ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
ISO 27005, issued in 2005, filled a noticeable gap in the ISO 27000 series of standards. The standard is officially titled ISO/IEC 27005:2008, "Information technology -- Security techniques -- Information security risk management." It took the International Organization for Standardization three years to document the standards for the risk management methodology. Now, just as ISO 27005 is gaining traction, the same organization has issued a new standard, ISO 31000:2009, "Risk management -- Principles and guidelines." As a result, some bewilderment has been re-introduced to an already confusing topic.
ISO 27005 defines risk as "potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization." ISO 31000 states that risk is the "effect of uncertainty on objectives." The definition I've previously used for risk, "the measurement of the uncertainty of harm to an asset or group of assets," falls between the two.
This disparity in the definitions of risk is explained to some extent by the fact that the goal of ISO 27005 is an ISMS, whereas ISO 31000 is a means to the end of enterprise risk management. This forces the issue as to whether information security risk is distinct from, a component of or subordinate to overall organizational risk. Clearly the risks to information are a subset of the risks to the enterprise, but the technical nature of both the threats and the vulnerabilities does distinguish them. Whether IT is different enough from rocket technology, brain surgery technology or nuclear power plant technology to justify its own standard is an excellent, but unanswered, question.
Thus, those attempting to build risk management into an information security program need to honor the standards set in ISO 27005, while simultaneously not contravening the requirements, or at least the intentions, of ISO 31000.
What, for example, is the context of risk management if not the sum of all the other steps? Does not communication of risk include monitoring and reviewing? The most aggressively confusing section of ISO 27005 is the one on risk assessment, which includes risk analysis and risk evaluation. Risk analysis in turn is made up of risk identification and risk estimation. Some (but not all) of these terms are defined in the glossary, but in so arbitrary a manner that a perfectly valid alternative approach could use the same terms in a different way or use different terms altogether and still achieve the same objective: managing risk.
All information security risks by definition are relatively rare and their effects are significant. If the risks were commonplace but insignificant, no standard would be needed to manage them. Thus, all qualitative estimates would show the magnitude of any information security risk to be "high" and the likelihood "low," to use the ISO 27005 standard's terms. But if all relevant risks are estimated at the same level on the same scales, what value is there in the estimates?
The alternative is quantitative estimation. The ISO 27005 standard states this must be based on historical incident data, which, it says, has "the disadvantage [of] the lack of such data on new risks or information security weaknesses." In his influential book on risk, "The Black Swan," Nassim Nicholas Taleb wrote that "what you don't know is far more important than what you do know." Managing new risks and weaknesses is, or should be, the aim of risk management.
The difficulty of working with ISO 27005 is captured in its definition of risk estimation: "the process to assign values to the probability and consequences of a risk." Compliance with the standard means assigning values to the unknowable (likelihood) and the unknown (consequences). No wonder risk estimation is such a blunt tool for managing risk!
The solution to applying ISO 27005 in a useful way lies in accepting that although measurement of risk cannot be precise, it can be accurate within defined boundaries. This is a form of estimation with rigor around the process. There is a methodology for systematically handling concepts that embody imprecision and vagueness: "fuzzy set theory."
This field of mathematics, devised by L. A. Zadeh in 1965, describes objects or processes that are not amenable to precise definition or precise measurement. It recognizes there are some aspects of human experience that cannot be expressed as absolute numerical quantities but rather as a range of possible values. Fuzzy set theory can be used as a technique to modify or amend the risk estimation methodology in ISO 27005.
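To make the fuzzy-set approach to ISO 27005 risk estimation concrete, here is an added example that is not from the article or the standard: likelihood and consequence are each rated on an assumed 0..10 scale with the terms low/medium/high, an assumed rule table combines them, and the result is a graded score plus a linguistic label instead of a flat "high"/"low"; the scale, terms, rules and peak values are all assumptions chosen for illustration.

```python
# Added example (not from ISO 27005 or the article): a small Mamdani-style
# fuzzy estimator for information security risk.  Likelihood and consequence
# are rated 0..10; the linguistic terms, the rule table and the defuzzification
# are assumptions chosen for illustration, not values from the standard.

def tri(x, a, b, c):
    """Triangular membership: rises from a to a peak at b, falls to 0 at c.
    a == b or b == c gives a shoulder that stays at 1 on that side."""
    if x < a or x > c:
        return 0.0
    if x <= b:
        return 1.0 if a == b else (x - a) / (b - a)
    return 1.0 if b == c else (c - x) / (c - b)

# Assumed linguistic terms over a 0..10 rating scale (same set for both inputs).
TERMS = {"low": (0.0, 0.0, 5.0), "medium": (2.5, 5.0, 7.5), "high": (5.0, 10.0, 10.0)}

# Assumed rule base: (likelihood term, consequence term) -> risk term.
RULES = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

# Assumed crisp representative value (peak) of each output term on the 0..10 scale.
RISK_PEAK = {"low": 0.0, "medium": 5.0, "high": 10.0}


def fuzzify(x):
    """Degree of membership of rating x in every linguistic term."""
    return {term: tri(x, *abc) for term, abc in TERMS.items()}


def estimate_risk(likelihood, consequence):
    """Return (crisp risk score 0..10, activation of each risk term).

    Each rule fires with strength min(mu_likelihood, mu_consequence); rules that
    share an output term are combined with max; the score is the activation-
    weighted mean of the term peaks (weighted-average defuzzification).
    """
    mu_l, mu_c = fuzzify(likelihood), fuzzify(consequence)
    activation = {term: 0.0 for term in RISK_PEAK}
    for (lt, ct), out in RULES.items():
        activation[out] = max(activation[out], min(mu_l[lt], mu_c[ct]))
    total = sum(activation.values())
    if total == 0.0:  # no term matched: the ratings were off the 0..10 scale
        raise ValueError("ratings must lie on the 0..10 scale")
    score = sum(RISK_PEAK[t] * w for t, w in activation.items()) / total
    return score, activation


def risk_label(activation):
    """Most-activated term, for reporting back on ISO 27005's qualitative scale."""
    return max(activation, key=activation.get)
```

A rating pair such as likelihood 3.75 and consequence 8.75 produces a score of about 8.3 and the label "high", while 2.5 and 8.75 lands at 5.0 ("medium"); the graded score is the information the flat qualitative scale discards.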
No doubt this is what the authors of ISO 27005 had in mind when they wrote the standard. A standard is not immutable, however, and its weaknesses must be addressed. Failing to do so will result in risk management practices that are based on biases and preconceived notions, not discernible evidence. The fact that the evidence is a little fuzzy around the edges, however, does not undercut the value of ISO 27005 for measuring risk.
SUMMARY
ISO 27005 Lead Risk Manager training enables you to acquire the necessary expertise to support an organization in the risk management process related to all assets of relevance for Information Security, using the ISO 27005 standard as a reference framework. During this training course, you will gain a comprehensive knowledge of a process model for designing and developing an Information Security Risk Management program. The training also provides a thorough understanding of best practices in risk assessment methods such as OCTAVE, EBIOS, MEHARI and harmonized TRA. This training course supports the implementation process of the ISMS framework presented in the ISO 27001 standard.
After mastering all the necessary concepts of Information Security Risk Management based on ISO 27005, you can sit for the exam and apply for a "PECB Certified ISO 27005 Lead Risk Manager" credential. By holding a PECB Lead Risk Manager Certificate, you will be able to demonstrate that you have the practical knowledge and professional capabilities to support and lead a team in managing Information Security Risks.
Learning Objectives
- Understand the concepts, approaches, methods and techniques that enable an effective risk management process according to ISO 27005
- Acknowledge the correlation between Information Security risk management and security controls
- Learn how to interpret the requirements of ISO 27001 in Information Security Risk Management
- Acquire the competence and skills to effectively advise organizations on Information Security Risk Management best practices
- Acquire the knowledge necessary for the implementation, management and maintenance of an ongoing risk management program
In the interconnected, globalized, digitally dependent world, cyberattacks have risen to a prime concern. Furthermore, legislation like the General Data Protection Regulation (GDPR) has pressured organizations to keep their information secure. Overall, risk is abundant, and the need to acknowledge and address the persistent potential of data breaches is what makes ISO/IEC 27005:2022 so significant.
ISO/IEC 27005:2022 also includes clear information that the standard does not contain direct guidance on the implementation of the information security management system (ISMS) requirements specified in ISO/IEC 27001:2022.
Risk is present in all aspects of life. Managing it in the context of information security, on which so much now relies, is a necessity. ISO/IEC 27005:2022 is based on the asset, threat, and vulnerability risk identification method that was once a part of ISO/IEC 27001.
ISO/IEC 27005 provides guidelines for the establishment of a systematic approach to Information Security risk management, which is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system. Moreover, this international standard supports ISO/IEC 27001 concepts and is designed to assist in the efficient implementation of information security based on a risk management approach.
Attendees take the ISO 17024-certificated ISO 27005 Certified ISMS Risk Management (CIS RM) exam set by IBITGQ (International Board for IT Governance Qualifications). There is no extra charge for this exam.