Threats may be deliberate or accidental, and may relate to either the use and application of IT systems or to IT's physical and environmental aspects. These threats may take any form from identity theft, risks of doing business on-line, denial of service attacks, remote spying, theft of equipment or documents through to a seismic or climatic phenomenon, fire, floods or pandemic problems. These threats may result in various business impacts, for example, financial loss or damage, loss of essential network services, loss of customer confidence through to loss power supply or failure of telecommunication equipment.

A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria.

ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

The new standard is designed to assist the implementation of ISO/IEC 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002: 2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of this International Standard.

The information security risk management process consists of:

  • context establishment
  • risk assessment
  • risk treatment
  • risk acceptance
  • risk communication, and
  • risk monitoring and review.

However, ISO/IEC 27005:2008 does not provide any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, based on the context of risk management, or the industry sector.

Edward Humphreys, convener of the ISO/IEC working group that developed the standard comments: “Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.”

ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, was developed by the joint technical committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. It costs 154 Swiss francs and is available from ISO national member institutes (see the complete list with contact details) and from ISO Central Secretariat through the ISO Store or by contacting the Marketing & Communication department (see right-hand column).