ISO 27005 - Information Security Risk Management


    ISO/IEC 27005:2018 – Information technology – Security techniques – Information security risk management

    ISO 27005 is part of the ISO 27000 family of standards. The standard provides guidelines to support the implementation of the risk management aspects of ISO 27001. The development of the standard is led by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission). The standard is reviewed every 5 years.

    Last Updated: July 30, 2019

  • General

    ISO 27005 provides guidelines for information security risk management in an organization. The standard covers various aspects of information security risk management, including:

    • establishing a context for risk management
    • defining risk evaluation and acceptance criteria
    • steps for identifying, analyzing and evaluating risks
    • implementing risk treatment plans and conducting ongoing monitoring and review of risks

    However, ISO 27005 does not provide any specific method for risk management. Organizations need to define their own approach. An organization can do so by referring to:

    • the scope of the organization’s information security management system (ISMS)
    • the context of the organization’s risk management, or
    • the industry sector of the organization

    It is worth noting that ISO 27005 does not contain direct guidance on implementing the ISMS requirements specified in ISO/IEC 27001. The methodology described in ISO 27005 for implementing an ISMS is based on the asset, threat and vulnerability risk identification approach, which is no longer required by ISO/IEC 27001.

    ISO 27005 applies to all types of organizations, whether a commercial enterprise, a government agency, or a non-profit organization. The standard applies when an organization intends to manage risks that could compromise its information security. ISO 27005 can be used by:

    • an organization’s managers and staff concerned with information security risk management
    • external parties supporting an organization’s information security risk management

    ISO 27005 refers to concepts, models, processes and terminology set out in ISO/IEC 27001 and ISO/IEC 27002.

