During the management review, the ISMS lead presents the risk register: 47 risks, likelihood and impact each on a 1-5 scale, risk owners assigned, treatment measures prioritised. Top management discusses the top-10 extract and decides on the residual risk acceptance level. Without a structured methodology this meeting quickly turns into a gut-feeling debate without repeatability.
ISO/IEC 27005:2022 provides the methodology for information security risk management in the context of an ISO 27001 ISMS. The standard is written as guidance and describes the full risk management process, from establishing the context through risk assessment to continuous monitoring.
What does the standard cover?
ISO 27005 structures the risk management process into six steps and an iterative cycle. The logic follows ISO 31000 but focuses on information security risks.
The risk management process
- Context establishment: scope, risk acceptance criteria, method selection, stakeholder involvement.
- Risk identification: which risk sources, threats and vulnerabilities exist? Which assets are affected, what consequences are possible?
- Risk analysis: assessing likelihood and impact, qualitatively or quantitatively.
- Risk evaluation: comparing analysed risks with the acceptance criteria, prioritising.
- Risk treatment: choosing a treatment option (avoid, reduce, transfer, accept), selecting concrete controls — typically from ISO 27001 Annex A.
- Residual risk acceptance: documented decision by the responsible management.
Running in parallel throughout:
- Communication and consultation with stakeholders
- Monitoring and review of risks and the effectiveness of treatment
Risk identification: two approaches
ISO 27005:2022 explicitly names two approaches that can also be combined:
- Event-based: the starting point is plausible damage events (“what if our web shop is offline for three days?”). Top-down, well-suited to top management and risk workshops.
- Asset-based: the starting point is the assets (asset inventory), for which threats and vulnerabilities are identified. Bottom-up, well-suited to IT teams and detailed risk registers.
In practice, mature organisations often use a hybrid: event-based top risks from workshops are supplemented with asset-based detailed risks in the register.
Risk treatment and Statement of Applicability
The controls selected during risk treatment feed into the Statement of Applicability under ISO 27001 Clause 6.1.3. ISO 27005 describes the mechanism:
- At least one treatment option is chosen per risk.
- For “reduce”, concrete controls are assigned — typically from ISO 27001 Annex A.
- The SoA lists all Annex A controls with status (applicable or not) and justification.
- The risk treatment plan documents measures, responsibilities and deadlines.
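The scoring, evaluation and SoA mechanism described above, from the 1-5 likelihood and impact scale through the acceptance level to the per-control applicability status, as an added example that is not part of the original article or of the standard itself. The register entries, acceptance level and Annex A extract are constructed sample values; the control references follow the numbering style of ISO 27001:2022 Annex A.

```python
from dataclasses import dataclass
SCALE = range(1, 6)  # likelihood and impact are each scored 1-5, as in the register described above

@dataclass
class Risk:
    rid: str
    title: str
    owner: str            # named risk owner, asked for in the audit
    likelihood: int
    impact: int
    treatment: str        # avoid / reduce / transfer / accept
    controls: tuple = ()  # Annex A references assigned for "reduce"
    def score(self) -> int:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact

def evaluate(register, acceptance_level):
    """Risk evaluation: rank by score; also return the risks above the acceptance level."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return ranked, [r for r in ranked if r.score() > acceptance_level]

def check_treatment(register, acceptance_level):
    """Consistency checks on the treatment plan; returns a list of findings (empty = clean)."""
    findings = []
    for r in register:
        if r.treatment not in {"avoid", "reduce", "transfer", "accept"}:
            findings.append(f"{r.rid}: no valid treatment option chosen ({r.treatment!r})")
        elif r.treatment == "reduce" and not r.controls:
            findings.append(f"{r.rid}: 'reduce' chosen but no control assigned")
        elif r.treatment == "accept" and r.score() > acceptance_level:
            findings.append(f"{r.rid}: accepted above the level, needs documented management sign-off")
    return findings

def statement_of_applicability(register, annex_a):
    """SoA: every Annex A control with status and a justification derived from the register."""
    soa = {}
    for ref, name in annex_a.items():
        treated = sorted(r.rid for r in register if r.treatment == "reduce" and ref in r.controls)
        soa[ref] = (name, "applicable" if treated else "not applicable",
                    "treats " + ", ".join(treated) if treated else "no risk in the register requires it")
    return soa

# Constructed sample data: a three-risk register and a four-control Annex A extract.
ANNEX_A = {"5.30": "ICT readiness for business continuity", "7.4": "Physical security monitoring",
           "8.8": "Management of technical vulnerabilities", "8.13": "Information backup"}
REGISTER = [Risk("R-01", "Web shop offline for three days", "Head of IT", 3, 5, "reduce", ("8.13", "5.30")),
            Risk("R-02", "Unpatched internet-facing server", "Head of IT", 4, 4, "reduce", ("8.8",)),
            Risk("R-03", "Loss of a printed visitor list", "Facilities", 2, 1, "accept")]
ACCEPTANCE_LEVEL = 6  # residual risk up to this score is accepted by top management
```

With the sample data, `evaluate` ranks R-02 (16) above R-01 (15) and leaves only R-03 (2) below the acceptance level, `check_treatment` returns no findings, and the SoA marks 7.4 as not applicable because no risk in the register is treated with it.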
Relation to ISO 27001
ISO 27005 is not certifiable and complements ISO 27001 with methodology. ISO 27001 requires a risk management process but does not prescribe a method. Organisations that use ISO 27005 document their alignment with the standard in the risk management policy and follow its logic. During the audit, the auditor typically asks:
- How is the risk management process documented?
- Which risk assessment criteria have been defined?
- How was risk identification carried out? Is a complete risk register in place?
- How are risk owners assigned?
- How is residual risk acceptance documented (ideally with date and signature)?
Mapping to other standards
| Standard | Relation to ISO 27005 |
|---|---|
| ISO/IEC 27001:2022 | Provides the requirement for a risk management process; ISO 27005 provides the methodology |
| ISO 31000:2018 | Overarching risk management standard; ISO 27005 uses its terminology |
| NIST SP 800-30 | US counterpart for risk assessment; comparable process, different scales |
| FAIR (Factor Analysis of Information Risk) | Quantitative methodology; compatible with ISO 27005 |
| OCTAVE Allegro | Asset-centred methodology; alternative approach with a similar outcome |
| BSI Standard 200-3 | Risk analysis for IT-Grundschutz; own methodology with modules |
Implementation effort
Initial risk assessment (SME): 5-15 days. Covers asset identification, workshops with business units, assessment and treatment plan. Allow more for widely distributed or complex business processes.
Annual update: 1-3 days of focused work plus ongoing maintenance following material changes (new systems, outsourcing, major incidents).
Risk workshops with top management: 2-4 hours before each management review, often semi-annually.
Tooling decision: Excel works for the first 1-2 years but becomes unwieldy beyond roughly 100 risks or once several business units are involved. At that point a dedicated risk register with links to assets, controls and incidents pays off.
Related standards
- ISO/IEC 27001: the ISMS main standard whose Clause 6.1 requires risk management.
- ISO/IEC 27002: provides the control texts selected during risk treatment.
- ISO 22301: Business Continuity Management with its own Business Impact Analysis, complementing classical risk management.
- BSI IT-Grundschutz: offers its own risk analysis methodology through BSI Standard 200-3.
Sources
- ISO/IEC 27005:2022 (ISO Online Browsing Platform) — official standard information
- ISO 31000:2018 — overarching risk management standard
- Beuth Verlag — German translation as DIN EN ISO/IEC 27005 (paid)
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments (free)