ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management (3rd edition)
The ISO27k standards encourage organizations to assess the risks to their information (referred to in the standards as “information security risks”, although they are in reality simply information risks) before deciding how to address them. From a practical implementation and management perspective, the most significant information risks should be addressed first.
Scope of this standard
The standard provides guidelines for information security risk management, complementing ISO/IEC 27001 and assisting organizations in managing information security on a risk basis.
It mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in its content and identifies ISO/IEC 27000 as a normative (essential) standard. The bibliography includes references to NIST standards.
The standard’s content
Although it is a substantial document at 66 pages, many of those pages are annexes giving additional details and examples.
The standard does not specify, recommend or even name a particular risk management method. It does however describe a continual process comprising a series of activities that are iterated in various sequences:
– Establish the context for risk management (e.g. the scope, compliance obligations, the methods or approaches to be used, and the applicable policies and criteria, including the organization’s level of risk tolerance);
– Quantitatively or qualitatively assess (i.e. identify, evaluate and take account of) the risks associated with information, using the information assets, threats, controls and vulnerabilities to estimate the probability of incidents and the resulting business impacts, thereby measuring the level of risk;
– Treat the risks appropriately (i.e. modify them by applying information security controls, retain them, avoid them, or share them with third parties), prioritizing the treatment according to the levels of risk;
– Keep stakeholders informed throughout; and
– Keep the risks and their treatments under review on an ongoing basis, identifying and responding to significant changes as they emerge.
The annexes provide additional details, including examples demonstrating the recommended approach.
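The following is an added illustration of the cycle just listed (establish criteria, assess, prioritize, treat, re-assess the residual risk), not code from the standard or from this page’s author. ISO/IEC 27005 prescribes no particular method, so the 5x5 ordinal scales, the tolerance and avoidance thresholds, the rule for choosing between retain/modify/share/avoid, and the sample register entries are all constructed assumptions for the example.

```python
# Added illustration of a risk register driven by context criteria.
# ISO/IEC 27005 does not prescribe a method; scales, thresholds, treatment
# rules and sample risks below are constructed assumptions, not standard text.
from dataclasses import dataclass, field

# Ordinal scales: list position + 1 is the score used to compute the risk level.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]


@dataclass
class Context:
    """Risk criteria fixed during context establishment (assumed values)."""
    tolerance: int        # level at or below which the risk is simply retained
    avoid_threshold: int  # level above which controls alone are not acceptable


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)
    treatment: str = "undecided"

    def level(self) -> int:
        """Qualitative risk level = likelihood score x impact score (1..25)."""
        return (LIKELIHOOD.index(self.likelihood) + 1) * (IMPACT.index(self.impact) + 1)


def decide_treatment(risk: Risk, ctx: Context) -> str:
    """Choose one of the four treatment options using the context criteria."""
    level = risk.level()
    if level <= ctx.tolerance:
        return "retain"   # within tolerance: accept knowingly, keep monitoring
    if level > ctx.avoid_threshold:
        return "avoid"    # stop or redesign the activity that carries the risk
    if IMPACT.index(risk.impact) >= 3 and LIKELIHOOD.index(risk.likelihood) <= 1:
        return "share"    # rare but severe: insurance or contractual transfer
    return "modify"       # apply information security controls


def apply_control(risk: Risk, control: str, likelihood_steps: int = 0, impact_steps: int = 0) -> int:
    """Record a control that lowers likelihood and/or impact; return the residual level."""
    l_idx = max(0, LIKELIHOOD.index(risk.likelihood) - likelihood_steps)
    i_idx = max(0, IMPACT.index(risk.impact) - impact_steps)
    risk.likelihood, risk.impact = LIKELIHOOD[l_idx], IMPACT[i_idx]
    risk.controls.append(control)
    return risk.level()


def prioritize(register: list) -> list:
    """Highest level first, so the most significant risks are addressed first."""
    return sorted(register, key=lambda r: r.level(), reverse=True)


def run_cycle(register: list, ctx: Context) -> list:
    """Assess, prioritize and assign a treatment; return (asset, level, treatment) tuples."""
    out = []
    for r in prioritize(register):
        r.treatment = decide_treatment(r, ctx)
        out.append((r.asset, r.level(), r.treatment))
    return out


def build_sample_register() -> list:
    """Constructed sample entries, not drawn from any real organization."""
    return [
        Risk("customer database", "ransomware", "unpatched servers", "likely", "major"),
        Risk("staff laptops", "theft", "no disk encryption", "possible", "moderate"),
        Risk("legacy card terminal", "card data breach", "unsupported firmware", "almost certain", "severe"),
        Risk("HQ data centre", "flood", "single site", "rare", "severe"),
        Risk("staff directory", "disclosure", "left on shared printer", "unlikely", "negligible"),
    ]


if __name__ == "__main__":
    ctx = Context(tolerance=4, avoid_threshold=20)
    register = build_sample_register()
    for asset, level, treatment in run_cycle(register, ctx):
        print(f"{level:2d}  {treatment:7s} {asset}")
    # Treat one "modify" risk, then check the residual level against the tolerance.
    db = register[0]
    residual = apply_control(db, "patching + offline backups", likelihood_steps=2, impact_steps=1)
    verdict = "accept" if residual <= ctx.tolerance else "needs further treatment"
    print(f"residual for {db.asset}: {residual} ({verdict})")
```

The point the run makes is the last step: after a control is applied the residual level for the database risk (6) is still above the assumed tolerance (4), so the loop has to go round again, either with further treatment or with an explicit, recorded acceptance by the risk owner.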
The standard’s status
The first (2008) and second (2011) editions are now ancient history.
The third edition of ISO/IEC 27005 was published in 2018 as a temporary stopgap with very few changes, e.g. updating the references to the 2013 edition of ISO/IEC 27001.
A project to revise/rewrite the third edition failed and was cancelled, but has since been restarted, and the fourth edition of 27005 is currently being developed. We expect the fourth edition of ISO/IEC 27005 to be published alongside the next release of ISO/IEC 27001, which will incorporate updates to the ISMS requirements that are still to be determined. The fourth edition is currently at the second committee draft stage, with the title “Information security, cybersecurity and privacy protection – Guidance on managing information security risks” and the following new scope:
This document offers guidance to aid organizations in:
a) compliance with ISO/IEC 27001 requirements regarding risk mitigation actions, including the assessment and treatment of information security risks, and
b) managing risks relating to information security.
Progress is being made on the revision, although the problematic background clause needs a rewrite. The fourth edition is due to be published by the end of 2022.
Read the ISO27k FAQ for more information on selecting appropriate methods and management tools for information risk analysis.
The following are the main clauses likely to appear in the draft fourth edition:
– Risks relating to the outcome(s) of the ISMS – I am unsure of what this clause will specify.
– Information security risk management – explains how to identify, evaluate, treat, monitor/manage and mitigate information security risks according to ISO27k.
– Context establishment – clarifies whether this standard, and clause 6 of ISO/IEC 27001, applies to information [security] risks, ISMS risks, or both. This lengthy clause also gives detailed instructions on defining objectives and determining criteria for managing information [security] risks. It may overlap with ‘context’ in the sense of managing information risks within the organizational or business context, which is what ISO/IEC 27001 means by the term.
– Information security risk assessment process – this clause describes how to systematically identify, analyze, evaluate and prioritize information [security] risks.
– Information security risk treatment process – describes how to treat information [security] risks, primarily by using information security controls, although other treatment approaches are also outlined. Annex A of ISO/IEC 27001 is described as a partial set of potentially useful controls that should be evaluated to determine their relevance to each of the information [security] risks to be mitigated.
– Operation – this clause says that we should review our information security risk management procedures and treatments at regular intervals.
– Leveraging related ISMS processes – this clause essentially repeats and elaborates on ISO/IEC 27001, similarly providing implementation advice to ISO/IEC 27003. The reason it is to be included in ISO/IEC 27005 is unclear to me.
SC 27 has missed a golden opportunity to reframe the standard around information risk management, by defining ‘information risk’ as “risk associated with information” in place of the undefined and unhelpful term ‘information security risk’. Since ISO27k is supposed to be a risk-based management approach, identifying, evaluating and managing information risks is crucial.
The standard could have been useful in several ways, for example:
1. Start by explaining the concept of “information risk”, first formally (properly) and then in plain, accessible terms;
2. Provide an overview of the organizational/business context in which information risk management operates – what it entails, how it is related to other types of risk management, and how it supports corporate management and governance;
3. Describe the main risk management steps as follows:
– Explain each of those activities in greater depth, and provide pragmatic advice on how to implement them (e.g. the four basic risk management methods; how to measure, assess and compare risks; how to recognize and predict changes with the aid of trends, statistics and situational awareness);
– Explain the process management and governance elements, such as setting goals and objectives, planning and allocating resources, gathering information and documents, reviewing and authorizing the work, etc.
– Identify related concepts and the relevant standards that link to them, for example:
a. Conscious and deliberate reasons to take risks – the upsides or opportunities that can be gained;
b. The concept of information [risk] ownership, combined with accountability and responsibility;
c. IT-related risks – such as those connected with networks, applications, data, coding, and technology;
d. Non-IT/non-cyber risks, such as those related to people, intellectual property, tangible assets, and compliance;
e. Utilizing information security controls to mitigate information risks where appropriate (it is important to note that security controls are not always necessary, despite what infosec professionals often think);
f. Cyber insurance and business continuity management;
g. Cloud technologies, supplier/partner/customer relationship management, and the societal and social risks involved with information technology.
4. Annexes with information on different methods, systems and approaches to risk management, risk assessment, risk analysis, risk treatment, etc., including those from other disciplines, such as safety, technology and innovation risks, relationship risks, project risks, financial risks, etc.
Furthermore, it has been suggested (by British Standards) that ISO/IEC 27005 should largely be replaced by BS7799-3:2017, which would be more expedient and return ISO27k to its roots.