Security Risk Standard

The new ISO 27005:2011 standard gives managers and staff in IT departments a framework for implementing a risk management approach to assist them in managing their information security management system (ISMS) risks.

Information security risks pose a considerable threat to businesses because of the possibility of financial loss or damage, loss of essential network services, or loss of reputation and customer confidence. Risk management is one of the key elements in preventing online fraud, identity theft, damage to Web sites, loss of personal data, and many other information security incidents. Without a solid risk management framework, organizations expose themselves to many types of cyber threats.

The new international standard, ISO 27005:2011, Information technology – Security techniques – Information security risk management, will help organizations of all types to better manage their information security risks.

It describes the information security risk management process and its associated actions, and supports the general concepts specified in ISO 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

In this second edition, the framework outlined in ISO 27005 has been reviewed and updated to reflect the content of the following risk management documents:

  • ISO 31000:2009, Risk management – Principles and guidelines
  • ISO 31010:2009, Risk management – Risk assessment techniques
  • ISO Guide 73:2009, Risk management – Vocabulary

The standard is intended to align closely with ISO 31000:2009, so that organizations can manage their information security risks in the same way they manage their “other” risks.

ISO 27005:2011 will assist users in the implementation of ISO 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes, and terminology described in ISO 27001 and ISO 27002:2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of ISO 27005. The information security risk management process consists of:

  • Context establishment
  • Risk assessment
  • Risk treatment
  • Risk acceptance
  • Risk communication, and
  • Risk monitoring and review.

However, ISO 27005:2011 provides a generic approach rather than any specific methodology for information security risk management. It is up to the organization to define its own approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.

You can order ISO 27005:2011 at this web page in the ANSI e-Standards Store.