ISO adds risk management to new information security standard

The new standard ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management, gives IT managers and staff a framework for implementing a risk management approach to information security, ISO explained in a release.

According to the new standard, the information security risk management process consists of context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review. The new standard draws on a number of previously issued risk management documents: ISO 31000:2009 (risk management principles and guidelines), ISO/IEC 31010:2009 (risk assessment techniques), and ISO Guide 73:2009 (risk management vocabulary).

Edward Humphreys, convener of the working group that developed the standard, commented: “ISO/IEC 27005:2011 is an essential standard for those that want to manage their risks effectively and, in particular, to comply with the popular information security management system standard ISO/IEC 27001. Risk management is critical to good business governance, and this standard helps organizations with advice on the why, what and how of managing information security risks in support of their governance objectives.”

ISO stressed that ISO/IEC 27005:2011 does not prescribe a specific methodology for information security risk management but describes a generic approach. Each organization needs to define its own approach to risk management, depending, for example, on the scope of its information security management system, the context in which it manages risk, or its industry sector.

What’s hot on Infosecurity Magazine?