What is ISO 27005 about?
The exact title of ISO 27005 as presented on the ISO website is “Information technology — Security techniques — Information security risk management”. As such, this standard helps companies manage risks related to information security.
ISO 27005, a definition
As its name suggests, ISO/IEC 27005 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). To be more specific, it supports information security based on a risk management approach. Unlike methods such as the NIST cybersecurity framework, this standard is subject to certification.
ISO 27005 is also based on the guidelines set out in ISO/IEC 27001 and ISO/IEC 27002. Originally published in June 2008 under the acronym ISO/IEC 27005:2008, it was reissued in 2011, and again in 2018. Our article will refer to this latest version.
Here is a summary of the concepts featured in ISO 27005: chapters six to 12 develop an information systems risk management approach; chapter seven deals more specifically with risk analysis, which remains the backbone of a proper cybersecurity strategy; chapter eight focuses on risk assessment; and chapters nine to 12 detail how to implement a risk treatment strategy and how to follow it up.
Who is the intended user of this ISO standard?
The International Organization for Standardization recommends the ISO 27005 standard to companies, but also to public establishments such as "government agencies" and to NPOs (non-profit organisations).
In practice, this information security standard is used to ensure data confidentiality and the availability and integrity of an organisation’s key information assets. It is designed for all structures affected by cyber risks and by the continuous increase of data in their services.
What is the exact purpose of the ISO/IEC 27005 standard?
It is designed to support the satisfactory implementation of information security based on a risk management approach. Employee training is generally required in order to help them develop the skills to carry out effective information security risk management processes. People trained in ISO 27005 are theoretically able to identify, analyse, measure, and treat risks.
This standard also aims at helping your company set up an ISMS (Information Security Management System). An ISMS implies establishing cybersecurity processes and policies, while at the same time continuously improving risk management and taking into account human and technical factors during the process.
To this end, the ISO 27005 standard follows a logic which is reminiscent of the PDCA (Plan, Do, Check, Act) methodology of continuous improvement:
- Plan: Identify and assess cyber risks, then reflect strategically on corresponding risk reduction measures;
- Do: Have these measures implemented;
- Check: Conduct a performance review;
- Act: Ensure monitoring and improvement of your risk treatment strategy.
What are the ISO 27005 training courses?
There are several certification courses for ISO 27005 training:
- ISO 27005 Foundation, which gives access to the PECB Certified ISO/CEI 27005 Foundation certification;
- ISO 27005 Certified Risk Manager with EBIOS. This training explores risk management from the EBIOS method perspective, culminating in two exams: PECB Certified ISO/CEI 27005 Risk Manager and PECB Certified EBIOS;
- ISO 27005 Certified Risk Manager with MEHARI, “harmonised risk analysis method”, developed by the CLUSIF in France;
- ISO 27005 Risk Manager of the ANSSI (French National Agency for Information Systems Security).
Transform how you model, measure, and manage cyber risk.
Our FAIR-certified experts will help you prioritize your IT security investments, improve governance and increase your organization's cyber resilience..
How does ISO 27005 work?
This international standard includes more than 20 pages of information security risk management approaches. Broadly speaking, though, the document supports the general concepts of the methodology through four main steps:
1 / Contextualisation of risk management
Risk analysis contextualisation consists of determining where risk management starts and where it ends. This is also the time to set up a series of criteria:
- assessment criteria help you identify the assets threatened by cyber risks and the thresholds above which risks must be dealt with;
- impact criteria correspond to the minimum level of consequences, above which a risk needs to be taken into consideration;
- risk acceptance criteria represent a threshold below which the risk can be tolerated.
2 / Risk assessment
During this step, you will first determine the elements at risk: the organisation as a whole, but also information systems, services, and data groups. Next, you will need to pinpoint the threats and vulnerabilities revolving around these elements.
After that, ISO 27005 requires you to match those threats and their occurrences with the security needs of your structure. This entire process should help you rank priorities according to the assessment criteria you defined in step one.
While the ISO 27005 standard helps identify cybersecurity vulnerabilities, it does not provide for a risk rating scale. The team in charge of applying the standard must build an evaluation system of their own. This system can rely on qualitative or quantitative estimation methods, the latter being based on measurable costs. In practice, due to a lack of ISO standard prescription, analyses tend to end up qualitative more often than not.
3 / Risk treatment strategy
During this step, your structure needs to set IT security goals while keeping in mind the results obtained during step two. Once those goals are set, you may then draft your specifications, which should help design measures for treating risks.
In ISO 27005, conceptualising these measures means comparing a risk with its treatment cost. Four possibilities then emerge:
- refusal or avoidance: your organisation deems the cyber risk too serious and states that it must be avoided at all costs. Then, you may decide to put a stop to the activity likely to cause it;
- transfer: your structure shares the risk with a third party – insurance or cybersecurity subcontractor – capable of protecting it from the risk, at least financially;
- mitigation: you design measures to mitigate the impact or the probability of occurrence of a risk in order to make it more tolerable;
- conservation: the risk is considered bearable and not enough of a threat, your structure chooses not to address it.
Each option involves a residual risk, which must be systematically assessed.
4 / “Risk acceptance”
The risk treatment strategy and residual risks need to go through an “acceptance” stage, which means, in practice, that the entire treatment plan has to be given the green light by senior management. During this step, heads of departments may question costs that they think are too high, or consider accepting certain risks. These exceptions should be justified.
The ISO 27005 methodology theoretically ends here, though you should keep in mind that all the work your organisation has done to implement it can be used as part of a monitoring and review procedure. It provides a history of the risks you have identified, the scenarios you have imagined, the risk analysis you have performed, and the treatment strategies you have set up. Of course, this methodology should be repeated if threats and vulnerabilities were to evolve. This work can also serve as a support for communication with your stakeholders.
ISO 27005: benefits and drawbacks
This cyber risk management standard comes with several advantages, one of the most remarkable being its adaptability to different kinds of structures. However, it lacks a prescriptive dimension in terms of risk analysis criteria.
Benefits of the ISO 27005 risk management method
Your organisation can benefit from the ISO/CEI 27005 standard in multiple ways:
- this method can be used on its own;
- your teams develop the required skills for structured cyber risk management;
- weaknesses and various threats to your organisation will be spotted;
- your organisation will begin to benefit from a resilient ISMS;
- the method can be adjusted to all structures, including organisations that constantly adapt to an ever-changing landscape;
- the confidence of your stakeholders will be boosted.
Drawbacks of ISO 27005
The main drawback of ISO 27005 remains its lack of a prescriptive aspect. When it comes to defining scope for risk management, the organisation is required to do everything independently, whether that is the scope of application of the ISMS or even the risk criteria. This approach is therefore only suitable for structures that wish to invest significant internal resources in developing their own methodology.
With regard to the contextualisation step of risk management, and more specifically to the establishment of risk assessment criteria, ISO suggests you opt for quantitative criteria. A quantitative approach is the whole purpose of a method like FAIR™ Analysis (Factor Analysis of Information Risk).
This risk analysis standard is based on statistical and mathematical evaluation methods to assess and rank risks, and it factors in financial consequences. It is a significant upgrade from the subjective approximations of qualitative risk assessment methods. It simplifies decision-making and the implementation of a more objective strategy, which will be directly tied to the reality of the risks your structure faces.
FAQ : ISO 27005
What is ISO 27005?
ISO 27005 is an international information security standard which provides a method and best practices for building an Information Security Management System (ISMS). It is designed to protect your structure from cyber threats and prevent the loss or corruption of sensitive data.
What is ISO 27005 used for?
ISO 27005 helps organisations protect their information systems in order to prevent critical data from being corrupted, deleted or stolen.
Are there any prerequisites for using ISO 27005?
You may want to have basic training in cybersecurity and check what you know about ISO 27001 compliance.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.