Information Security Risk Management

Organizations of all types are very concerned by threats that could compromise their information security. The new ISO 27005:2008 standard, which describes the information security risk management process and associated actions, will help information technology (IT) departments manage these risks.

Threats may be deliberate or accidental, and may relate either to the use and application of IT systems or to IT's physical and environmental aspects. They may take any form: identity theft, the risks of doing business online, denial-of-service attacks, remote spying, theft of equipment or documents, as well as seismic or climatic phenomena, fire, floods, or pandemics. These threats may result in various business impacts, for example financial loss or damage, loss of essential network services, loss of customer confidence, loss of power supply, or failure of telecommunications equipment.

A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of that event occurring. Risk assessment quantifies the risk or describes it qualitatively, and enables managers to prioritize risks according to their perceived seriousness or other established criteria.

ISO 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management and supports the general concepts specified in ISO 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

ISO 27005 is designed to assist the implementation of ISO 27001, which is based on a risk management approach. Knowledge of the concepts, models, processes, and terminology described in ISO 27001 and ISO 27002:2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of ISO 27005.

The information security risk management process consists of:

  • context establishment
  • risk assessment
  • risk treatment
  • risk acceptance
  • risk communication
  • risk monitoring and review
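Because ISO 27005 leaves the methodology to the organization, the following is an added illustration, not the standard's own method and not code from the article: it walks a small constructed risk register through assessment (combining likelihood and consequence, then prioritizing), a treatment decision, an acceptance check against an assumed threshold, and a residual-risk re-assessment. The qualitative scales, the product used to combine them, the acceptance threshold of 6 and the treatment decision rules are all assumptions chosen for the example.

```python
"""Illustrative risk assessment and treatment walk-through (added example).

All scales, thresholds and decision rules below are assumptions an
organization might define for itself; ISO 27005 does not prescribe them.
"""
from dataclasses import dataclass
from enum import Enum

# Assumed qualitative scales, listed in ascending order.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # assumed acceptance criterion: level <= 6 may be accepted as-is


class Treatment(Enum):
    ACCEPT = "accept"  # within acceptance criteria: record, monitor and review
    MODIFY = "modify"  # apply controls that reduce likelihood and/or consequence
    SHARE = "share"    # transfer part of the risk, e.g. insurance or outsourcing
    AVOID = "avoid"    # withdraw from the activity that gives rise to the risk


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    consequence: str

    @property
    def level(self) -> int:
        # Risk combines consequence and likelihood; this example uses their product.
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def prioritize(risks):
    """Risk assessment output: risks ordered by level, highest first."""
    return sorted(risks, key=lambda r: r.level, reverse=True)


def treatment_for(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> Treatment:
    """Assumed decision rules mapping an assessed risk to one treatment option."""
    lik, con = LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence]
    if risk.level <= threshold:
        return Treatment.ACCEPT
    if con >= 5 and lik >= 4:      # frequent and severe: stop the activity
        return Treatment.AVOID
    if con >= 4 and lik <= 2:      # rare but costly: transfer part of it
        return Treatment.SHARE
    return Treatment.MODIFY        # everything else: reduce with controls


def reduce_likelihood(risk: Risk, steps: int) -> Risk:
    """Residual risk after a control lowers likelihood by `steps` on the scale."""
    ordered = list(LIKELIHOOD)  # dict insertion order is ascending
    idx = max(0, ordered.index(risk.likelihood) - steps)
    return Risk(risk.asset, risk.threat, ordered[idx], risk.consequence)


def risk_register(risks):
    """One pass: assess, prioritize, and decide treatment for each risk."""
    return [(r.asset, r.level, treatment_for(r).value) for r in prioritize(risks)]


# Constructed sample risks for the example (not real findings).
SAMPLE_RISKS = [
    Risk("customer database", "identity theft via stolen credentials", "likely", "major"),
    Risk("data centre", "flood", "unlikely", "severe"),
    Risk("staff laptops", "theft of equipment", "possible", "minor"),
    Risk("legacy remote-access service", "remote spying via unpatched protocol",
         "almost certain", "severe"),
]

if __name__ == "__main__":
    for asset, level, treatment in risk_register(SAMPLE_RISKS):
        print(f"{level:>2}  {treatment:<7} {asset}")
    # Monitoring and review: re-assess after a control (assumed: stronger
    # authentication drops likelihood two steps). Residual level 8 still exceeds
    # the threshold, so it needs a further treatment or an explicit acceptance.
    residual = reduce_likelihood(SAMPLE_RISKS[0], 2)
    print("residual:", residual.level, treatment_for(residual).value)
```

The point the code makes beyond the prose is that treatment is not the end of the process: after a control is applied, the residual risk is re-assessed against the same acceptance criteria, and anything still above the threshold needs either further treatment or a recorded acceptance decision.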

However, ISO 27005 does not provide any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, the context in which risk management is performed, or the industry sector.

Most organizations recognize the critical role that information technology plays in supporting their business objectives, and with the advent of the Internet and the prospect of doing business online, IT security has moved to the forefront. ISO 27005 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, to external parties supporting such activities.

You can order ISO 27005 at this page of the ANSI Standards Store.