Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)

This document provides guidance to assist organizations to:
—    fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
—    perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.


General Information

Status: Published
Public Enquiry End Date: 25-Jun-2024
Publication Date: 15-Sep-2024
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 21-Aug-2024
Due Date: 26-Oct-2024
Completion Date: 16-Sep-2024
Standard: SIST EN ISO/IEC 27005:2024
English language, 71 pages

Standards Content (Sample)


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
Informationssicherheit, Cybersicherheit und Datenschutz - Leitfaden zur Handhabung von Informationssicherheitsrisiken (ISO/IEC 27005:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Préconisations pour la gestion des risques liés à la sécurité de l'information (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005

NORME EUROPÉENNE
EUROPÄISCHE NORM
August 2024
ICS 35.030
English version
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Préconisations pour la gestion des risques liés à la sécurité de l'information (ISO/IEC 27005:2022)
Informationssicherheit, Cybersicherheit und Datenschutz - Leitfaden zur Handhabung von Informationssicherheitsrisiken (ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 E
Contents
European foreword ..... 3

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2025, and conflicting national standards
shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024
without any modification.
INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity
and privacy protection — Guidance on
managing information security risks
Sécurité de l'information, cybersécurité et protection de la vie
privée — Préconisations pour la gestion des risques liés à la sécurité
de l'information
Reference number
ISO/IEC 27005:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

Contents
Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
3.1 Terms related to information security risk ..... 1
3.2 Terms related to information security risk management ..... 5
4 Structure of this document ..... 7
5 Information security risk management ..... 7
5.1 Information security risk management process ..... 7
5.2 Information security risk management cycles ..... 9
6 Context establishment ..... 9
6.1 Organizational considerations ..... 9
6.2 Identifying basic requirements of interested parties ..... 10
6.3 Applying risk assessment ..... 10
6.4 Establishing and maintaining information security risk criteria ..... 11
6.4.1 General ..... 11
6.4.2 Risk acceptance criteria ..... 11
6.4.3 Criteria for performing information security risk assessments ..... 13
6.5 Choosing an appropriate method ..... 15
7 Information security risk assessment process ..... 16
7.1 General ..... 16
7.2 Identifying information security risks ..... 17
7.2.1 Identifying and describing information security risks ..... 17
7.2.2 Identifying risk owners ..... 18
7.3 Analysing information security risks ..... 19
7.3.1 General ..... 19
7.3.2 Assessing potential consequences ..... 19
7.3.3 Assessing likelihood ..... 20
7.3.4 Determining the levels of risk ..... 22
7.4 Evaluating the information security risks ..... 22
7.4.1 Comparing the results of risk analysis with the risk criteria ..... 22
7.4.2 Prioritizing the analysed risks for risk treatment ..... 23
8 Information security risk treatment process ..... 23
8.1 General ..... 23
8.2 Selecting appropriate information security risk treatment options ..... 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options ..... 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A ..... 27
8.5 Producing a Statement of Applicability ..... 27
8.6 Information security risk treatment plan ..... 28
8.6.1 Formulation of the risk treatment plan ..... 28
8.6.2 Approval by risk owners ..... 29
8.6.3 Acceptance of the residual information security risks ..... 30
9 Operation ..... 31
9.1 Performing information security risk assessment process ..... 31
9.2 Performing information security risk treatment process ..... 31
10 Leveraging related ISMS processes ..... 32
10.1 Context of the organization ..... 32
10.2 Leadership and commitment ..... 32
10.3 Communication and consultation ..... 33
10.4 Documented information ..... 35
10.4.1 General ..... 35
10.4.2 Documented information about processes ..... 35
10.4.3 Documented information about results ..... 35
10.5 Monitoring and review ..... 36
10.5.1 General ..... 36
10.5.2 Monitoring and reviewing factors influencing risks ..... 37
10.6 Management review ..... 38
10.7 Corrective action ..... 38
10.8 Continual improvement ..... 39
Annex A (informative) Examples of techniques in support of the risk assessment process ..... 41
Bibliography ..... 62
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Notes 1
and 2 to entry have been renumbered as Notes 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Risk retention includes the acceptance of residual risks” has replaced
“Retention can be restricted to a certain period of time” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, including its keywords and key concepts.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls, while still ensuring that
risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and whenever
relevant changes occur. This applies to the entire risk assessment, and the updates can be divided into
two risk management cycles:
— strategic cycle, in which business assets, risk sources and threats, target objectives or the
consequences of information security events evolve as a result of changes in the overall context of the
organization. This can provide input for an overall update of the risk assessment(s) and the
corresponding risk treatments. It can also serve as input for identifying new risks and initiating
completely new risk assessments;
— operational cycle, in which the above-mentioned elements serve as input information or changed
criteria affecting a risk assessment or assessments whose scenarios should be reviewed and updated.
The review should include updating the corresponding risk treatment as applicable.
The strategic cycle should be run on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed
and on the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), which can then be considered the “organization” within the context of the ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk a
...


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing
information security risks (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005
EUROPÄISCHE NORM
NORME EUROPÉENNE
August 2024
ICS 35.030
German version of:
Information security, cybersecurity and privacy protection - Guidance on managing
information security risks (ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions
for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and
bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language
made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the
CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, the Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national
Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 D

Contents
European foreword
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the selected information security risk
treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Operation
9.1 Performing the information security risk assessment process
9.2 Performing the information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A (informative) Examples of techniques in support of the risk assessment process
A.1 Information security risk criteria
A.1.1 Criteria related to risk assessment
A.1.2 Risk acceptance criteria
A.2 Practical techniques
A.2.1 Information security risk components
A.2.2 Assets
A.2.3 Risk sources and desired end state
A.2.4 Event-based approach
A.2.5 Asset-based approach
A.2.6 Examples of scenarios applicable in both approaches
A.2.7 Monitoring risk-related events
Bibliography

Figures
Figure 1 — Information security risk management process
Figure A.1 — Information security risk assessment components
Figure A.2 — Example of an asset dependency diagram
Figure A.3 — Identification of the ecosystem's interested parties
Figure A.4 — Risk assessment using risk scenarios
Figure A.5 — Example of application of the SFDT model

Tables
Table A.1 — Example of a consequence scale
Table A.2 — Example of a likelihood scale
Table A.3 — Example of a qualitative approach to risk criteria
Table A.4 — Example of a logarithmic likelihood scale
Table A.5 — Example of a logarithmic consequence scale
Table A.6 — Example of an evaluation scale combined with a three-colour risk matrix
Table A.7 — Examples and usual methods of attack
Table A.8 — Example classification of motivations expressing the DES
Table A.9 — Examples of target objectives
Table A.10 — Examples of typical threats
Table A.11 — Examples of typical vulnerabilities
Table A.12 — Examples of risk scenarios in both approaches
Table A.13 — Example of a risk scenario and risk-related event monitoring

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information technology"
of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 27005:2024 by
Technical Committee CEN/CLC/JTC 13 "Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by February 2025, and conflicting national standards shall be withdrawn at
the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the user's national standards body. A
complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, the Republic of North Macedonia,
Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024 without any
modification.
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in
the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or on the
ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations
received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html. In
the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been technically
revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user's national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of the risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended for:
— organizations that intend to establish and implement an information security management system (ISMS)
in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS professionals,
risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic and geological
environment, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— relationships with, and perceptions, values, needs and expectations of, external interested parties;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include the following:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes,
systems and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, in a positive or negative sense.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different
levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to
understanding or knowledge of an event (3.1.11), its consequence (3.1.14), or its
likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their
consequences and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks
can be expressed as the effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risk can be associated with the potential that threats (3.1.9) will
exploit vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause
harm to an organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the wording "It can be positive, negative or both, and can
address, create or result in opportunities and threats" has been replaced by "in a positive or negative
sense" in Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry, and Note 3,
Note 5, Note 6 and Note 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted
consequence (3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination with other factors has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human type of risk source can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Note 1 and Note 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and on the external context (3.1.1)
and internal context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or
organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several
consequences (3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that
is not expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word "likelihood" is used to refer to the chance of
something happening, whether defined, measured or determined objectively or subjectively, qualitatively or
quantitatively, and described using general terms or mathematically (such as a probability or a frequency
over a given time period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages;
instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often
narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used
with the intent that it should have the same broad interpretation as the term "probability" has in many
languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or
indirect effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the wording "magnitude of a risk or combination of
risks" has been replaced by "significance of a risk".]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other
conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of
risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13),
significance, evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and
its interested parties on an issue prior to making a decision or determining a direction on that issue.
Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11),
their causes and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert
opinions, and interested parties' needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "stakeholder" has been replaced by "interested party" in
Note 2 to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk
treatment (3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with the risk criteria (3.1.7) to determine
whether the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — "magnitude" has been replaced by "significance".]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed choice.
Note 2 to entry: Risk treatment in information security does not include "taking or increasing risk in
order to pursue an opportunity", but the organization can use this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as "risk
mitigation", "risk elimination", "risk prevention" and "risk reduction".
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Note 1 and
Note 2 to entry have been renumbered as Note 2 and Note 3 to
Begriff umnummeriert.]
3.2.8
Risikoakzeptanz
informierte Entscheidung, ein bestimmtes Risiko (3.1.3) zu tragen
Anmerkung 1 zum Begriff: Risikoakzeptanz kann ohne Risikobehandlung (3.2.7) oder während des
Risikobehandlungsprozesses erfolgen.
Anmerkung 2 zum Begriff: Akzeptierte Risiken werden einer Überwachung und Überprüfung unterzogen.
[QUELLE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
Risikoteilung
Form der Risikobehandlung (3.2.7), welche die mit anderen Parteien vereinbarte Verteilung des Risikos (3.1.3)
beinhaltet
Anmerkung 1 zum Begriff: Rechtliche oder behördliche Anforderungen können die Risikoteilung einschränken,
verbieten oder anordnen.
Anmerkung 2 zum Begriff: Die Risikoteilung kann durch Versicherungen oder andere Vertragsformen vollzogen
werden.
Anmerkung 3 zum Begriff: Wie weit das Risiko verteilt wird, kann von der Zuverlässigkeit und Klarheit der
Teilungsvereinbarungen abhängen.
Anmerkung 4 zum Begriff: Die Risikoübertragung ist eine Form der Risikoteilung.
[QUELLE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
Risikobeibehaltung
zeitweilige Akzeptanz des potentiellen Nutzens eines Gewinns oder der Belastung durch einen Verlust
aufgrund eines bestimmten Risikos (3.1.3)
Anmerkung 1 zum Begriff: Die Beibehaltung kann auf eine bestimmte Zeitspanne beschränkt sein.
Anmerkung 2 zum Begriff: Das beibehaltene Risikoniveau (3.1.15) kann von Risikokriterien (3.1.7) abhängen.
[QUELLE: ISO Guide 73:2009, 3.8.1.5, modifiziert — das Wort „zeitweilig“ wurde am Anfang der Definition
hinzugefügt und die Formulierung „Die Risikobeibehaltung schließt die Akzeptanz von Restrisiken ein“ wurde
durch „Die Beibehaltung kann auf eine bestimmte Zeitspanne beschränkt werden“ in Anmerkung 1 zum
Begriff ersetzt.]
4 Aufbau dieses Dokuments
Dieses Dokument ist wie folgt strukturiert:
 Abschnitt 5: Handhabung von Informationssicherheitsrisiken;
 Abschnitt 6: Kontextfestlegung;
 Abschnitt 7: Prozess der Risikobeurteilung der Informationssicherheit;
 Abschnitt 8: Prozess der Risikobehandlung der Informationssicherheit;
 Abschnitt 9: Betrieb;
 Abschnitt 10: Unterstützung verbundener ISMS-Prozesse.
Abgesehen von den Beschreibungen in den allgemeinen Unterabschnitten sind alle
Risikomanagementaufgaben, wie sie in Abschnitt 7 bis Abschnitt 10 dargestellt sind, wie folgt strukturiert:
Eingabe: Identifizierung aller Informationen, die zur Durchführung der Aufgabe erforderlich sind.
Aktion: Beschreibung der Aufgabe.
Auslöser: Bereitstellung eines Leitfadens für den Beginn der Aufgabe, z. B. aufgrund einer Änderung innerhalb
der Organisation oder nach einem Plan oder einer Änderung im externen Kontext der Organisation.
Ausgabe: Identifizierung aller Informationen, die nach der Durchführung der Aufgabe abgeleitet werden,
sowie aller Kriterien, die diese Ausgabe erfüllen sollte.
Leitfaden: Bereitstellung eines Leitfadens zur Durchführung der Aufgabe, eines Schlüsselworts und eines
Schlüsselkonzepts.
5 Handhabung von Informationssicherheitsrisiken
5.1 Prozess zur Handhabung von Informationssicherheitsrisiken
Der Prozess zur Handhabung von Informationssicherheitsrisiken wird in Bild 1 dargestellt.
ANMERKUNG Dieser Prozess beruht auf dem allgemeinen Risikomanagementprozess nach ISO 31000.
Bild 1 — Prozess zur Handhabung von Informationssicherheitsrisiken
Wie in Bild 1 veranschaulicht, kann der Prozess zur Handhabung der Informationssicherheitsrisiken für
Aufgaben zur Risikobeurteilung und/oder Risikobehandlung iterativ sein. Ein iterativer Ansatz bei der
Durchführung von Risikobeurteilungen kann die Tiefe und den Detaillierungsgrad der Beurteilung bei jeder
Iteration erhöhen. Der iterative Ansatz bietet ein gutes Gleichgewicht zwischen der Minimierung des Zeit- und
Arbeitsaufwands für die Festlegung von Maßnahmen und der gleichzeitigen Sicherstellung einer
angemessenen Risikobeurteilung.
Die Kontextfestlegung bedeutet die Zusammenstellung des internen und externen Kontexts für die
Handhabung von Informationssicherheitsrisiken oder eine Risikobeurteilung der Informationssicherheit.
Wenn die Risikobeurteilung genügend Informationen liefert, um die erforderlichen Aktionen zur Änderung
der Risiken auf ein akzeptables Niveau zu bestimmen, ist die Aufgabe abgeschlossen und es folgt die
Risikobehandlung. Sind die Informationen unzureichend, sollte eine weitere Iteration der Risikobeurteilung
durchgeführt werden. Dies kann eine Änderung des K
...


SLOVENIAN STANDARD
01-October-2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005
August 2024
ICS 35.030
English version
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 E
Contents Page
European foreword 3

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2025, and conflicting national standards
shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024
without any modification.
INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition 2022-10
Information security, cybersecurity
and privacy protection — Guidance on
managing information security risks
Sécurité de l'information, cybersécurité et protection de la vie
privée — Préconisations pour la gestion des risques liés à la sécurité
de l'information
Reference number ISO/IEC 27005:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved

Contents Page
Foreword v
Introduction vi
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
3.1 Terms related to information security risk 1
3.2 Terms related to information security risk management 5
4 Structure of this document 7
5 Information security risk management 7
5.1 Information security risk management process 7
5.2 Information security risk management cycles 9
6 Context establishment 9
6.1 Organizational considerations 9
6.2 Identifying basic requirements of interested parties 10
6.3 Applying risk assessment 10
6.4 Establishing and maintaining information security risk criteria 11
6.4.1 General 11
6.4.2 Risk acceptance criteria 11
6.4.3 Criteria for performing information security risk assessments 13
6.5 Choosing an appropriate method 15
7 Information security risk assessment process 16
7.1 General 16
7.2 Identifying information security risks 17
7.2.1 Identifying and describing information security risks 17
7.2.2 Identifying risk owners 18
7.3 Analysing information security risks 19
7.3.1 General 19
7.3.2 Assessing potential consequences 19
7.3.3 Assessing likelihood 20
7.3.4 Determining the levels of risk 22
7.4 Evaluating the information security risks 22
7.4.1 Comparing the results of risk analysis with the risk criteria 22
7.4.2 Prioritizing the analysed risks for risk treatment 23
8 Information security risk treatment process 23
8.1 General 23
8.2 Selecting appropriate information security risk treatment options 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A 27
8.5 Producing a Statement of Applicability 27
8.6 Information security risk treatment plan 28
8.6.1 Formulation of the risk treatment plan 28
8.6.2 Approval by risk owners 29
8.6.3 Acceptance of the residual information security risks 30
9 Operation 31
9.1 Performing information security risk assessment process 31
9.2 Performing information security risk treatment process 31
10 Leveraging related ISMS processes 32
10.1 Context of the organization 32
10.2 Leadership and commitment 32
10.3 Communication and consultation 33
10.4 Documented information 35
10.4.1 General 35
10.4.2 Documented information about processes 35
10.4.3 Documented information about results 35
10.5 Monitoring and review 36
10.5.1 General 36
10.5.2 Monitoring and reviewing factors influencing risks 37
10.6 Management review 38
10.7 Corrective action 38
10.8 Continual improvement 39
Annex A (informative) Examples of techniques in support of the risk assessment process 41
Bibliography 62
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Notes 1
and 2 to entry have been renumbered as Notes 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Retention can be restricted to a certain period of time” has replaced
“Risk retention includes the acceptance of residual risks” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, including keywords and key concepts.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls, while still ensuring that
risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This applies to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, where business assets, risk sources and threats, target objectives or consequences
of information security events evolve because of changes in the overall context of the organization.
This can serve as input for an overall update of the risk assessment or risk assessments and the
risk treatments. It can also serve as an input for identifying new risks and initiating completely new
risk assessments;
— operational cycle, where the above-mentioned elements serve as input information or changed
criteria that affect a risk assessment or assessments where the scenarios should be reviewed
and updated. The review should include updating the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), and can be considered as the “organization” within the context of an ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk ass
...
