People often say that the world is changing, and technology is painted as the catalyst for this rapid progression. In truth, the world has always been changing, and technology, due to its inherent nature, is always advancing. However, because of global interconnectivity and digitization, today’s changes are accelerated. Thankfully, standards share this feature of perennial change, as periodic revisions address the current needs of their users.
Such is true with ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management. This international standard, which was developed by working group 1 Information security management systems of technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT Security techniques, provides guidelines for information security risk management.
In the interconnected, globalized, digitally-dependent world, cyberattacks have risen to a prime concern. Furthermore, new legislation like the General Data Protection Regulation (GDPR) has pressured organizations to keep their information secure. Overall, risk is abundant, and the need to acknowledge and address the persistent potential of data breaches makes ISO/IEC 27005:2018 so significant.
ISO/IEC 27005:2018 supports the concepts outlined in ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements to assist in implementing information security with a basis in risk management. ISO/IEC 27001:2013, as a management system standard, offers a nonprescriptive framework through which any organization can implement, maintain, and continually improve an information security management system specific to that organization’s context.
In fact, many of the changes to ISO/IEC 27005:2018 came about as a means to better align it with ISO/IEC 27001:2013. For example, ISO/IEC 27005:2018 differs from the second edition of the same standard because it features no direct references to ISO/IEC 27001:2005. Furthermore, Annex G in ISO/IEC 27001:2005, which detailed “Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011” has been removed from the revision entirely.
ISO/IEC 27005:2018 also includes clear information that the standard does not contain direct guidance on the implementation of the information security management system (ISMS) requirements specified in ISO/IEC 27001:2013.
Risk is present in all aspects of life. Managing it in the relied-upon context of information security is a necessity. ISO/IEC 27005:2018 is based on the asset, threat, and vulnerability risk identification method that was once a part of ISO/IEC 27001.
ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management is available on the ANSI Webstore.