ISO 27005 risk management and how it's connected to ISO 27001

Security teams take an average of 287 days to identify and contain a data breach. With the increase in cyber threats, this is no longer sustainable. You want your organisation to have robust information security processes to protect information assets and intellectual property.

And ISO 27005 can help you get there.

Read all you need to know about ISO 27005, how it contributes to your information security risk management, and how it's interlinked with ISO 27001.

What is ISO 27005?

ISO 27005 is an international standard for managing information security risks. It helps organisations identify, assess, and handle risks to keep their information safe. This standard complements ISO 27001 by focusing on risk management, which is essential for protecting data from threats. The standard is useful for any organisation looking to strengthen its cybersecurity.

Organisations of any size and in any sector can follow ISO 27005. For this reason, the ISO 27005 standard doesn't set a strict path for compliance. Instead, it proposes recommended practices. These practices are compatible with a typical Information Security Management System (ISMS).

ISO 27005 provides guidelines for procedures that are essential for an ISMS. These procedures include identifying, assessing, evaluating, and treating information security vulnerabilities. Following ISO 27005 helps organisations handle security controls and other measures better.

How does ISO 27005 help with information security risk management?

ISO 27005 can help your organisation conduct a more accurate information security risk assessment based on which you can improve your ISMS.

Information security risk management is identifying and mitigating risks related to information technology. It's a continual process that includes:

  • Identifying and assessing risk
  • Understanding the likelihood of risk and its consequences
  • Establishing a ranked order for risk treatment
  • Involving stakeholders in risk management decisions
  • Monitoring the effectiveness of risk mitigation
  • Educating stakeholders about risks and mitigation actions

Risks can potentially affect an organisation's confidentiality, reputation, and asset availability. Information security risk management can't stop all risks. But it helps organisations define and maintain an appropriate level of risk. Organisations should manage risk in line with their risk tolerance.

ISO 27005 defines best practices for information security risk management. It defines consistent processes within a broader framework. Implementing these processes helps organisations handle risks more reliably and more effectively.


How does ISO 27005 align with ISO 27001?

The ISO 27000 series is a set of standards that addresses information security. ISO 27005 helps organisations follow ISO 27001. That is why, even though ISO 27005 is not particularly well known, many companies have already implemented much of it simply by following ISO 27001.

What is ISO 27001?

ISO 27001 is the leading international standard for information security. It guides organisations in protecting their information in a systematic and cost-effective way. It promotes adopting an ISMS.

ISO 27001 certification requires an organisation to prove aspects of risk management, including:

  • Evidence of information security risk management
  • Risk actions taken
  • Application of relevant controls from Annex A

Annex A contains reference control objectives and controls. The controls help an organisation structure its ISMS and meet ISO 27001 requirements.

The connection between ISO 27005 and ISO 27001

Risk assessments are one of the most important parts of complying with ISO 27001. ISO 27005 gives guidance on identifying, assessing, evaluating, and treating information security vulnerabilities. These procedures are key for an ISO 27001 information security management system.

ISO 27001 requires that controls applied as part of an ISMS be risk-based. Implementing an ISO 27005 information security risk management plan fulfils this rule.


What is the ISO 27005 risk management process?

ISO 27005 doesn't specify a particular risk management method. It promotes a continual process based on seven components, which overlap somewhat in their application.

Each main phase of the process has four steps:

  • Input, which covers the information necessary to do an activity
  • Action, which defines the activity
  • Implementation guidance, which gives more details
  • Output, which describes what information the activity should have generated

This structure provides the right information to start each risk management activity. Here they are in more detail.

Establish context

The first step for risk management with ISO 27005 is establishing the context. This step should define the organisation's risk evaluation criteria and risk acceptance criteria. ISO 27005 provides criteria for defining context according to factors such as:

  • Identifying risks
  • Determining who handles risk ownership
  • Determining how risks affect the confidentiality, integrity, and availability of information
  • Calculating the probability and effects of risks

Establishing the context for risk assessment is important. It helps ensure that the entire organisation does assessments the same way.

Define the risk estimation method

Defining risk management processes includes deciding which type of assessments to use. Quantitative or qualitative assessments are possible.

Quantitative measurement has the disadvantage of relying on historical data, which tells you little about risks that have not occurred yet. Managing new risks is a more important goal for risk management.

Qualitative measurement is, by nature, a form of estimation. It can still be accurate within defined boundaries, but only if those boundaries are concrete: terms like "high" or "low" to measure the consequences of risk are too vague.

A more useful qualitative scale for risk impacts might include categories such as:

  • Total asset destruction
  • Loss of most of an asset
  • Loss of some of an asset
  • Minor loss

This type of measurement will produce a more evidence-based and accurate process.

Conduct risk assessment

The risk assessment process includes risk identification, estimation, and evaluation. Many organisations use an asset-based risk assessment process. Risk identification includes:

  • Inventory of information assets
  • Identification of threats and vulnerabilities that could impact each asset
  • Consequences of those risks for the organisation

Risk estimation then evaluates the likelihood of each risk and its impact, producing a level of risk. Risk evaluation compares that level against the risk acceptance criteria defined in the context establishment step. The risk assessor can then prioritise the list of risks so that the most serious are addressed first.

Pick your risk treatment

Risk treatment involves deciding on the proper risk mitigation strategy. Four responses to risk are possible:

  • Avoid the risk by eliminating it
  • Reduce the risk by using security controls
  • Transfer the risk to a third party through insurance or outsourcing
  • Tolerate the risk and take no action

Tolerating risk is the best option when the costs of treating the risk outweigh the benefits. This is often the case when the likelihood of the risk occurring is very small.
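The asset-based assessment and the treatment decision described above, as an added worked example that is not part of the original post or of the ISO standard itself. The impact categories are the post's qualitative scale; the numeric mapping, the likelihood scale, the acceptance threshold and the sample risk register are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Qualitative impact scale from the post, mapped to ordinal scores (mapping is an assumption).
IMPACT_SCALE = {
    "minor loss": 1,
    "loss of some of an asset": 2,
    "loss of most of an asset": 3,
    "total asset destruction": 4,
}
# Likelihood scale is an assumption; ISO 27005 leaves the choice to the organisation.
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}


@dataclass(frozen=True)
class Risk:
    """One row of an asset-based risk register: asset, threat, vulnerability, estimates."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def level(self) -> int:
        # Risk estimation: level of risk = likelihood score x impact score.
        return LIKELIHOOD_SCALE[self.likelihood] * IMPACT_SCALE[self.impact]


def evaluate(risks: list[Risk], acceptance_threshold: int) -> list[tuple[Risk, int, str]]:
    """Risk evaluation: rank risks highest first and compare each against the
    acceptance criterion. Levels at or below the threshold are tolerated (the
    'take no action' option); anything above must be avoided, reduced or
    transferred, which remains a management decision per risk."""
    ranked = sorted(risks, key=lambda r: r.level(), reverse=True)
    return [
        (r, r.level(), "tolerate" if r.level() <= acceptance_threshold else "treat")
        for r in ranked
    ]


# Constructed sample register (hypothetical assets and findings).
SAMPLE_REGISTER = [
    Risk("public website", "defacement", "weak admin password", "unlikely", "minor loss"),
    Risk("customer database", "ransomware", "unpatched server", "likely", "total asset destruction"),
    Risk("staff laptop", "theft", "no disk encryption", "possible", "loss of some of an asset"),
]
ACCEPTANCE_THRESHOLD = 4  # assumed criterion agreed during context establishment

if __name__ == "__main__":
    for risk, level, decision in evaluate(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD):
        print(f"{level:>2}  {decision:<8} {risk.asset}: {risk.threat} via {risk.vulnerability}")
```

Running the block prints the register ordered by level, with only the lowest-scoring risk marked to tolerate; the threshold is the lever that context establishment gives senior management.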

Decide on risk acceptance

It will never be possible to make your organisation 100% secure against any threats to information security. The goal is to align your individual risk tolerance with the measures you take towards information security.

Establishing your own criteria for risk acceptance should take into account factors like:

  • Current strategies
  • Business priorities
  • Goals and objectives
  • Stakeholder interests

Senior management then needs to approve the ISO 27005 risk assessment and treatment plan. Documentation of the ISO 27005 process can inform communication with stakeholders. Documentation of the work up to this point is very important. It lets auditors see the methods for identifying, assessing, and mitigating risk. It serves as a reference for future use.

Ensure risk communication and consultation

Effective communication about the information security risk management process is critical. The people who will put the plan in place need to understand why its provisions are necessary. Decision-makers and other stakeholders can agree more easily on how to manage risk.

Communication about risk management must be ongoing. Organisations need a communication plan for emergencies as well as normal operations.

Monitor risks and review

Risks can change suddenly and without warning. Continual monitoring is necessary. Monitoring helps an organisation quickly identify changes. The organisation can update the risk treatment plan as needed. Monitoring should include factors like:

  • New assets
  • Changes in asset values
  • New internal or external threats
  • Information security incidents

Monitoring also checks whether the organisation's risk treatment plan is working properly. Information security risk management is an ongoing process that needs active engagement.


How can ISO 27005 benefit your organisation?

  1. ISO 27005 is a flexible standard and can, therefore, be adapted to your industry, business model and size.
  2. ISO 27005 lets an organisation choose its own risk management approach. The organisation's individual circumstances inform this choice.
  3. The ISO 27005 method can stand on its own. It can also support compliance with ISO 27001. Following ISO 27005, your organisation will have a more resilient ISMS.
  4. Following ISO 27005 helps your teams develop expertise and experience. They can create a more effective information security risk management process. It shows that you can prioritise risks. You work proactively to mitigate their impacts.
  5. Compliance with ISO 27005 gives an organisation a competitive edge. It demonstrates to clients that you're serious about information security. Customers can be more confident that their data is safe with you.


Become ISO 27005 compliant

ISO 27005 can improve information security risk management for your organisation. Following ISO 27005 will help you develop a better information security management system. You can then follow ISO 27001 more easily.

Hear more about ISO 27005 risk management and its integral link to ISO 27001. Contact us to find out how the DataGuard ISO 27001 certification solution can help your organisation manage risks and comply with the latest industry standards for optimal security.


About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK, and Austria use their year-long experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials
