The information security risk management according to the ISO 27005 standard

15 Apr 2025 09:43 AM - By itSMF Staff



ISO 27005 standard: managing information security risk

The ISO/IEC 27005:2022 standard, «Information security, cybersecurity and privacy protection — Guidance on managing information security risks», provides useful guidance for all kinds of organizations, regardless of type, size or industry.

ISO 27005 is useful for all organizations that have already adopted an Information Security Management System according to the ISO 27001 standard and need to assess and treat their information security risks.

If you want an overview of the ISO/IEC 27001 Information Security Management System, check out our previous post. In the following lines, we take a look at the structure of the 27005 standard.

The ISO/IEC 27005 standard structure

The ISO/IEC 27005 standard has 10 main chapters and an «Annex A». This is an overview of the structure:

  • Chapter 1: scope
  • Chapter 2: normative reference
  • Chapter 3: terms and definitions; with focus on:
    • 3.1 «terms related to information security risk»
    • 3.2 «terms related to information security risk management».
  • Chapter 4: structure of the document
  • Chapter 5: information security risk management; with focus on:
    • 5.1 «information security risk management process»
    • 5.2 «information security risk management cycles»
  • Chapter 6: Context establishment; with focus on:
    • 6.1 Organizational considerations
    • 6.2 Identifying basic requirements of interested parties
    • 6.3 applying risk assessment
    • 6.4 establishing and maintaining information security risk criteria
      • 6.4.1 general
      • 6.4.2 risk acceptance criteria
      • 6.4.3 criteria for performing information security risk assessments
    • 6.5 choosing an appropriate method
  • Chapter 7: Information security risk assessment process
    • 7.1 general
    • 7.2 identifying information security risks
      • 7.2.1 identifying and describing information security risks
      • 7.2.2 identifying risk owners
    • 7.3 analysing information security risks
      • 7.3.1 general
      • 7.3.2 assessing potential consequences
      • 7.3.3 assessing likelihood
      • 7.3.4 determining the levels of risk
    • 7.4 evaluating the information security risks
      • 7.4.1 Comparing the results of risk analysis with the risk criteria
      • 7.4.2 Prioritizing the analysed risks for risk treatment 
  • Chapter 8: Information security risk treatment process
    • 8.1 general
    • 8.2 selecting appropriate information security risk treatment option
    • 8.3 determining all controls that are necessary to implement the information security risk treatment options
    • 8.4 comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
    • 8.5 producing a statement of applicability
    • 8.6 information security risk treatment plan
      • 8.6.1 formulation of the risk treatment plan
      • 8.6.2 approval by risk owners
      • 8.6.3 acceptance of the residual information security risks
  • Chapter 9: Operation
    • 9.1 performing information security risk assessment process
    • 9.2 performing information security risk treatment process
  • Chapter 10: leveraging related ISMS processes
    • 10.1 context of the organization
    • 10.2 leadership and commitment
    • 10.3 communication and consultation
    • 10.4 documented information
      • 10.4.1 general
      • 10.4.2 documented information about processes
      • 10.4.3 documented information about results
    • 10.5 monitoring and review
      • 10.5.1 general
      • 10.5.2 monitoring and reviewing factors influencing risks
    • 10.6 management review
    • 10.7 corrective action
    • 10.8 continual improvement
  • Annex A: Examples of techniques in support of the risk assessment process

Our infographic on ISO/IEC 27005:2022 standard

To get the «big picture» of the ISO 27005 standard, take a look at our infographic:

By Andrea Leonardi (Minerva Group Service, Alpemi Consulting & itSMF Switzerland board member).
ISO 27005:2022 is indeed a useful supplement to the ISO 31000:2018 standard on «risk management – guidelines», as it applies the guidance of the latter to the specific topic of information security risks.

If you want to keep yourself up to date with the most recent news on this topic, don't forget to subscribe to our newsletter: you will get a monthly update with the most relevant and valuable content from our experts!
