ISO 27005:2022: Main Changes and Implications
In the current era of digitalization, businesses of all sizes are extremely concerned with protecting the privacy and security of their data. The growing number of cyberattacks, among other threats, exposes businesses to a variety of hazards that, if their weaknesses are exploited, can result in downtime, data breaches, compliance violations, loss of reputation and trust, monetary loss, and much more.
Thus, enterprises must now adopt a well-structured and methodical approach to managing and treating information security risks.
The international standard ISO/IEC 27005 is intended to provide recommendations for information security risk management. It includes instructions for the construction and enhancement of an organization’s information security risk management process, as well as the application of ISO/IEC 27001 requirements addressing the evaluation and treatment of information security risks.
In order to keep up with changes and developments in a given field, ISO typically revises its standards every five years after release. The ISO/IEC 27005 standard was revised and republished in October 2022, four years after its previous publication. The old version of ISO/IEC 27005 has been withdrawn and replaced by the most recent, fourth edition of the standard.
What Are the Changes in ISO 27005:2022?
The title of the new version of ISO/IEC 27005 is one of the first readily apparent modifications. Previously, the standard was titled:
ISO/IEC 27005:2018 Information technology — Security methods — Management of information security risk
The name of the revised edition is:
ISO/IEC 27005:2022 Advice on handling information security concerns
Other significant alterations include:
- The standard has been revised to conform with ISO/IEC 27001:2022 and ISO 31000:2018.
- The nomenclature has been modified to be consistent with ISO 31000:2018 terminology. For instance, the term “impact” has been replaced with “consequence.”
- The clauses have been reorganized in accordance with the structure of ISO/IEC 27001.
- All clauses now have a trigger criterion that provides guidance on when to commence an action, when to complete a stage, or when to make updates to the framework.
- The revised standard also introduces the idea of a “risk scenario,” which is described as “a sequence or combination of events leading from the initial cause to the undesirable conclusion.” This new notion replaces the phrase “incident scenario” used in the 2018 edition.
- The updated version of the standard specifies a risk management method with five primary stages for managing information security risks: context establishment, risk identification, risk analysis, risk evaluation, and risk treatment; the risk acceptance stage has been eliminated.
- Clause 10 Acceptance of Information Security Risk has also been removed from the current version of the standard. However, clause 8.6.3 Acceptance of the residual information security risk has been added to ISO/IEC 27005:2022 in order to address the acceptance of residual risk. This implies that the new version simplifies risk acceptance by reducing it to a decision point that is examined after risk treatment.
- ISO/IEC 27005:2022 adds a new component to the information security risk management process that was not present in the previous version. This component specifies the documentation rules stated in clauses 10.4.2 Documented process information and 10.4.3 Documented results information.
- The earlier version of the standard described the risk identification process as a series of actions that included identifying assets, threats, existing controls, vulnerabilities, and consequences. These actions are no longer clearly stated in the revised version of the standard.
- Two methodologies are described in ISO/IEC 27005:2022 for the identification of information security risks. While both approaches to risk identification can be used to generate risk scenarios, they differ with respect to the level at which risk identification is initiated.
- The event-based approach is a high-level assessment that entails identifying strategic scenarios by analyzing risk sources and how they affect interested parties in order to attain the desired objectives. It focuses on the threat landscape as a whole, is most suitable for macroscopic analysis, and is used to determine the effect and severity of a specific situation.
- The asset-based approach is an in-depth assessment that may be used to construct operational scenarios by carefully considering and identifying assets, threats, and vulnerabilities. The asset-based approach permits businesses to identify asset-specific threats and vulnerabilities, estimate the probability of a given situation, and select risk treatment options.
- The revised standard now includes the semiquantitative technique for analyzing information security risks in addition to the qualitative and quantitative procedures.
- In addition, ISO/IEC 27005:2022 has incorporated a new monitoring concept, namely clause A.2.7 Monitoring risk-related events, which refers to the identification of elements that can influence an information security risk scenario.
- In accordance with ISO/IEC 27001:2022, a new clause has been added to the standard covering the Statement of Applicability (SoA). This section provides guidance for developing a Statement of Applicability (SoA) that describes all intended controls for risk treatment, the basis for implementing the selected controls, and the reasons for excluding alternative controls from ISO/IEC 27001:2022, Annex A.
- Clause 10, Leveraging related ISMS procedures, has been added to provide implementation recommendations for some of the most influential clauses of ISO/IEC 27001:2022 on information security risk management.
- All annexes of the prior edition have been revised and consolidated into a single annex. The annexes of the previous edition were:
  - Annex A (informative) Determining the scope and limits of the procedure for information security risk management
  - Annex B (informative) Identification and value of assets and evaluation of their effects
  - Annex C (informative) Examples of common dangers
  - Annex D (informative) Vulnerabilities and vulnerability assessment methodologies
  - Annex E (informative) Approaches to information security risk assessment
  - Annex F (informative) Limitations on risk modification
- The present arrangement is as follows:
  - Annex A (informative) Examples of techniques that support the process of risk assessment:
    - A.1 Risk-based information security criterion
      - A.1.1 Criteria associated with risk evaluation
      - A.1.2 Risk acceptance criterion
    - A.2 Practical techniques
      - A.2.1 Information security threat factors
      - A.2.2 Assets
      - A.2.3 Sources of danger and intended outcome
      - A.2.4 Event-based method
      - A.2.5 Asset-based method
      - A.2.6 Scenarios applicable to both methods
      - A.2.7 Monitoring risk-related events
Would Updates to ISO/IEC 27005:2022 Impact My Existing ISO/IEC 27005 Certificate?
The new ISO/IEC 27005:2022 amendments will not affect the existing ISO/IEC 27005 certificate. PECB has produced an updated version of ISO/IEC 27005 Lead Risk Manager and ISO/IEC 27005 Risk Manager training courses based on the current edition of the standard for those seeking certification against ISO/IEC 27005:2022.
What relationship does ISO/IEC 27005 have to other ISO standards?
ISO/IEC 27001 and ISO/IEC 27005
ISO/IEC 27005, as a member of the ISO/IEC 27000 family, is closely related to ISO/IEC 27001. ISO/IEC 27001 specifies the criteria for an information security management system (ISMS). ISO/IEC 27005, on the other hand, can be utilized by organizations that have implemented an ISMS, as it assists in meeting the ISO/IEC 27001 requirements for information security risk management, namely clauses 6.1 Actions to address risks and opportunities, 8.2 Information security risk assessment, and 8.3 Information security risk treatment.
ISO 31000 and ISO/IEC 27005
ISO 31000 provides principles, a procedure, and a framework for managing risks encountered by companies of any size and complexity in any industry. While both standards address risk management, ISO/IEC 27005 focuses on the management of information security risks, whereas ISO 31000 outlines a process for managing all sorts of risks. ISO/IEC 27005’s guidelines and terminology are harmonized with ISO 31000’s. As a result, enterprises can utilize both standards to manage risks associated with information security and other domains.