
- Goals and objectives
- Stakeholder interests
Senior management then needs to approve the ISO 27005 risk assessment and treatment plan.
Documentation of the work up to this point is very important. It lets auditors see the methods for identifying, assessing, and mitigating risk. It serves as a reference for future use.
Documentation of the ISO 27005 process can inform communication with stakeholders.
Risk Communication and Consultation
Effective communication about the information security risk management process is critical. The people who will put the plan in place need to understand why its provisions are necessary. Decision-makers and other stakeholders can agree more easily on how to manage risk.
Communication about risk management must be ongoing. Organisations need a communication plan for emergencies as well as normal operations.
Risk Monitoring and Review
Risks can change suddenly and without warning. Continual monitoring is necessary.
Monitoring helps an organisation quickly identify changes. The organisation can update the risk treatment plan as needed. Monitoring should include factors like:
- New assets
- Changes in asset values
- New internal or external threats
- Information security incidents
Monitoring also checks whether the organisation's risk treatment plan is working properly. Information security risk management is an ongoing process that needs active engagement.
Benefits for Your Organisation
- ISO 27005 is a flexible standard and can therefore be adapted to your industry, business model and size.
- ISO 27005 lets an organisation choose its own risk management approach. The organisation's individual circumstances inform this choice.
- The ISO 27005 method can stand on its own. It can also support compliance with ISO 27001. Following ISO 27005, your organisation will have a more resilient ISMS.
- Following ISO 27005 helps your teams develop expertise and experience. They can create a more effective information security risk management process. It shows that you can prioritise risks. You work proactively to mitigate their impacts.
- Compliance with ISO 27005 gives an organisation a competitive edge. It demonstrates to clients that you're serious about information security. Customers can be more confident that their data is safe with you.
Becoming ISO 27005 Compliant
ISO 27005 can improve information security risk management for your organisation. Following ISO 27005 will help you develop a better information security management system. You can follow ISO 27001 more easily.
DataGuard can help you to implement an ISMS and get ISO 27001 certified. Our team of infosec specialists has the experience to provide in-depth industry-specific guidance. We offer a range of services and a web-based infosec platform.
Schedule a free initial consultation today. Let's start designing your information security risk management solution.