BS ISO/IEC 27005:2008 - Information technology. Security techniques. Information security risk management – BSI British Standards


BS ISO/IEC 27005:2008

Information technology. Security techniques. Information security risk management

Status: Revised, Withdrawn. Published: June 2008. Replaced by: BS ISO/IEC 27005:2011

WITHDRAWN TITLE
*To ask about withdrawn titles contact the BSI Knowledge Centre knowledgecentre@bsigroup.com, +44 20 8996 7004

This standard has now been superseded by the 2011 version, BS ISO/IEC 27005:2011.

BS ISO/IEC 27005:2008 Information technology. Security techniques. Information security risk management

Organizations of all types are exposed to threats that could compromise their information security. Managing this aspect is usually a primary concern for their information technology (IT) departments. The International Standard BS ISO/IEC 27005:2008 describes the information security risk management process and its associated actions, and has been written to help organizations manage these business-critical risks.

Threats may be deliberate or accidental, and may relate either to the use and application of IT systems or to their physical and environmental aspects. They may take any form, from identity theft, the risks of doing business online, denial of service attacks, remote spying, and theft of equipment or documents, through to seismic or climatic events, fire, floods or pandemics.

These threats can have a direct impact on businesses, ranging from financial loss or damage, loss of essential network services and loss of customer confidence, through to loss of power supply or failure of telecommunication equipment.

What's a risk?

A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria.

How does this standard help?

BS ISO/IEC 27005 is the international standard that provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) as specified in ISO/IEC 27001.

BS ISO/IEC 27005 can help your organization because it:

  • Describes the information security risk management process and associated actions, to help you manage business-critical risks to IT.
  • Supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  • Covers the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002, giving you the knowledge you need for a complete understanding of ISO/IEC 27005:2008.

What does the information security risk management process consist of?

  • Context establishment
  • Risk assessment
  • Risk treatment
  • Risk acceptance
  • Risk communication
  • Risk monitoring and review.

Who should use BS ISO/IEC 27005?

BS ISO/IEC 27005 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization’s information security.

BS ISO/IEC 27005 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.

The main driver for this topic is ISO/IEC 27001, which is a risk-based standard. Risk assessments are carried out to determine which controls (from ISO/IEC 27001) to put in place, and the strength of control required to reduce these risks to a level that the organization can regard as an acceptable business risk.

How does BS ISO/IEC 27005 complement BS ISO/IEC 27001?

If you use BS ISO/IEC 27001 Information technology. Security techniques. Information security management systems. Requirements, which is a risk-based standard, then you will find BS ISO/IEC 27005 very useful in providing additional guidance on the subject of risk.

Contents of BS ISO/IEC 27005 include:

  • Foreword
  • Introduction
  • Normative references
  • Terms and definitions
  • Structure of this International Standard
  • Background
  • Overview of the information security risk management process
  • Context establishment
  • General considerations
  • Basic Criteria
  • The scope and boundaries
  • Organization for information security risk management
  • Information security risk assessment
  • General description of information security risk assessment
  • Risk analysis
  • Risk identification
  • Risk estimation
  • Risk evaluation
  • Information security risk treatment
  • General description of risk treatment
  • Risk reduction
  • Risk retention
  • Risk avoidance
  • Risk transfer
  • Information security risk acceptance
  • Information security risk communication
  • Information security risk monitoring and review
  • Monitoring and review of risk factors
  • Risk management monitoring, reviewing and improving
  • Defining the scope and boundaries of the information security risk management process
  • Study of the organization
  • List of the constraints affecting the organization
  • List of the legislative and regulatory references applicable to the organization
  • List of the constraints affecting the scope
  • Identification and valuation of assets and impact assessment
  • Examples of asset identification
  • The identification of primary assets
  • List and description of supporting assets
  • Asset valuation
  • Impact assessment
  • Examples of typical threats
  • Vulnerabilities and methods for vulnerability assessment
  • Examples of vulnerabilities
  • Methods for assessment of technical vulnerabilities
  • Information security risk assessment approaches
  • High-level information security risk assessment
  • Detailed information security risk assessment
  • Matrix with predefined values
  • Ranking of Threats by Measures of Risk
  • Assessing a value for the likelihood and the possible consequences of risks
  • Constraints for risk reduction
  • Bibliography

However, ISO/IEC 27005:2008 does not provide any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, based on the context of risk management, or the industry sector.

A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.

Edward Humphreys, chairman of the UK National Committee and convener of the ISO/IEC working group that developed the standard, comments:

“Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.”




Standard Number: BS ISO/IEC 27005:2008
Title: Information technology. Security techniques. Information security risk management
Status: Revised, Withdrawn
Publication Date: 30 June 2008
Withdrawn Date: 30 June 2011
Cross References: ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC Guide 73:2002, ISO/IEC 16085:2006, AS/NZS 4360:2004, NIST SP 800-12, NIST SP 800-30
Replaced By: BS ISO/IEC 27005:2011
Replaces: BS ISO/IEC TR 13335-3:1998, BS ISO/IEC TR 13335-4:2000
International Relationships: ISO/IEC 27005:2008
Draft Superseded By: 07/30117272 DC
Descriptors: Data processing, Computers, Management, Data security, Data storage protection, Risk assessment, Risk analysis, Information exchange, Business continuity, Anti-burglar measures, Computer software, Computer hardware, Computer networks
ICS: 35.040
Title in French: Technologies de l'information. Techniques de sécurité. Gestion du risque en sécurité de l'information
Committee: IST/33
ISBN: 978 0 580 54513 9
Publisher: BSI
Format: A4
Delivery: No
Pages: 64
File Size: 1.014 MB
Price: £90.00

