ISO 27005

ISO 27005: everything you need to know if you consider implementing it

Everything you need to know about the international standard ISO 27005: Official definition, summary, methodology, advantages and limitations.

Published on 3 March 2022 (Updated on 3 March 2022)

ISO 27005 is an international standard which is essential in the field of information technology risk management. It helps organisations rationalise sensitive data protection and anticipate the consequences of cyberattacks and cybercrimes. As a renowned international certification, ISO 27005 was particularly used in 2021, a year during which companies had to deal with more and more complex cyber risks. How does this ISO standard work? Who is it for? How to train for it? What are its possible limitations?

What is ISO 27005 about?

The exact title of ISO 27005 as presented on the ISO website is “Information technology — Security techniques — Information security risk management”. This standard therefore helps your company manage risks related to information security.

ISO 27005, a definition

As its name suggests, ISO/IEC 27005 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). To be more specific, it supports information security based on a risk management approach. Unlike methods such as the NIST cybersecurity framework, this standard is subject to certification.

ISO 27005 is also based on the guidelines set out in ISO/IEC 27001 and ISO/IEC 27002. Originally published in June 2008 under the acronym ISO/IEC 27005:2008, it was reissued in 2011, then in 2018. Our article refers to this latest version.

To sum up the concepts featured in ISO 27005: chapters 6 to 12 develop an information systems risk management approach; chapter 7 deals more specifically with risk analysis, which remains the backbone of a proper cybersecurity strategy; chapter 8 focuses on risk assessment; chapters 9 to 12 detail how to implement a risk treatment strategy as well as how to follow it up.

Who is this ISO standard intended for?

The International Organization for Standardization recommends the ISO 27005 standard to companies, but also to public establishments such as "government agencies" and to NPOs, non-profit organisations.

In practice, this information security standard is used to ensure data confidentiality but also availability and integrity of the organisation’s key information assets. It is designed for all structures concerned by cyber risks and by the continuous increase of data in their services.

What is the exact purpose of ISO/IEC 27005 standard?

It is designed to support the satisfactory implementation of information security based on a risk management approach. This is why training your employees is required, it will make them develop the skills to carry out effective information security risk management processes. People trained in ISO 27005 are theoretically able to identify, analyse, measure and treat risks.

This standard also aims at helping your company set up an ISMS – Information Security Management System. An ISMS implies establishing cybersecurity processes and policies and at the same time, continuously improving risk management. You are supposed to take into account human and technical factors during this process.

To this end, the ISO 27005 standard follows a logic which is reminiscent of the PDCA (Plan, Do, Check, Act) methodology of continuous improvement:

  • Plan : Identify and assess cyber risks, then have a strategic reflection on the corresponding risk reduction measures;
  • Do : Have these measures implemented;
  • Check : Conduct a performance review;
  • Act : Ensure monitoring and improvement of your risk treatment strategy.

What are the ISO 27005 training courses?

There are several certification courses for ISO 27005 training:

  • ISO 27005 Foundation, which gives access to the PECB Certified ISO/CEI 27005 Foundation certification;
  • ISO 27005 Certified Risk Manager with EBIOS: this training views risk management from the EBIOS method perspective. It ends up with two exams: PECB Certified ISO/CEI 27005 Risk Manager and PECB Certified EBIOS;
  • ISO 27005 Certified Risk Manager with MEHARI, “harmonised risk analysis method”, developed by the CLUSIF in France;
  • ISO 27005 Risk Manager of the ANSSI (French National Agency for Information Systems Security).
ISO 27005 certification requires passing an exam

How does ISO 27005 work?

This international standard includes more than 20 pages of information security risk management approaches. Broadly speaking though, the document supports the general concepts of the methodology through 4 main steps:

1 / Contextualisation of risk management

Risk analysis contextualisation consists in determining where risk management starts and where it ends. This is also now the time to set up a series of criteria:

  • assessment criteria help you identify the assets threatened by cyber risks and the thresholds above which the risks must be dealt with;
  • impact criteria correspond to the minimum level of consequences above which a risk needs to be taken under consideration;
  • risk acceptance criteria represent a threshold below which the risk can be tolerated.

2 / Risk assessment

During this step, you will first of all determine the elements at risk: the organisation as a whole, but also the information systems, services and data groups. Then you will need to pinpoint the threats and vulnerabilities revolving around these elements.

After that, ISO 27005 requires you to match those threats and their occurrences with the security needs of your structure. This entire process should help you rank priorities according to the assessment criteria you defined in step 1.

While the ISO 27005 standard helps identify cybersecurity vulnerabilities, it does not however provide for a risk rating scale. The team in charge of applying the standard must build an evaluation system of their own. This system can rely on qualitative or quantitative estimation methods, the latter being based on measurable costs. In practice, for lack of ISO standard prescription, analyses tend to end up qualitative more often than not.

Risk Management ISO 27005

3 / Risk treatment strategy

During this step, your structure needs to set IT security goals while keeping in mind the results obtained during step 2. Once those goals are set, you are able to draft your specifications, which should help design measures to treat risks.

In ISO 27005 conceptualising these measures means comparing a risk with its treatment cost. Four possibilities then emerge:

  • refusal or avoidance: your organisation deems the cyber risk too serious and state that it must be avoided at all costs. Then, you may decide to put a stop to the activity likely to cause it;
  • transfer: your structure shares the risk with a third party - insurance or cybersecurity subcontractor - capable of protecting it from the risk, at least financially;
  • mitigation: you design measures to mitigate the impact or the probability of occurrence of a risk in order to make it more tolerable;
  • conservation: the risk is considered bearable and not enough of a threat, your structure chooses not to address it.

Each option involves a residual risk, which must be systematically assessed.

4 / “Risk acceptance”

The risk treatment strategy and the residual risks need to go through the “acceptance” step which means, in practice, that the entire treatment plan has to be greenlit by senior management. During this step, the general management heads may question costs they think are too high, they might also consider accepting certain risks. These exceptions have to be justified.

While the ISO 27005 methodology theoretically ends here, you should however keep in mind that all the work your organisation has done to implement it can be used as part of a monitoring and review procedure. It provides a history of the risks you have identified, the scenarios you have imagined, the risk analysis you have performed and the treatment strategies you have set up. This methodology, of course, should be repeated if threats and vulnerabilities were to evolve. This work can also serve as a support for communication with your stakeholders.

ISO/IEC 27005 is a certified training

ISO 27005: benefits and drawbacks

This cyber risk management standard comes with several advantages, one of the most remarkable being its adaptability to different kinds of structures. However, it lacks a prescriptive dimension in terms of risk analysis criteria.

Benefits of the ISO 27005 risk management method

Your organisation can benefit from the ISO/CEI 27005 standard in multiple ways:

  • This method can be used on its own;
  • your teams develop the required skills for a structured cyber risk management;
  • weaknesses and various threats to your organisation will be spotted;
  • Your organisation will end up with a resilient ISMS;
  • the method can be adapted to all structures, including organisations which evolve in an ever shifting context;
  • the confidence of your stakeholders will be boosted.

Drawbacks of ISO 27005

The main drawback of ISO 27005 remains its lack of a prescriptive aspect. When it comes to defining a risk management context, the organisation has to do everything on its own, be it the scope of application of the ISMS or even the risk criteria. This approach is therefore only suitable for structures wishing to develop their own methodology, at the cost of significant internal resources.

With regard to the contextualisation step of risk management and more specifically to the establishment of risk assessment criteria, ISO suggests you opt for quantitative criteria. A quantitative approach is the whole purpose of a method like FAIR Analysis, Factor Analysis of Information Risk.

This risk analysis standard is based on statistical and mathematical evaluation methods to assess and rank risks, factoring in financial consequences. It is a significant upgrade from the subjective approximations of qualitative risk assessment methods. It helps decision-making as well as setting up a more objective strategy which will be directly tied to the reality of the risks your structure incurs.

ISO 27005 vise la sécurité du SI


ISO 27005 is an international information security standard which provides a method and best practices for building an Information Security Management System (ISMS). It is designed to protect your structure from cyber threats and prevent the loss or corruption of sensitive data.

ISO 27005 helps organisations protect their information systems in order to prevent critical data from being corrupted, deleted or stolen.

You may want to have a basic training in cybersecurity and check what you know about ISO 27001 compliance.