BS ISO/IEC 27005:2011
Information security management systems – Information security risk management
What is it?
BS ISO/IEC 27005:2011 expands on the requirements in BS ISO/IEC 27001 for information security risk management. Conducting risk assessments and subsequently performing risk management is an essential component of any Information Security Management System (ISMS).
The technical approach used within BS ISO/IEC 27005:2011 is fully aligned with the international standard for risk management, BS ISO 31000.
How does it work?
BS ISO/IEC 27005:2011 describes an information security risk management process and associated actions modelled on the generic risk management processes defined in BS ISO 31000:2009. This information security risk management is then linked back to the risk assessment and risk management requirements of BS ISO/IEC 27001:2005. Annexes provide checklists, examples and other practical advice.
BS ISO/IEC 27005:2011 does not define or mandate any particular methodology for performing risk assessments. However, examples of suitable approaches are given in an annex.
Who should buy it?
Anyone who is planning to build an ISMS based on BS ISO/IEC 27001 needs BS ISO/IEC 27005:2011 as well. It is an essential supporting standard for ISMS implementation.
It will be useful for anyone needing insight into the practical aspects of building an ISO/IEC 27001 ISMS. It can also be used as a stand-alone guide to performing information risk management in ways compatible with BS ISO 31000.
BS ISO/IEC 27005:2011 is currently being revised to fully align with the new edition of ISO/IEC 27001, BS ISO/IEC 27001:2013.
Although the latest edition of ISO/IEC 27001 has significantly revised risk management requirements when compared to the 2005 edition, most of the practical advice and examples within BS ISO/IEC 27005:2011 are equally applicable to an ISMS built using the latest edition of ISO/IEC 27001. Indeed, some of the risk assessment approaches used as examples within BS ISO/IEC 27005:2011 reflect BS ISO 31000:2009 (and thus BS ISO/IEC 27001:2013) and are not strictly compatible with BS ISO/IEC 27001:2005.