This standard has now been superseded by the 2011 version, BS ISO/IEC 27005:2011.
BS ISO/IEC 27005:2008 Information technology. Security techniques. Information security risk management
Organizations of all types are concerned by threats that could compromise their information security. Managing this aspect is usually a primary concern for their information technology (IT) departments. The new International Standard BS ISO/IEC 27005:2008 describes the information security risk management process and associated actions, and has been written to help manage these business-critical risks.
Threats may be deliberate or accidental, and may relate either to the use and application of IT systems or to IT's physical and environmental aspects. These threats may take any form, from identity theft, the risks of doing business online, denial-of-service attacks, remote spying and theft of equipment or documents through to seismic or climatic phenomena, fire, floods or pandemics.
These threats can have a direct impact on businesses, with possible financial loss or damage, loss of essential network services, loss of customer confidence, loss of power supply or failure of telecommunication equipment.
What's a risk?
A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria.
How does this standard help?
BS ISO/IEC 27005 is the international standard that provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) as specified in ISO/IEC 27001.
BS ISO/IEC 27005 can help your organization because it:
- Describes the information security risk management process and associated actions, to help you manage business-critical risks to IT.
- Supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
- Covers the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002, giving you the knowledge you need for a complete understanding of ISO/IEC 27005:2008.
What does the information security risk management process consist of?
- Context establishment
- Risk assessment
- Risk treatment
- Risk acceptance
- Risk communication
- Risk monitoring and review
Who should use BS ISO/IEC 27005?
BS ISO/IEC 27005 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization’s information security.
BS ISO/IEC 27005 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.
The main driver of the topic is ISO/IEC 27001, which is a risk-based standard. Risk assessments are made to determine which controls (from ISO/IEC 27001) to put in place and the strength of control required to reduce these risks to a level that the organization can regard as an acceptable business risk.
How does BS ISO/IEC 27005 complement BS ISO/IEC 27001?
If you use BS ISO/IEC 27001 Information technology. Security techniques. Information security management systems. Requirements, which is a risk-based standard, then you will find BS ISO/IEC 27005 very useful in providing additional guidance on the subject of risk.
Contents of BS ISO/IEC 27005 include:
- Normative references
- Terms and definitions
- Structure of this International Standard
- Overview of the information security risk management process
- Context establishment
  - General considerations
  - Basic criteria
  - The scope and boundaries
  - Organization for information security risk management
- Information security risk assessment
  - General description of information security risk assessment
  - Risk analysis
    - Risk identification
    - Risk estimation
  - Risk evaluation
- Information security risk treatment
  - General description of risk treatment
  - Risk reduction
  - Risk retention
  - Risk avoidance
  - Risk transfer
- Information security risk acceptance
- Information security risk communication
- Information security risk monitoring and review
  - Monitoring and review of risk factors
  - Risk management monitoring, reviewing and improving
- Defining the scope and boundaries of the information security risk management process
  - Study of the organization
  - List of the constraints affecting the organization
  - List of the legislative and regulatory references applicable to the organization
  - List of the constraints affecting the scope
- Identification and valuation of assets and impact assessment
  - Examples of asset identification
    - The identification of primary assets
    - List and description of supporting assets
  - Asset valuation
  - Impact assessment
- Examples of typical threats
- Vulnerabilities and methods for vulnerability assessment
  - Examples of vulnerabilities
  - Methods for assessment of technical vulnerabilities
- Information security risk assessment approaches
  - High-level information security risk assessment
  - Detailed information security risk assessment
    - Matrix with predefined values
    - Ranking of threats by measures of risk
    - Assessing a value for the likelihood and the possible consequences of risks
- Constraints for risk reduction
However, ISO/IEC 27005:2008 does not prescribe any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.
A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.
Edward Humphreys, chairman of the UK National Committee and convener of the ISO/IEC working group that developed the standard comments:
“Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.”