
What Is the Information Security Risk Management Process of ISO 27005?

Businesses undergoing ISO certification are probably aware of the 27000 series and its focus on comprehensive cybersecurity. What many organizations don’t know, however, is that the series itself provides guidelines for risk managers to better implement Information Security Management Systems (the core process of ISO 27001) following best risk management practices. 


What Is the Purpose of ISO 27005?

ISO 27005, “Security techniques – Information security risk management,” details some of the requirements and best practices for organizations looking to align their infrastructure with the tenets of the ISO 27000 series. 

ISO 27005 explicitly addresses two major areas of interest for these organizations:

More specifically, ISO 27005 focuses on how organizations may best implement an ISMS using risk management through a methodological process that includes considerations of the following factors:


What Are the Information Security Risk Management Processes?

At a high level, the process used in ISO 27005 is mapped out in another document, ISO 31000. It involves several steps, from establishing context through in-depth risk identification and risk management methodologies. More importantly, it structures these processes around an iterative model for continuous monitoring and optimization.

The core components of this process are as follows:


Context Establishment

At this stage, the organization starts gathering information about its operations and processes to inform the risk management model. Without this information, it’s difficult to claim that the organization’s ISMS can address real and pressing threats. 


Risk Identification

Following the context definition, the organization will then step into the overarching risk management portion of the process. At the identification stage, the organization determines what actions, or series of activities, could cause damage or loss to data, system integrity, or other operations. 


Risk Analysis

Once the organization has an overall schematic of risk (assets, controls, threats, and vulnerabilities), it can then begin to analyze risk to determine the “magnitude” of the consequences.


Risk Evaluation

At this stage, the organization should be able to combine its knowledge of its systems, the demands of its security obligations, the realities of the vulnerabilities and threats it faces, and the potential consequences should those threats be realized. 

Additionally, this stage assumes that the organization is well on its way to defining, measuring, and ranking concrete sources of risk within the organization, including its risk appetite. At this point, the organization should also be able to make decisions about which risks are acceptable and how risks impact its systems (and, in many cases, whether certain risks are worth addressing at all). 


Risk Treatment

Finally, any organization must have plans for the event that a risk becomes a real security incident or breach. “Treatment,” in this case, refers to how the organization will approach different security events from the perspectives of prevention or mitigation.


Monitoring and Review

At no point should an organization consider a risk profile as static. Systems, threats, and goals often change, sometimes daily, and a risk and security management system should be able to adjust. As such, ISO 27005 calls for these organizations to monitor and review all procedures and policies to inform the evolution of risk management analysis.
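As an added illustration (not from this article, and not code from ISO 27005 or Lazarus Alliance), the analysis, evaluation, treatment and review steps above as a small Python risk register. The qualitative scales, the register entries, the risk appetite and the planned control are all constructed assumptions, and the likelihood × impact product is one common analysis method, not one the standard prescribes.

```python
from dataclasses import dataclass, field

# Qualitative scales assumed for this example; ISO 27005 leaves the choice
# of analysis method and scales to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    """One register entry from the identification stage."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def analyze(self) -> int:
        """Risk analysis: magnitude as likelihood x impact on the scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def evaluate(risk: Risk, appetite: int) -> str:
    """Risk evaluation: accept if the level is within the stated risk appetite."""
    return "accept" if risk.analyze() <= appetite else "treat"

def treat(risk: Risk, control: str, new_likelihood: str) -> Risk:
    """Risk treatment by modification: record a control and the likelihood
    the organization expects once that control is in place."""
    risk.controls.append(control)
    risk.likelihood = new_likelihood
    return risk

def run_cycle(appetite: int = 8) -> dict:
    """One pass of analyze -> evaluate -> treat -> review over a constructed register."""
    register = [  # constructed sample entries, not real findings
        Risk("customer database", "credential theft", "no MFA on admin accounts", "likely", "major"),
        Risk("public website", "defacement", "outdated CMS plugin", "possible", "minor"),
    ]
    planned = {"customer database": ("enforce MFA for admins", "unlikely")}  # assumed control
    outcome = {}
    for r in register:
        before = (r.analyze(), evaluate(r, appetite))
        if before[1] == "treat" and r.asset in planned:
            treat(r, *planned[r.asset])
        # Review: re-analyze after treatment so the register never stays static.
        outcome[r.asset] = {"before": before, "after": (r.analyze(), evaluate(r, appetite))}
    return outcome
```

Running `run_cycle()` shows the database risk dropping from 16 ("treat") to 8 ("accept") once the assumed MFA control is recorded, while the website risk stays at 6 and is accepted in both passes.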


Get Your ISMS Up to Speed With ISO 27005 and Lazarus Alliance

Getting certified under ISO 27001 is a long and arduous process, and implementing effective ISMS systems presents a challenge often beyond the capabilities of businesses that aren’t versed in cybersecurity. 

As a committed and experienced partner for organizations seeking ISO 27001 certification, we support organizations working on developing comprehensive security infrastructure, and a major part of this is working with ISO 27005. Our team and our tools can help get your infrastructure in line and keep it there. 
