Businesses undergoing ISO certification are probably aware of the 27000 series and its focus on comprehensive cybersecurity. What many organizations don’t know, however, is that the series itself provides guidelines for risk managers to better implement Information Security Management Systems (the core process of ISO 27001) following best risk management practices. 

What Is the Purpose of ISO 27005?

ISO 27005, “Security techniques – Information security risk management,” details some of the requirements and best practices for organizations looking to align their infrastructure with the tenants of the ISO 27000 series. 

ISO 27005 addresses explicitly two major areas of interest for these organizations:

• Information Security Management Systems (ISMS): ISO 27001 defines the concept of an ISMS. This structure includes technical controls, operations, and business processes that support organization-wide cybersecurity. Rather than focusing on a checklist of controls, ISO 27001 proposes a comprehensive approach to security in which all infrastructure and stakeholders may play a part.
• Risk Management: Risk management, briefly, is the systematic approach of defining, identifying, and mitigating security risks within a security infrastructure.

More specifically, ISO 27005 focuses on how organizations may best implement an ISMS using risk management through a methodological process that includes considerations of the following factors:

• How the organization identifies risks,
• How those risks are assessed in terms of their consequences to the organization and stakeholders,
• How can the organization communicate these risks,
• How the organization prioritizes those risks, including the actions needed to reduce risk occurrence,
• How the organization notifies stakeholders, so they remain informed, 
• The effectiveness of the organization’s risk treatment, 
• The effectiveness of risk monitoring, and
• Ongoing education for employees related to risk.

What Are the Information Security Risk Management Processes?

At a high level, the process used in ISO 27005 is mapped out in another document, ISO 31000. It involves several steps covering establishing context-defining investigations and in-depth risk identification and management methodologies. More importantly, it structures these processes around an iterative model for continuous monitoring and optimization.

The core components of this process are as follows:

Context Establishment

At this stage, the organization starts gathering information about its operations and processes to inform the risk management model. Without this information, it’s difficult to claim that the organization’s ISMS can address real and pressing threats. 

• Establishing Risk Management Approaches and Criteria: At this point, the organization must conduct a full risk assessment, including defining policies and procedures for addressing risk and implementing risk-based controls. At this stage, the organization looks at the value of information and information processing systems, legal and compliance requirements, and business goals.
• Establishing Impact Criteria: Here, the organization determines the impact (degree of damage) based on risk factors. This can include classifying the level of the risk involved, the impact on CIA (confidentiality, integrity, accessibility), loss of business or monetary assets, disruption of operations, legal or regulatory breaches, etc.
• Establishing Risk Acceptance Criteria: Based on the assessed impact of the identified risks, the organization must then determine how their business goals compare to these impacts and, further, how the organization would weigh goals against potential risks. This includes determining risk thresholds based on their obligations, desired profits, risk categories, and likely mitigation efforts. 
• Establishing Scope: Any measure of risk, thresholds, and impact must include a comprehensive definition of the scope of assessment, including boundaries on data processing systems, business policies, and legal obligations.

Risk Identification

Following the context definition, the organization will then step into the overarching risk management portion of the process. At the identification stage, the organization determines what actions, or series of activities, could cause damage or loss to data, system integrity, or other operations. 

• Assets: The organization must identify all relevant assets. An “asset” is “anything that has value to the organization and therefore requires protection.” This broad definition can include data, mission-critical IT infrastructure, business processes, and people. 
• Threats: A threat is an external challenge that may cause harm to any of the assets identified above. Due to the complexity of modern threats, effectively identifying those threats across different contexts (IT, personnel, administrative, etc.) and combinations of processes and technologies requires close attention to detail and input from various organizational stakeholders.
• Existing Controls: It’s critical that the organization avoid double-dipping when implementing controls. That’s why ISO 27005 makes a fine point of determining what existing security and privacy controls exist and how they address potential threats and protect assets. In most cases, this knowledge can go a long way if the organization is already adhering to regulations or compliance requirements.
• Vulnerabilities: The other side of the coin in terms of threats, vulnerabilities are weaknesses or flaws in technologies, processes, or controls that could be open to a threat. 
• Consequences: The scope of damage or adverse conditions that may result from a breach or attack emerging from understood threats, vulnerabilities, and system arrangements.

Risk Analysis

Once the organization has an overall schematic of risk (assets, controls, threats, and vulnerabilities), it can then begin to analyze risk to determine the “magnitude” of the consequences.

• Methodologies: At the first step of the analysis, the organization must define its methodologies. What are the criteria for these analyses? Will the analysis be qualitative, quantitative, or a combination of both? What are the metrics and KPIs for effective analysis?
• Consequences: A point of scenario-building, the organization must assess how consequences may play out in cases where threats are carried out. This can include the path of exploitation, the ultimate cost of a realized threat, and the intangible effects (hits to reputation or morale) that may result.
• Incident Likelihood: As the name suggests, the simple likelihood that an event may occur. This stage will include data drawn from the overall IT and business context–geography, data processed, the technology used, internal threat vulnerabilities, etc.
• Risk Determination: Many risk management frameworks will require the organization to rank risks in severity and likelihood, and ISO 27005 is no different. Ranking risks can help with the next step of risk evaluation.

Risk Evaluation

At this stage, the organization should be able to combine their knowledge of their systems, the demands of their security obligations, the realities of the vulnerabilities and threats they face, and the potential consequences related to the realization of those threats. 

Additionally, this stage assumes that the organization is well on its way to defining, measuring, and ranking concrete sources of risk in their organization, including its risk appetite. At this point, the organization should also be able to make decisions about acceptable risks and how risks impact their systems (and, in many cases, if certain risks are worth addressing at all). 

Risk Treatment

Finally, any organization must have plans to address the event of a risk becoming a real security threat or breach. “Treatment,” in this case, refers to how that organization will approach different security events from the perspectives of prevention or mitigation.

• Modification: The organization may choose to take a preventive approach to risk. In this case, they may decide to identify risks and how to reduce or transform them using different, complementary security controls. 
• Retention: On the other hand, if the risk is deemed acceptable from a business, security, or compliance standpoint, then the organization may decide to “retain” it–or, rather, not to address it as-is.
  
• Avoidance: The organization may avoid those processes if the risk is aligned with specific technologies or practices. This approach assumes that the cost of implementing solutions to mitigate the risk is prohibitively high, as is attempting to work with it. 
• Sharing: Sharing involves spreading the management and consequences of a specific source of risk. Solutions can include outsourcing IT infrastructure or security processes to modify or avoid the risk or buying insurance to cover damages should a threat become real.

Monitoring and Review

At no point should an organization consider a risk profile as static. Systems, threats, and goals often change, sometimes daily, and a risk and security management system should be able to adjust. As such, ISO 27005 calls for these organizations to monitor and review all procedures and policies to inform the evolution of risk management analysis.

Get Your ISMS Up to Speed With ISO 27005 and Lazarus Alliance

Getting certified under ISO 27001 is a long and arduous process, and implementing effective ISMS systems presents a challenge often beyond the capabilities of businesses that aren’t versed in cybersecurity. 

As a committed and experienced partner for organizations seeking ISO 27001 certification, we support organizations working on developing comprehensive security infrastructure–and a major part of this is working with ISO 27005. Our team and our tools can help get your infrastructure in line and keep it there.