The fourth edition of this Standard was published in October 2022, but it's rarely referenced in ISMS documentation.
ISO 27005 provides the framework for managing risk so that you can customize your methods to suit your individual needs.
ISO 27001 is intended to be applied to all types of organisations, so there is no 'one size fits all' approach upon which to depend. You need to tailor your approach to your own economic sector to achieve maximum benefit.
The involvement of your (proposed) Information Security Team in developing an information risk management framework (as guided by ISO 27005) from the outset is a great way to get buy-in and commitment to your ISO 27001 Project. Don't ignore this Standard, please.
ISO 27005 (also known as IEC 27005) will be, or should be, of particular interest to:
Those expecting to find techniques and methods for managing risk will be disappointed as ISO 27005 focuses on the issues and the thinking that should precede the selection of risk management tools and methods (you'll find that in our ISO 27001 training). The best choice for risk management tools and methods remains IEC 31010:2019 Risk Management - Risk assessment techniques. With 40+ useful tools explained with examples, this is the 'Gold Standard' for risk management.
This standard focuses on the information security risk management process and the information security risk management cycles. You are taken step by step through the process following the process map shown here, which is taken from the standard.
And as is often the case in ISO Standards, the best has been kept 'til last - the Annexes.
This Annex titled Examples of techniques in support of the risk assessment process is a 'goldmine' of practical information. Subjects covered here include...
Throughout, copious examples are given, and these are the true value of this Standard. Even the vexed question of 'Vulnerability' versus 'Threat' is clearly explained in simple English. This Standard is essential reading for those professionally interested in ISO 27001 and all things Information Security.
For more information and to buy a copy of the new Standard, go to the ISO Website.
A good source of information on all things to do with ISO 27001 is iso27001security.com.
In
We have chosen ISO 21001 certification because it is based on independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised). It is a 'university grade' standard used globally by schools, colleges, and universities to demonstrate competence.