ISO/IEC 27005: Risk management
ISO/IEC 27005 provides guidelines to identify, analyse, evaluate, treat and monitor information security risks. It complements ISO 27001 by detailing risk assessment methodology without prescribing a single approach.
Link with ISO 27001
ISO 27001 requires a risk-based approach (clauses 6.1, 8.2, 8.3). ISO 27005 is the methodological guide: it helps structure the risk register, impact analysis and treatment choices.
At Certi360, we often use ISO 27005 when setting up or reviewing an ISMS risk register.
What the standard covers
Organizational context and risk analysis scope.
Risk identification (assets, threats, vulnerabilities).
Risk evaluation and treatment (accept, mitigate, transfer, avoid).
Communication, monitoring and continuous review.