ISO 27005 is an essential international standard in the field of information technology risk management. It helps organisations to rationalise sensitive data protection and anticipate the consequences of cyberattacks and cybercrimes. As a renowned international certification, ISO 27005 was widely used in 2021, a year during which companies had to deal with increasingly complex cyber risks. How does this ISO standard work? Who is it for? How can you train for it? And what are its possible limitations?
The exact title of ISO 27005 as presented on the ISO website is “Information technology — Security techniques — Information security risk management”. As such, this standard helps companies manage risks related to information security.
As its name suggests, ISO/IEC 27005 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). To be more specific, it supports information security based on a risk management approach. Unlike methods such as the NIST cybersecurity framework, this standard is subject to certification.
ISO 27005 is also based on the guidelines set out in ISO/IEC 27001 and ISO/IEC 27002. Originally published in June 2008 under the reference ISO/IEC 27005:2008, it was reissued in 2011, and again in 2018. Our article will refer to this latest version.
Here is a summary of the concepts featured in ISO 27005: chapters 6 to 12 develop an information systems risk management approach; chapter 7 deals more specifically with risk analysis, which remains the backbone of a proper cybersecurity strategy; chapter 8 focuses on risk assessment; and chapters 9 to 12 detail how to implement a risk treatment strategy and how to follow it up.
The International Organization for Standardization recommends the ISO 27005 standard to companies, but also to public establishments such as "government agencies" and to NPOs (non-profit organisations).
In practice, this information security standard is used to ensure data confidentiality and the availability and integrity of an organisation’s key information assets. It is designed for all structures affected by cyber risks and by the continuous increase of data in their services.
It is designed to support the satisfactory implementation of information security based on a risk management approach. Employee training is generally required in order to help them develop the skills to carry out effective information security risk management processes. People trained in ISO 27005 are theoretically able to identify, analyse, measure, and treat risks.
This standard also aims at helping your company set up an ISMS (Information Security Management System). An ISMS implies establishing cybersecurity processes and policies, while at the same time continuously improving risk management and taking into account human and technical factors during the process.
To this end, the ISO 27005 standard follows a logic which is reminiscent of the PDCA (Plan, Do, Check, Act) methodology of continuous improvement:
There are several certification courses for ISO 27005 training:
This international standard includes more than 20 pages of information security risk management approaches. Broadly speaking, though, the document supports the general concepts of the methodology through four main steps:
Risk analysis contextualisation consists of determining where risk management starts and where it ends. This is also the time to set up a series of criteria:
During this step, you will first determine the elements at risk: the organisation as a whole, but also information systems, services, and data groups. Next, you will need to pinpoint the threats and vulnerabilities revolving around these elements.
After that, ISO 27005 requires you to match those threats and their occurrences with the security needs of your structure. This entire process should help you rank priorities according to the assessment criteria you defined in step one.
While the ISO 27005 standard helps identify cybersecurity vulnerabilities, it does not provide a risk rating scale. The team in charge of applying the standard must build an evaluation system of their own. This system can rely on qualitative or quantitative estimation methods, the latter being based on measurable costs. In practice, because the standard prescribes no scale, analyses tend to end up qualitative more often than not.
During this step, your structure needs to set IT security goals while keeping in mind the results obtained during step two. Once those goals are set, you may then draft your specifications, which should help design measures for treating risks.
In ISO 27005, conceptualising these measures means comparing a risk with its treatment cost. Four possibilities then emerge:
Each option involves a residual risk, which must be systematically assessed.
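To make the comparison of a risk with its treatment cost, and the residual-risk assessment that follows it, concrete, here is an added example in Python (not from the standard, and not FAIR tooling) using a simple annual-loss-expectancy model on constructed figures; the scenarios, treatments and the risk-appetite threshold are assumptions for illustration, and the same model covers the quantitative estimation described in the assessment step.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # estimated frequency of the loss event
    loss_per_event: float   # estimated cost of one occurrence, in currency units

@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: float       # yearly cost of running the measure
    frequency_factor: float  # share of events that still occur after treatment (0..1)
    loss_factor: float       # share of per-event loss that remains after treatment (0..1)

def annual_loss_expectancy(s: Scenario) -> float:
    """Quantitative risk estimate: expected loss per year before treatment."""
    return s.events_per_year * s.loss_per_event

def residual_risk(s: Scenario, t: Treatment) -> float:
    """Expected yearly loss that remains once the treatment is in place."""
    return annual_loss_expectancy(s) * t.frequency_factor * t.loss_factor

def net_benefit(s: Scenario, t: Treatment) -> float:
    """Risk removed by the treatment minus what the treatment costs each year."""
    return annual_loss_expectancy(s) - residual_risk(s, t) - t.annual_cost

def decide(s: Scenario, t: Treatment, risk_appetite: float) -> str:
    """Compare the risk with its treatment cost: 'treat' when the measure saves more
    than it costs; otherwise 'retain' if the untreated risk is within appetite, or
    'escalate' if it exceeds appetite, since keeping it then needs explicit sign-off
    by senior management at the acceptance stage."""
    if net_benefit(s, t) > 0:
        return "treat"
    if annual_loss_expectancy(s) <= risk_appetite:
        return "retain"
    return "escalate"

def rank_by_risk(scenarios: list) -> list:
    """Scenario names ordered by expected annual loss, highest first."""
    return [s.name for s in sorted(scenarios, key=annual_loss_expectancy, reverse=True)]

# Constructed sample register: three scenarios, each with one candidate treatment.
RANSOMWARE = Scenario("ransomware on file servers", 0.2, 500_000)
LAPTOP = Scenario("lost or stolen laptop", 2.0, 3_000)
INSIDER = Scenario("insider data exfiltration", 0.05, 1_600_000)
BACKUPS = Treatment("offline backups", 20_000, 1.0, 0.25)
ENCRYPTION = Treatment("full-disk encryption", 8_000, 1.0, 0.25)
DLP = Treatment("data loss prevention tooling", 150_000, 0.5, 0.5)
RISK_APPETITE = 10_000  # assumed threshold, set during the contextualisation step
```

Running `decide` over each pair yields "treat" for the ransomware scenario, "retain" for the laptop scenario and "escalate" for the insider scenario, which is exactly the kind of justified exception the acceptance stage must record.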
The risk treatment strategy and residual risks need to go through an “acceptance” stage, which means, in practice, that the entire treatment plan has to be given the green light by senior management. During this step, heads of departments may question costs that they think are too high, or consider accepting certain risks. These exceptions should be justified.
The ISO 27005 methodology theoretically ends here, though you should keep in mind that all the work your organisation has done to implement it can be used as part of a monitoring and review procedure. It provides a history of the risks you have identified, the scenarios you have imagined, the risk analysis you have performed, and the treatment strategies you have set up. Of course, this methodology should be repeated if threats and vulnerabilities were to evolve. This work can also serve as a support for communication with your stakeholders.
This cyber risk management standard comes with several advantages, one of the most remarkable being its adaptability to different kinds of structures. However, it lacks a prescriptive dimension in terms of risk analysis criteria.
Your organisation can benefit from the ISO/IEC 27005 standard in multiple ways:
The main drawback of ISO 27005 remains its lack of a prescriptive aspect. When it comes to defining scope for risk management, the organisation is required to do everything independently, whether that is the scope of application of the ISMS or even the risk criteria. This approach is therefore only suitable for structures that wish to invest significant internal resources in developing their own methodology.
With regard to the contextualisation step of risk management, and more specifically to the establishment of risk assessment criteria, ISO suggests you opt for quantitative criteria. A quantitative approach is the whole purpose of a method like FAIR™ Analysis (Factor Analysis of Information Risk).
This risk analysis standard is based on statistical and mathematical evaluation methods to assess and rank risks, and it factors in financial consequences. It is a significant upgrade from the subjective approximations of qualitative risk assessment methods. It simplifies decision-making and the implementation of a more objective strategy, which will be directly tied to the reality of the risks your structure faces.
ISO 27005 is an international information security standard which provides a method and best practices for building an Information Security Management System (ISMS). It is designed to protect your structure from cyber threats and prevent the loss or corruption of sensitive data.
ISO 27005 helps organisations protect their information systems in order to prevent critical data from being corrupted, deleted or stolen.