by Elizabeth Gasiorowski-Denis

The International Standard ISO/IEC 27005:2011 which gives managers and staff in IT departments a framework for implementing a risk management approach to assist them in managing their information security management system (ISMS) risks has been published.

Information security risks pose a considerable threat to businesses due to the possibility of financial loss or damage, loss of essential network services, or loss of reputation and customer confidence. Risk management is one of the key elements in preventing online fraud, identity theft, damage to Web sites, loss of personal data and many other information security incidents. Without a solid risk management framework, organisations expose themselves to many types of cyber threats.

The new International Standard ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management, will help organisations of all types to better manage their information security risks. It describes the information security risk management process and associated actions, and supports the general concepts specified in ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements.

Edward Humphreys, Convener of the ISO/IEC working group that developed the standard comments: “ISO/IEC 27005:2011 is an essential standard for those that want to manage their risks effectively and, in particular, to comply with the popular information security management system standard ISO/IEC 27001. Risk management is critical to good business governance, and this standard helps organisations with advice on the why, what and how of managing information security risks in support of their governance objectives.”

In this second edition, the framework outlined in ISO/IEC 27005 has been reviewed and updated to reflect the content of the risk management documents:

    ISO 31000:2009, Risk management - Principles and guidelines
    ISO/IEC 31010:2009, Risk management - Risk assessment techniques
    ISO Guide73:2009, Risk management - Vocabulary

The standard is intended to align closely to ISO 31000:2009 in order to help organizations that wish to manage their information security risks in a similar way to the way they manage “other” risks.

ISO/IEC 27005:2011 will assist users in the implementation of ISO/IEC 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002: 2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of this International Standard. The information security risk management process consists of:

•     Context establishment
•     Risk assessment
•     Risk treatment
•     Risk acceptance
•     Risk communication
•     Risk monitoring and review

However, ISO/IEC 27005:2011 does not provide any specific methodology for information security risk management but a generic approach. It is up to the organisation to define its approach to risk management, depending, for example, on the scope of the information security management system, based on the context of risk management, or the industry sector.