ISO/IEC 27005:2022 provides guidelines for information security risk management. Knowledge of the concepts, models, processes, and terminologies described in ISO 27001 and ISO 27002 is important for a complete understanding of this standard.
This document supports the main concepts specified in ISO 27001 and is designed to assist with the implementation of information security based on a risk management approach.
This document applies to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that can compromise their information security.
ISO/IEC 27005:2022, Information security, cybersecurity and privacy protection – Guidance on managing information security risks.
- This Standard provides internationally recognized best-practice guidelines for information security risk management
- Aligned with ISO 27001 and ISO 27002
- Applicable to all types and sizes of organizations
- The latest best-practice approach to effective information security risk management
ISO 27005:2022 introduces several changes to align the standard’s terminology and structure with the 2022 editions of ISO/IEC 27001 and ISO/IEC 27002.
Here is a summary of the most significant changes:
- ISO 27005:2022 consolidates the 2018 version’s 12 clauses and six annexes into ten clauses and one annex.
- It establishes a new risk management process with five steps: context establishment, risk identification, risk analysis, risk evaluation, and risk treatment. (The risk acceptance stage has been removed and a new clause introduced: 8.6.3. Acceptance of the residual information security risk. Risk acceptance is now decided after risk treatment.)
- It introduces a new process for identifying information security risks. The 2022 update describes two complementary approaches, which can be combined:
  - Event-based approach: Starts from risk sources and the overall threat landscape to build strategic risk scenarios, then defines the consequences and severity of each scenario. This top-down view is typically used first, without requiring a detailed asset inventory.
  - Asset-based approach: Identifies threats and vulnerabilities for specific assets, assesses their likelihood and consequences, and derives operational risk scenarios from which specific risk treatment options can be selected. This bottom-up view is typically used to refine the strategic scenarios.