Improved ISO Standard helps organisations to better manage information security risks

Issue 31 – September 2011

The revised ISO/IEC 27005:2011 helps IT departments to implement a risk management approach for managing the risks covered by their information security management system (ISMS). ISO/IEC 27005, Information technology – Security techniques – Information security risk management, describes the information security risk management process and its associated actions.

'Risk management is critical to good business governance and ISO/IEC 27005 helps organisations with advice on the why, what, and how of managing information security risks in support of their governance objectives,' says Edward Humphreys, Convener of the ISO/IEC working group that developed ISO/IEC 27005.

ISO/IEC 27005:

  • helps users to implement ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements, which is based on a risk management approach. Knowledge of the concepts, models, processes, and terminology in ISO/IEC 27001 and ISO/IEC 27002:2005 Information technology – Security techniques – Code of practice for information security management is important for a complete understanding of ISO/IEC 27005
  • includes an updated framework to reflect the content of the risk management documents:
    • ISO 31000:2009 Risk management – Principles and guidelines. ISO/IEC 27005 aligns closely with ISO 31000 to help organisations that wish to manage their information security risks in the same way they manage their 'other' risks
    • ISO/IEC 31010:2009 Risk management – Risk assessment techniques
    • ISO Guide 73:2009 Risk management – Vocabulary
  • provides a generic approach – it is up to the organisation to define its own approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.

You can order PDFs of ISO and IEC Standards by calling 0800 782 632 during business hours or emailing enquiries@standards.co.nz.

Related Standards

  • AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements. Note: This Standard is identical to and reproduced from ISO/IEC 27001:2005.
  • AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management
  • AS/NZS ISO 31000:2009 Risk management – Principles and guidelines. Note: This Standard is identical to and reproduced from ISO 31000:2009.
  • ISO/IEC 31010:2010 Risk management – Risk assessment techniques
  • ISO Guide 73:2009 Risk management – Vocabulary
