Information Security

Information security risks pose a threat to businesses because they can lead to financial loss or damage, loss of essential network services, or loss of reputation and customer confidence. Risk management is a key element in preventing online fraud, identity theft, website damage, and personal data loss. Without a solid risk management framework, organizations expose themselves to many types of cyber threats.

The new International Standard, ISO 27005:2011, Information technology – Security techniques – Information security risk management, will help organizations of all types to better manage their information security risks.

ISO 27005:2011 describes the information security risk management process and associated actions, and supports the general concepts specified in ISO 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

In this second edition, the framework outlined in ISO 27005 has been reviewed and updated to reflect the content of these risk management documents:

  • ISO 31000:2009, Risk management – Principles and guidelines
  • ISO 31010:2009, Risk management – Risk assessment techniques
  • ISO Guide 73:2009, Risk management – Vocabulary

The standard is intended to align closely with ISO 31000:2009, so that organizations can manage their information security risks in the same way they manage their other business risks.

ISO 27005:2011 will assist users in the implementation of ISO 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes, and terminology described in ISO 27001 and ISO 27002:2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of ISO 27005.

The information security risk management process consists of:

  • Context establishment
  • Risk assessment
  • Risk treatment
  • Risk acceptance
  • Risk communication
  • Risk monitoring and review

However, ISO 27005:2011 does not prescribe a specific methodology for information security risk management; it offers a generic approach. It is up to the organization to define its own approach to risk management, depending, for example, on the scope of the information security management system, the context in which risks are managed, or the industry sector.

ISO 27005:2011 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization’s information security. It can be ordered from the ANSI e-Standards Store.

You can enroll in one of our RABQSA-certified ISO 27001 information security courses by selecting a title below to see the course description and class schedule:

  • Requirements (2 Days)
  • Internal Auditor (3 Days)
  • Lead Auditor (4 Days)