Search in ISMS Guides

Google
 

Thursday, July 3, 2008

ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management

This standard was published in June 2008.

“ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.”

ISO/IEC 27005 revises the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 plus ISO/IEC TR 13335-4:2000.
Some personal comments on ’27005

[These are just my personal perspective. They inevitably reflect my own prejudices and limited experience with information security risk management.]

At around 60 sides, ISO/IEC 27005 is a heavyweight standard although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.

Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize. Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation. It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts.

The standard includes a section and annex on defining the scope and boundaries of information security risk management which should, I guess, be no less than the scope of the ISMS.

The standard deliberately remains agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural - 'methods' - the implication being that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention.

The steps in the process are (mostly) defined to the level of inputs -> actions -> outputs, with additional “implementation guidance” in similar style to ISO/IEC 27002.

The standard incorporates some iterative elements e.g. if the results of an assessment are unsatisfactory, you loop-back to the inputs and have another run through. For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -> risk treatment -> residual risk bit.

From:iso27001security.com

20 comments:

Joshua said...

For five years, our company has benefited a lot from ISO certification 9001. It has been helpful to assure that our systems are working with fewer errors. Moreover, ISO allows us to have an image that easily earns public trust. Thanks for sharing. Please keep us updated.

iso27001consultant said...

Very good post, I was really searching for this topic, as I wanted this topic to understand completely and it is also very rare in internet, that is why it was very difficult to understand.
Information Security Management System

Unknown said...

yes, the security servicing companies can get this ISO certificate to grow there business.

ISO Certification Service Providers in India

Green TQM said...

Really useful stuff. Keep on posting more related topics like ISO 9001 Certification
. We are Waiting for your next update.

Ansa Certifications said...

Thank you so much for sharing this great blog.Very inspiring and helpful too.

list of ISO 9712 certification in Chennai
ISO 9712 training in India

lithindavid said...

Very Nice. This blog is very useful to me. Now I have clarified my doubts on iso 27001 Certification. Thanks for sharing the information.

Mohamadsiraj said...

Great Content! Information Security Management It is an important topic!. ISO 27000 Certification

Mohamadriyas said...

This is a very important blog for everyone. I read and I really like it.ISO 22301 Certification in Saudiarabia

harrishvijay said...

very nice blog. Thanks for sharing . ISO 27002 Certification in Bahrain

Amith Sharma said...

Thank you for using my Guide and if it work for you that makes me happy

ISO 27001 Certification

Mohamadriyas said...

Thanks for update your post, Its really helpful to me.
ISO 27001 Certification

Michael Smith said...

This is really an awesome article. Thank you for sharing this.It is worth reading for everyone.

ISO 27001 Certification

Jessy Shan said...

This blog is the Best place for learning and contribution.

Certificacion ISO 27001

John Smith said...

This post is really nice and informative. The explanation given is really comprehensive and informative..

ISO 27001 Certification

YASARARAFAT said...

Thanks for sharing this post.ISO 27001 Qatar

Unknown said...

Thanks for sharing this great content. It is really informative and useful., You can also check this Similar site ISO Lead Auditor Training in Hyderabad

Savitha Lachan said...

I recently came across your blog and have been reading along. I thought I would leave my first comment.

ISO 27001 Certification Bodies in India

Unknown said...

Informative Blog, thanks for sharing useful information. Get one of the best gate entry management system to make your apartment and society secure.

rajkumarias said...

ISO 27001 Lead Auditor Training is the necessary guidance for professionals who wish to build a strong career in Information Security Management System auditing. IRCA ISO 27001 ISMS Lead Auditor Training in Sri Lanka | 2 days| class room, online | 95% rating | certificate in 10 days | Contact:enquiry@iascertification.com. Call @ +65 3159 1803

QSICERT said...

Information Security Management System