Global InfoSec Standard: ISO/IEC 27005:2008
An important international standard for information security is ISO/IEC 27005:2008 – Information Technology, Security Techniques, and Information Security Risk Management. Business continuity professionals who are also interested in information security should review the standard.
Organizations of all types face threats that could compromise their information security. Managing these threats is usually a primary concern for their information technology (IT) departments. The new International Standard ISO/IEC 27005:2008 describes the information security risk management process and its associated actions, and has been written to help manage these business-critical risks.
Threats may be deliberate or accidental, and may relate either to the use and application of IT systems or to IT's physical and environmental aspects. They range from identity theft, the risks of doing business online, denial-of-service attacks, remote spying, and theft of equipment or documents, through to seismic or climatic events, fire, floods, or pandemics.
ISO/IEC 27005 can help organizations because it:
1. Describes the information security risk management process and associated actions, to help you manage business-critical risks to IT.
2. Supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
3. Covers the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002, giving you the knowledge you need for a complete understanding of ISO/IEC 27005:2008.
What does the information security risk management process consist of?
1. Context establishment
2. Risk assessment
3. Risk treatment
4. Risk acceptance
5. Risk communication
6. Risk monitoring and review
Who should use ISO/IEC 27005?
ISO/IEC 27005 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profits) that intend to manage risks that could compromise the organization’s information security.
How does ISO/IEC 27005 complement ISO/IEC 27001?
If you use ISO/IEC 27001, which is a risk-based standard, then you will find BS ISO/IEC 27005 very useful in providing additional guidance on the subject of risk.
However, ISO/IEC 27005:2008 does not prescribe any specific methodology for information security risk management. It is up to the organization to define its own approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.
For more information on ISO/IEC 27005:2008, see http://www.itgovernanceusa.com/product/26.aspx