National foreword

This British Standard is the UK implementation of ISO/IEC 27005:2022.

The UK participation in its preparation was entrusted to Technical Committee IST/33/1, Information Security Management Systems.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient’s own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2022.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been technically revised.

The main changes are as follows:

all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
the terminology has been aligned with the terminology in ISO 31000:2018;
the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
risk scenario concepts have been introduced;
the event-based approach is contrasted with the asset-based approach to risk identification;
the content of the annexes has been revised and restructured into a single annex.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.

Introduction

This document provides guidance on:

implementation of the information security risk requirements specified in ISO/IEC 27001;
essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
implementation of risk management guidance in ISO 31000 in the context of information security.

This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.

This document is intended to be used by:

organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001;
persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties);
organizations that intend to improve their information security risk management process.

1 Scope

This document provides guidance to assist organizations to:

fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
perform information security risk management activities, specifically information security risk assessment and treatment.

This document is applicable to all organizations, regardless of type, size or sector.

2 Normative references

3 Terms and definitions

3.1 Terms related to information security risk

3.2 Terms related to information security risk management

4 Structure of this document

5 Information security risk management

5.1 Information security risk management process

5.2 Information security risk management cycles

6 Context establishment

6.1 Organizational considerations

6.2 Identifying basic requirements of interested parties

6.3 Applying risk assessment

6.4 Establishing and maintaining information security risk criteria

6.5 Choosing an appropriate method

7 Information security risk assessment process

7.1 General

7.2 Identifying information security risks

7.3 Analysing information security risks

7.4 Evaluating the information security risks

8 Information security risk treatment process

8.1 General

8.2 Selecting appropriate information security risk treatment options

8.3 Determining all controls that are necessary to implement the information security risk treatment options

8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A

8.5 Producing a Statement of Applicability

8.6 Information security risk treatment plan

9 Operation

9.1 Performing information security risk assessment process

9.2 Performing information security risk treatment process

10 Leveraging related ISMS processes

10.1 Context of the organization

10.2 Leadership and commitment

10.3 Communication and consultation

10.4 Documented information

10.5 Monitoring and review

10.6 Management review

10.7 Corrective action

10.8 Continual improvement

Bibliography

BS ISO/IEC 27005:2022

Information security, cybersecurity and privacy protection. Guidance on managing information security risks

Current

Published:

31 Oct 2022