ISO/IEC 27005:2022 provides guidance on information security risk management and is the primary reference for organizations implementing the risk management requirements of ISO/IEC 27001. It replaces the 2018 edition and aligns with ISO/IEC 27001:2022, describing both an asset-based and an event-based approach to risk identification, following the structure of ISO 31000 more closely, and expanding the guidance on risk communication and consultation. The standard bridges the gap between the generic risk management principles of ISO 31000 and the specific information security context, giving security professionals a disciplined approach to identifying, analyzing, evaluating, treating, monitoring, and reviewing information security risks throughout the organization.
ISO/IEC 27005:2022 is the bridge between high-level risk management concepts (ISO 31000) and the specific information security context of ISO/IEC 27001. It translates general risk principles into actionable infosec practices that align with modern threat landscapes including ransomware, supply chain attacks, and cloud-native vulnerabilities.
1. Risk Management Process Framework
The standard defines a structured risk management process consisting of six key activities: context establishment, risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring and review. These activities operate within a continuous cycle, supported by ongoing communication and consultation with stakeholders throughout the process. The framework is designed to be scalable — a small startup with twenty employees can apply the same fundamental process as a multinational corporation, albeit with different levels of formality and documentation.
| Activity | Purpose | Key outputs |
|---|---|---|
| Context establishment | Define scope, risk criteria, and methodology | Risk management policy, risk acceptance criteria, scope document |
| Risk identification | Identify assets, threats, vulnerabilities, and existing controls | Asset inventory, threat catalogue, vulnerability list, risk register |
| Risk analysis | Determine likelihood and impact of risk scenarios | Risk level calculations (qualitative, quantitative, semi-quantitative) |
| Risk evaluation | Compare risk levels against acceptance criteria | Risk prioritization list, treatment decisions |
| Risk treatment | Select and implement controls to modify risk | Risk treatment plan (RTP), Statement of Applicability (SoA) |
| Risk monitoring & review | Track risks, detect changes, verify treatment effectiveness | Risk review reports, incident trends, control effectiveness metrics |
ISO/IEC 27005:2022 emphasizes the importance of establishing risk criteria early in the process. Risk criteria should reflect the organization’s risk appetite (how much risk the organization is willing to accept), legal and regulatory obligations, and stakeholder expectations. Without clearly defined criteria agreed upon by top management, risk evaluation becomes subjective and inconsistent across business units: two teams scoring the same scenario will reach different treatment decisions. Risk criteria should be reviewed periodically and updated whenever significant changes occur in the business environment or regulatory landscape.
2. Risk Assessment Methodologies and Practical Application
The standard does not prescribe a single risk assessment method. Instead, it describes several approaches and guides organizations in selecting the most appropriate one based on their context, maturity, and available data:
- Qualitative methods: Use descriptive scales (e.g., Low/Medium/High, or a 5×5 likelihood-impact matrix). Best suited for organizations with limited historical data or where expert judgment is the primary information source. Qualitative assessments can be conducted relatively quickly and are easily understood by non-specialist stakeholders.
- Quantitative methods: Use numerical values (e.g., monetary loss, probability percentages, expected annual loss). Examples include Annualized Loss Expectancy (ALE = single loss expectancy × annualized rate of occurrence), Monte Carlo simulation for complex risk scenarios, and Factor Analysis of Information Risk (FAIR), which provides a taxonomy for decomposing risk into its constituent factors. Suitable for mature organizations with robust historical data collection and analytical capabilities; the main practical difficulty is obtaining defensible frequency and loss estimates.
- Semi-quantitative methods: Combine qualitative scales with numerical weighting, assigning numeric values to qualitative labels and computing risk scores. The most common approach in practice, balancing rigor with usability. For example, assigning scores of 1-5 to likelihood and impact descriptors, then multiplying to produce a risk priority number.
For most engineering teams beginning their risk management journey, a semi-quantitative approach with a 5×5 risk matrix works well in the initial iteration. Use qualitative labels (Very Low to Very High) for both likelihood and impact, map them to a numerical score (1-5), and compute the product as the risk level. This approach is intuitive, communicable to non-technical stakeholders, and repeatable across assessment cycles. One caveat: the scores are ordinal, so the product is not a true measure of loss, and distinct combinations collapse onto the same number (a 1×5 and a 5×1 both score 5 but are very different risks). Define the bands that drive treatment decisions and the acceptance threshold explicitly in the risk criteria rather than reading the raw products as if they were cardinal values. As the organization matures, it can transition to more quantitative methods for critical risk scenarios.
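The following is an added example, not code from ISO/IEC 27005 or from any vendor tool. It implements the semi-quantitative 5×5 matrix described above, bands the product, compares each scenario with acceptance criteria to produce a prioritized treatment list, and, for scenarios that carry loss data, also computes ALE and a small Monte Carlo estimate of annual loss. The scale labels, band thresholds, acceptance thresholds, loss distributions, and sample register are all assumptions; only the ALE formula and the likelihood × impact product come from the text.

```python
"""Risk register scoring and evaluation (added example; not from the standard)."""
import math
import random
from dataclasses import dataclass
from typing import Optional

# Qualitative labels mapped to 1-5 scores (assumed scale, fixed at context establishment).
SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Bands over the 1-25 product, highest threshold first (assumed thresholds).
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]


@dataclass
class Scenario:
    id: str
    description: str
    likelihood: str
    impact: str
    sle: Optional[float] = None   # single loss expectancy, currency units (optional)
    aro: Optional[float] = None   # annualized rate of occurrence (optional)


def risk_score(likelihood: str, impact: str) -> int:
    """Semi-quantitative score: likelihood score times impact score (1-25)."""
    return SCALE[likelihood] * SCALE[impact]


def band(score: int) -> str:
    """Map a 1-25 score onto a band; bands, not raw products, drive decisions,
    because 1x5 and 5x1 share a score but describe very different risks."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score out of range: {score}")


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def evaluate(scenarios, max_accepted_score=6, max_accepted_ale=None):
    """Risk evaluation: compare each scenario with the acceptance criteria and
    return rows sorted by descending score (then ALE), i.e. a prioritization list."""
    rows = []
    for s in scenarios:
        score = risk_score(s.likelihood, s.impact)
        annual_loss = ale(s.sle, s.aro) if s.sle is not None and s.aro is not None else None
        over_score = score > max_accepted_score
        over_loss = (max_accepted_ale is not None and annual_loss is not None
                     and annual_loss > max_accepted_ale)
        rows.append({
            "id": s.id, "score": score, "band": band(score), "ale": annual_loss,
            "decision": "treat" if (over_score or over_loss)
                        else "accept (document, approve, monitor)",
        })
    rows.sort(key=lambda r: (-r["score"], -(r["ale"] or 0.0)))
    return rows


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def monte_carlo_annual_loss(events_per_year, loss_low, loss_high, trials=20000, seed=7):
    """Quantitative estimate: event count ~ Poisson(events_per_year), loss per event
    ~ Uniform(loss_low, loss_high) (assumed distributions). Returns
    (mean annual loss, 95th-percentile annual loss); the tail is what budgets miss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n = _poisson(rng, events_per_year)
        losses.append(sum(rng.uniform(loss_low, loss_high) for _ in range(n)))
    losses.sort()
    return sum(losses) / trials, losses[int(0.95 * trials)]


# Constructed sample register (illustrative, not real data).
SAMPLE = [
    Scenario("R-01", "Ransomware via phished credentials", "High", "Very High", sle=250_000, aro=0.3),
    Scenario("R-02", "Misconfigured public storage bucket", "Medium", "High", sle=80_000, aro=0.5),
    Scenario("R-03", "Laptop theft, disk fully encrypted", "Medium", "Low"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE, max_accepted_score=6, max_accepted_ale=25_000):
        print(row)
    print(monte_carlo_annual_loss(0.5, 10_000, 50_000))
```

Running the block prints the prioritized register (R-01 and R-02 marked for treatment, R-03 within the acceptance threshold) followed by the mean and 95th-percentile annual loss for the simulated scenario. The Monte Carlo output is the point of the quantitative method: the mean alone understates a scenario whose cost is dominated by rare multi-incident years.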
3. New in ISO/IEC 27005:2022 — Threat Intelligence and Risk Communication
The 2022 edition places more weight on threat intelligence as an input to risk identification and analysis, reflecting how much the threat landscape has changed since the 2018 edition. Organizations are encouraged to draw on external sources such as Information Sharing and Analysis Centers (ISACs), Computer Emergency Response Teams (CERTs), and commercial threat intelligence providers, so that the threat catalogue reflects what adversaries are actually doing to comparable organizations rather than a generic list. This complements the shift from purely reactive defense toward intelligence-driven risk management.
Organizations often make the mistake of conducting risk assessments once a year and treating the results as static artifacts. ISO/IEC 27005:2022 emphasizes that risks are inherently dynamic — new vulnerabilities are disclosed daily, threat actors continuously evolve their tactics, techniques, and procedures (TTPs), and business environments change through mergers, acquisitions, and digital transformation initiatives. Risk management must be a continuous process with ongoing monitoring and periodic reassessment, not a once-a-year compliance exercise.
The standard also expands guidance on risk communication and consultation, recognizing that effective risk management depends as much on human factors as on technical controls. It emphasizes that risk information must reach the right stakeholders at the right time, in a form they can understand and act upon. This includes upward reporting to top management in business language (focusing on potential business impact and recommended strategic decisions), lateral communication to department heads for operational coordination, and downward briefing to operational teams who own day-to-day risk mitigation responsibilities. The standard also addresses the importance of establishing a risk-aware culture where employees at all levels understand their role in managing information security risks.
4. Frequently Asked Questions
Q: What is the relationship between ISO/IEC 27005:2022 and ISO 31000?
A: ISO 31000 provides generic risk management principles and a framework applicable to any type of risk (financial, operational, strategic, etc.). ISO/IEC 27005 specializes these principles specifically for the information security domain, adding detailed guidance on threat identification, vulnerability assessment, information security control selection, and the specific risk scenarios relevant to information security.
Q: Do I need to use ISO/IEC 27005 to comply with ISO/IEC 27001 risk requirements?
A: No, ISO/IEC 27001 does not mandate a specific risk management standard. However, ISO/IEC 27005 is the most closely aligned guidance standard available, and using it demonstrates a structured, recognized approach to risk management during certification audits. Certification auditors are familiar with its methodology, which can streamline the audit process.
Q: How often should risk assessments be performed?
A: The standard does not prescribe a specific calendar frequency because this depends on organizational context. However, common practice in most industries is an annual formal risk assessment supplemented by ad-hoc assessments triggered by significant changes — new system deployments, major infrastructure changes, regulatory or legislative updates, merger and acquisition activities, or following significant security incidents.
Q: Can risk treatment involve accepting risks rather than mitigating them?
A: Yes. Risk acceptance (retention) is a legitimate treatment option alongside risk modification (mitigation), risk avoidance, and risk sharing (transfer through insurance or contracts); the 2022 edition, following ISO 31000, also lists removing the risk source, changing the likelihood or the consequences, and taking or increasing risk to pursue an opportunity. However, all accepted risks must be formally documented with rationale, explicitly approved by authorized management at the appropriate level, and subject to ongoing monitoring to ensure they remain within the organization’s defined risk acceptance criteria over time.