ISO 27005:2018 Information Security Risk Management - it's important


The third edition of this Standard was published in July 2018 but it's rarely referenced in ISMS documentation.


What is ISO 27005 for?

ISO 27005 provides a framework for managing information security risk; within that framework you can tailor your methods to suit your organization's needs.

ISO 27001 vs ISO 27005

ISO 27001 is intended to be applied to all types of organizations, so there is no 'one size fits all' approach on which to rely. Each sector needs its own tailored approach to gain the maximum benefit.

The involvement of your (proposed) Information Security Team in developing an information risk management framework (as guided by ISO 27005) from the outset is a great way to get buy-in and commitment to your ISO 27001 Project. Don't ignore this Standard, please.

Who Should Take ISO 27005 Training?

ISO 27005 (also known as IEC 27005) will be, or should be, of particular interest to:

  • IT Managers and those who implement and maintain an ISMS for their organization,
  • Consultants and Advisers who develop, implement and maintain ISMSs, and
  • Lead Auditors who wish for a deeper understanding of how risk should be addressed in an ISMS.

Those expecting to find techniques and methods for managing risk will be disappointed: ISO 27005 focuses on the issues and the thinking that should precede the selection of risk management tools and methods (you'll find those tools and methods in our ISO 27001 Courses).

The best choice for risk management tools and methods remains IEC 31010:2009 Risk management - Risk assessment techniques. With 20+ really useful tools explained with examples, this is the 'Gold Standard' for risk management.

ISO 27005:2018 Clauses

The Contents table, summarised below, tells the whole story. All of the activities mentioned in ISO 27001 are treated one-by-one and then explained in clear, simple terms.

  • ISO 27005 Clause 6 Overview of the information security risk management process
  • ISO 27005 Clause 7 Context establishment
  • ISO 27005 Clause 7.1 General considerations
  • ISO 27005 Clause 7.2 Basic criteria
  • ISO 27005 Clause 7.3 Scope and boundaries
  • ISO 27005 Clause 7.4 Organization for information security risk management
  • ISO 27005 Clause 8 Information security risk assessment
  • ISO 27005 Clause 8.1 General description of information security risk assessment
  • ISO 27005 Clause 8.2 Risk identification
  • ISO 27005 Clause 8.3 Risk analysis
  • ISO 27005 Clause 8.4 Risk evaluation
  • ISO 27005 Clause 9 Information security risk treatment
  • ISO 27005 Clause 9.1 General description of risk treatment
  • ISO 27005 Clause 9.2 Risk modification
  • ISO 27005 Clause 9.3 Risk retention
  • ISO 27005 Clause 9.4 Risk avoidance
  • ISO 27005 Clause 9.5 Risk sharing
  • ISO 27005 Clause 10 Information security risk acceptance
  • ISO 27005 Clause 11 Information security risk communication and consultation
  • ISO 27005 Clause 12 Information security risk monitoring and review
  • ISO 27005 Clause 12.1 Monitoring and review of risk factors
  • ISO 27005 Clause 12.2 Risk management monitoring, review and improvement

But, as is so often the case in ISO Standards, the best has been kept 'til last: the Annexes.

ISO 27005 Annexes

  • Annex A: Defining the scope and boundaries of the information security risk management process
  • Annex B: Identification and valuation of assets and impact assessment
  • Annex C: Examples of typical threats
  • Annex D: Vulnerabilities and methods for vulnerability assessment
  • Annex E: Information security risk assessment approaches
  • Annex F: Constraints for risk modification


Throughout, copious examples are given, and these are the true value in this Standard. Even the vexed question of 'Vulnerability' versus 'Threat' is clearly explained in simple English. For those professionally interested in ISO 27001, and all things about Information Security, this Standard is essential reading.

ISO 27005 Resources

For more information, and perhaps to buy a copy of the new Standard, go to the ISO Website.

A good source of information on all things to do with ISO 27001 is iso27001security.com.

Note: Originally published in July 2018; revised and updated in April 2021.


Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting and auditing management systems.