People often say that the world is changing, and technology is painted as the catalyst for this rapid progression. In truth, the world has always been changing, and technology, due to its inherent nature, is always advancing. However, because of global interconnectivity and digitization, today’s changes are accelerated. Thankfully, standards share this feature of perennial change, as periodic revisions address the current needs of their users.
Such is true with ISO/IEC 27005:2022 – Information Security, Cybersecurity And Privacy Protection – Guidance On Managing Information Security Risks. This international standard, which was developed by working group 1 Information security management systems of technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT Security techniques, provides guidelines for information security risk management.
What Is ISO/IEC 27005:2022?
In the interconnected, globalized, digitally-dependent world, cyberattacks have risen to a prime concern. Furthermore, legislation like the General Data Protection Regulation (GDPR) has pressured organizations to keep their information secure. Overall, risk is abundant, and the need to acknowledge and address the persistent potential of data breaches makes ISO/IEC 27005:2022 so significant.
ISO/IEC 27005:2022 supports the concepts outlined in ISO/IEC 27001:2022 – Information technology – Security techniques – Information security management systems – Requirements to assist in implementing information security with a basis in risk management. ISO/IEC 27001:2022, as a management system standard, offers a nonprescriptive framework through which any organization can implement, maintain, and continually improve an information security management system specific to that organization’s context.
ISO/IEC 27005:2022 also includes clear information that the standard does not contain direct guidance on the implementation of the information security management system (ISMS) requirements specified in ISO/IEC 27001:2022.
Risk is present in all aspects of life. Managing it in the relied-upon context of information security is a necessity. ISO/IEC 27005:2022 is based on the asset, threat, and vulnerability risk identification method that was once a part of ISO/IEC 27001.
What Is the Difference Between ISO/IEC 27005 and ISO 31000?
The international standard ISO 31000:2018 – Risk Management – Guidelines provides general risk management guidelines that apply to any for use by any organization, regardless of sector or size, at any point throughout the life of the organization, and applicable to any activity. ISO/IEC 27005:2022 uses the process outlined in this standard as a basis and applies it specifically to information security risk management.
As stated in ISO/IEC 27005:2022:
“ISO 31000 is referenced in ISO/IEC 27001 as a general model.”
Changes to ISO/IEC 27005:2022
Some changes to ISO/IEC 27005:2022 were made to better align it with ISO/IEC 27001:2022. For example, ISO/IEC 27005:2022 differs from the third edition of the same standard because its guidance text was aligned with and the structure of the clauses was adjusted to the layout of ISO/IEC 27001:2022. Additionally, the guidance text and terminology was aligned with ISO 31000:2018 – Risk Management – Guidelines.
Furthermore, while the previous edition was titled “Information Technology – Security Techniques – Information Security Risk Management,” ISO/IEC 27005:2022 is “Information Security, Cybersecurity And Privacy Protection – Guidance On Managing Information Security Risks.”
Some other changes made to ISO/IEC 27005:2022 include:
- Risk scenario concepts were introduced.
- The event-based approach was contrasted with the asset-based approach to risk identification.
- The content of the annexes was revised and restructured into a single annex, Annex A, “Examples of techniques in support of the risk assessment process.”
ISO/IEC 27005:2022 – Information Security, Cybersecurity And Privacy Protection – Guidance On Managing Information Security Risks is available on the ANSI Webstore. It can also be acquired at a discount as part of the following standards packages: