Definition

ISO 27005

ISO 27005 provides guidelines for information security risk management, complementing ISO 27001 requirements.

ISO/IEC 27005:2022 provides guidance for information security risk management aligned with ISO 27001. It describes the complete process: identification, analysis, evaluation and treatment of risks within the ISMS context.

Key aspects

Risk assessment process

Defines a structured process including asset, threat and vulnerability identification, impact analysis and risk level determination.

Treatment options

Presents four options: modify risk (controls), retain (accept), avoid (eliminate activity) or share (insurance, third parties).

Alignment with ISO 31000

Applies the general principles of ISO 31000 to the specific domain of information security.

Frequently asked questions

No. ISO 27001 requires risk assessment but does not prescribe a specific methodology. ISO 27005 is the most aligned and recommended guide for meeting that requirement.

It strengthens the event and risk scenario-based approach, aligning with ISO 27001:2022 and its new 93-control Annex A.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

ISO 27005

Key aspects

Risk assessment process

Treatment options

Alignment with ISO 31000

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

ISO 27005

Key aspects

Risk assessment process

Treatment options

Alignment with ISO 31000

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

ISO 27005

Key aspects

Risk assessment process

Treatment options

Alignment with ISO 31000

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

ISO 27005

Key aspects

Risk assessment process

Treatment options

Alignment with ISO 31000

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?