Everything you need to know about ISO 27005: summary, requirements, pros and cons

What is ISO 27005 about?

The exact title of ISO 27005 as presented on the ISO website is “Information technology — Security techniques — Information security risk management”. As such, this standard helps companies manage risks related to information security.

‍

ISO 27005, a definition

As its name suggests, ISO/IEC 27005 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). To be more specific, it supports information security based on a risk management approach. Unlike methods such as the NIST cybersecurity framework, this standard is subject to certification.

ISO 27005 is also based on the guidelines set out in ISO/IEC 27001 and ISO/IEC 27002. Originally published in June 2008 under the acronym ISO/IEC 27005:2008, it was reissued in 2011, and again in 2018. Our article will refer to this latest version.

‍

Here is a summary of the concepts featured in ISO 27005: chapters six to 12 develop an information systems risk management approach; chapter seven deals more specifically with risk analysis, which remains the backbone of a proper cybersecurity strategy; chapter eight focuses on risk assessment; and chapters nine to twelve detail how to implement a risk treatment strategy and how to follow it up.

‍

Who is the intended user of this ISO standard?

The International Organization for Standardization recommends the ISO 27005 standard to companies, but also to public establishments such as "government agencies" and to NPOs (non-profit organizations).

In practice, this information security standard is used to ensure data confidentiality and the availability and integrity of an organization’s key information assets. It is designed for all structures affected by cyber risks and by the continuous increase of data in their services.

‍

What is the exact purpose of the ISO/IEC 27005 standard?

It is designed to support the satisfactory implementation of information security based on a risk management approach. Employee training is generally required in order to help them develop the skills to carry out effective information security risk management processes. People trained in ISO 27005 are theoretically able to identify, analyze, measure, and treat risks.

‍

This standard also aims at helping your company set up an ISMS (Information Security Management System). An ISMS implies establishing cybersecurity processes and policies, while at the same time continuously improving risk management and taking into account human and technical factors during the process.

‍

To this end, the ISO 27005 standard follows a logic which is reminiscent of the PDCA (Plan, Do, Check, Act) methodology of continuous improvement:

• Plan: Identify and assess cyber risks, then reflect strategically on corresponding risk reduction measures;
• Do: Have these measures implemented;
• Check: Conduct a performance review;
• Act: Ensure monitoring and improvement of your risk treatment strategy.

What are the ISO 27005 training courses?

There are several certification courses for ISO 27005 training:

• ISO 27005 Foundation, which gives access to the PECB Certified ISO/CEI 27005 Foundation certification;
• ISO 27005 Certified Risk Manager with EBIOS. This training explores risk management from the EBIOS method perspective, culminating in two exams: PECB Certified ISO/CEI 27005 Risk Manager and PECB Certified EBIOS;
• ISO 27005 Certified Risk Manager with MEHARI, “harmonized risk analysis method”, developed by the CLUSIF in France;
• ISO 27005 Risk Manager of the ANSSI (French National Agency for Information Systems Security).