The newly revised ISO/IEC 27005:2018, Information technology – Security techniques – Information security risk management, aims to protect the security of a company’s information by providing a framework for effectively managing risks.
ISO/IEC 27005 is complementary to ISO/IEC 27001:2013, which provides the requirements for an information security management system. As such, ISO/IEC 27005 has been updated to reflect the new version of ISO/IEC 27001 and ensure the standard is best equipped to meet the current demands of organizations. ISO/IEC 27005 also provides detailed risk management guidance to help meet related requirements specified in ISO/IEC 27001.
Edward Humphreys, convener of the ISO/IEC working group that developed both ISO/IEC 27001 and ISO/IEC 27005, said the updated standard is a key tool in the ISO/IEC “cyber-risk toolbox.”
“ISO/IEC 27005 provides the ‘why, what, and how’ for organizations to be able to manage their information security risks effectively in compliance with ISO/IEC 27001,” Humphreys said. “It also helps to demonstrate to an organization’s customers or stakeholders that robust risk processes are in place, giving them confidence that they are good to do business with.”
ISO/IEC 27005 is one of more than a dozen standards in the ISO/IEC 27000 series that make up the cyber-risk toolkit, led by ISO/IEC 27001. Other standards in the series include those for protecting information in the cloud, information security in the telecommunications and utility sectors, cybersecurity, and ISMS auditing.