BS ISO/IEC 27005:2011
Information security management systems – Information security risk management
What is it?
BS ISO/IEC 27005:2011 expands on the requirements in BS ISO/IEC 27001 for information security risk management. Conducting risk assessments and subsequently performing risk management is an essential component of any Information Security Management System (ISMS).
The technical approach used within BS ISO/IEC 27005:2011 is fully aligned with the international standard for risk management, BS ISO 31000.
How does it work?
BS ISO/IEC 27005:2011 describes an information security risk management process and associated actions modelled on the generic risk management processes defined in BS ISO 31000:2009. This process is then linked back to the risk assessment and risk management requirements of BS ISO/IEC 27001:2005. Annexes provide checklists, examples and other practical advice.
BS ISO/IEC 27005:2011 does not define or mandate any particular methodology for performing risk assessments. However, examples of suitable approaches are given in an annex.
Who should buy it?
Anyone who is planning to build an ISMS based on BS ISO/IEC 27001 needs BS ISO/IEC 27005:2011 as well. It is an essential supporting standard for ISMS implementation.
It will be useful for anyone needing insight into the practical aspects of building an ISO/IEC 27001 ISMS. It can also be used as a stand-alone guide to performing information risk management in ways compatible with BS ISO 31000.
Contents
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this International Standard
5 Background
6 Overview of the information security risk management process
7 Context establishment
8 Information security risk assessment
9 Information security risk treatment
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
Annex A Defining the scope and boundaries of the information security risk management process
Annex B Identification and valuation of assets and impact assessment
Annex C Examples of typical threats
Annex D Vulnerabilities and methods for vulnerability assessment
Annex E Information security risk assessment approaches
Annex F Constraints for risk modification
Annex G Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011
Bibliography
Revision
BS ISO/IEC 27005:2011 is currently being revised to fully align with the new edition of ISO/IEC 27001, BS ISO/IEC 27001:2013.
Although the latest edition of ISO/IEC 27001 has significantly revised risk management requirements when compared to the 2005 edition, most of the practical advice and examples within BS ISO/IEC 27005:2011 are equally applicable to an ISMS built using the latest edition of ISO/IEC 27001. Indeed, some of the risk assessment approaches used as examples within BS ISO/IEC 27005:2011 reflect BS ISO 31000:2009 (and thus BS ISO/IEC 27001:2013) and are not strictly compatible with BS ISO/IEC 27001:2005.