ISO 27005

Risk Management

What is ISO 27005?

The international standard ISO/IEC 27005 is part of the ISO 27000 series of standards. It was published in 2008 by Joint Technical Committee JTC 1, which was established jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its official title is "Information technology — Security techniques — Information security risk management".

ISO 27001 requires organisations to identify and assess information security risks and to implement appropriate security controls. By following ISO 27005 you meet these requirements: ISO 27005 describes the entire risk management process, the individual risk analysis steps, and how to establish the process. However, ISO 27005 does not prescribe a specific risk management methodology; every organisation needs to define its own approach depending on the scope of its Information Security Management System (ISMS), its industry, and similar factors. Since ISO 27005 is intended to be used in conjunction with ISO 27001, certification against ISO 27005 itself is not possible.

ISO 27005: Topics and Content

ISO 27005 covers the following topics:
  • Risk management criteria, scope, and organisation
  • Risk assessment
  • Risk treatment
  • Risk acceptance
  • Risk communication
  • Monitoring and review

ISO 27005 in Your Organisation

ISO 27005 serves as a practical guide to risk management as part of an ISO 27001-compliant ISMS. Please refer to our overview to find out which other standards from the ISO 27000 series are relevant for you. Our project procedure describes how plan42 supports you during implementation. Do you have any further questions? Please feel free to contact us.