Security teams take an average of 287 days to identify and contain a data breach. With the increase of cyber threats this is no longer sustainable. You want your organisation to have robust information security processes to protect information assets and intellectual property.
And ISO 27005 can help you get there.
Read all you need to know about ISO 27005, how it contributes to your information security risk management, and how it's interlinked with ISO 27001.
In this blog post, we'll cover:
- What is ISO 27005?
- How does ISO 27005 help with information security risk management?
- How does ISO 27005 align with ISO 27001?
- What is the ISO 27005 risk management process?
- How can ISO 27005 benefit your organisation?
- Become ISO 27005 compliant
What is ISO 27005?
ISO 27005 is an international standard for managing information security risks. It helps organisations identify, assess, and handle risks to keep their information safe. This standard complements ISO 27001 by focusing on risk management, which is essential for protecting data from threats. The standard is useful for any organisation looking to strengthen its cybersecurity.
Organisations of any size and in any sector can follow ISO 27005. For this reason, the ISO 27005 standard doesn't set a strict path for compliance. Instead, it proposes recommended practices. These practices are compatible with a typical Information Security Management System (ISMS).
ISO 27005 provides guidelines for procedures that are essential for an ISMS. These procedures include identifying, assessing, evaluating, and treating information security vulnerabilities. Following ISO 27005 helps organisations handle security controls and other measures better.
How does ISO 27005 help with information security risk management?
ISO 27005 can help your organisation conduct a more accurate information security risk assessment based on which you can improve your ISMS.
Information security risk management is identifying and mitigating risks related to information technology. It's a continual process that includes:
- Identifying and assessing risk
- Understanding the likelihood of risk and its consequences
- Establishing a ranked order for risk treatment
- Involving stakeholders in risk management decisions
- Monitoring the effectiveness of risk mitigation
- Educating stakeholders about risks and mitigation actions
Risks can potentially affect an organisation's confidentiality, reputation, and asset availability. Information security risk management can't stop all risks. But it helps organisations define and maintain an appropriate level of risk. Organisations should manage risk in line with their risk tolerance.
ISO 27005 defines best practices for information security risk management. It defines consistent processes within a broader framework. Implementing these processes helps organisations handle risks more reliably and more effectively.
How does ISO 27005 align with ISO 27001?
The ISO 27000 series is a set of standards that addresses information security. ISO 27005 helps organisations follow ISO 27001. That is why even though ISO 27005 is not particularly well known, many companies may have already implemented it by means of following ISO 27001.
What is ISO 27001?
ISO 27001 is the leading international standard for information security. It guides organisations in protecting their information in a systematic and cost-effective way. It promotes adopting an ISMS.
ISO 27001 certification requires an organisation to prove aspects of risk management, including:
- Evidence of information security risk management
- Risk actions taken
- Application of relevant controls from Annex A
Annex A contains reference control objectives and controls. The controls help an organisation structure its ISMS and meet ISO 27001 requirements.
The connection between ISO 27005 and ISO 27001
Risk assessments are one of the most important parts of complying with ISO 27001. ISO 27005 gives guidance on identifying, assessing, evaluating, and treating information security vulnerabilities. These procedures are key for an ISO 27001 information security management system.
ISO 27001 requires that controls applied as part of an ISMS be risk-based. Implementing an ISO 27005 information security risk management plan fulfils this rule.
What is the ISO 27005 risk management process?
ISO 27005 doesn't specify a particular risk management method. It promotes a continual process based on seven components. These steps overlap somewhat in their application.
Each main phase of the process has four steps:
- Input, which covers the information necessary to do an activity
- Action, which defines the activity
- Implementation guidance, which gives more details
- Output, which describes what information the activity should have generated
This structure provides the right information to start each risk management activity. Here they are in more detail.
Establish context
The first step for risk management with ISO 27005 is establishing the context. This step should define the organisation's risk evaluation criteria and risk acceptance criteria. ISO 27005 provides criteria for defining context according to factors such as:
- Identifying risks
- Determining who handles risk ownership
- Determining how risks affect the confidentiality, integrity, and availability of information
- Calculating the probability and effects of risks
Establishing the context for risk assessment is important. It helps ensure that the entire organisation does assessments the same way.
Define the risk estimation method
Defining risk management processes includes deciding which type of assessments to use. Quantitative or qualitative assessments are possible.
Quantitative measurement has the disadvantage of relying on historical data. Managing new risks is a more important goal for risk management.
Qualitative measurement is, by nature, a form of estimation. It can be accurate within defined boundaries, though. For example, terms like "high" or "low" to measure the consequences of risk are too vague.
A more useful qualitative scale for risk impacts might include categories such as:
- Total asset destruction
- Loss of most of an asset
- Loss of some of an asset
- Minor loss
This type of measurement will produce a more evidence-based and accurate process.
Conduct risk assessment
The risk assessment process includes risk identification, estimation, and evaluation. Many organisations use an asset-based risk assessment process. Risk identification includes:
- Inventory of information assets
- Identification of threats and vulnerabilities that could impact each asset
- Consequences of those risks for the organisation
Furthermore, risk estimation evaluates the likelihood of risks and their impacts. It then compares the level of risk against the risk acceptance criteria. The context establishment step defined the risk acceptance criteria. Then, the risk assessor can prioritise the list of risks to address the most serious risks first.
Pick your risk treatment
Risk treatment involves deciding on the proper risk mitigation strategy. Four responses to risk are possible:
- Avoid the risk by eliminating it
- Reduce the risk by using security controls
- Transfer the risk to a third party through insurance or outsourcing
- Tolerate the risk and take no action
Tolerating risk is the best option when the costs of treating the risk outweigh the benefits. This is often the case when the likelihood of the risk occurring is very small.
Decide on risk acceptance
It will never be possible to make your organisation 100% secure against any threats to information security. The goal is to align your individual risk tolerance with the measures you take towards information security.
Establishing your own criteria for risk acceptance should take into account factors like:
- Current strategies
- Business priorities
- Goals and objectives
- Stakeholder interests
Senior management then needs to approve the ISO 27005 risk assessment and treatment plan. Documentation of the ISO 27005 process can inform communication with stakeholders. Documentation of the work up to this point is very important. It lets auditors see the methods for identifying, assessing, and mitigating risk. It serves as a reference for future use.
Ensure risk communication and consultation
Effective communication about the information security risk management process is critical. The people who will put the plan in place need to understand why its provisions are necessary. Decision-makers and other stakeholders can agree more easily on how to manage risk.
Communication about risk management must be ongoing. Organisations need a communication plan for emergencies as well as normal operations.
Monitor risks and review
Risks can change suddenly and without warning. Continual monitoring is necessary. Monitoring helps an organisation quickly identify changes. The organisation can update the risk treatment plan as needed. Monitoring should include factors like:
- New assets
- Changes in asset values
- New internal or external threats
- Information security incidents
Monitoring also checks whether the organisation's risk treatment plan is working properly. Information security risk management is an ongoing process that needs active engagement.
How can ISO 27005 benefit your organisation?
- ISO 27005 is a flexible standard and can, therefore, be adapted to your industry, business model and size.
- ISO 27005 lets an organisation choose its own risk management approach. The organisation's individual circumstances inform this choice.
- The ISO 27005 method can stand on its own. It can also support compliance with ISO 27001. Following ISO 27005, your organisation will have a more resilient ISMS.
- Following ISO 27005 helps your teams develop expertise and experience. They can create a more effective information security risk management process. It shows that you can prioritise risks. You work proactively to mitigate their impacts.
- Compliance with ISO 27005 gives an organisation a competitive edge. It demonstrates to clients that you're serious about information security. Customers can be more confident that their data is safe with you.
Become ISO 27005 compliant
ISO 27005 can improve information security risk management for your organisation. Following ISO 27005 will help you develop a better information security management system. You can then follow ISO 27001 more easily.
Hear more about ISO 27005 risk management and its integral link to ISO 27001. Contact us to find out how the DataGuard ISO 27001 certification solution can help your organisation manage risks and comply with the latest industry standards for optimal security.
ISO 27001 Risk Management: Your 5-Step Guide
Feeling overwhelmed by ISO 27001's risk management requirements? Our comprehensive guide is designed to streamline your understanding of the standard's critical steps. It provides a detailed overview of the five key stages.
Download your free guide