Information security, cybersecurity and privacy protection - Guidance on managing information security risks
French title: Sécurité de l'information, cybersécurité et protection de la vie privée - Préconisations pour la gestion des risques liés à la sécurité de l'information (Information security, cybersecurity and privacy protection - Recommendations for managing information security risks)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, CP 401, Ch. de Blandonnet 8, CH-1214 Vernier, Geneva. Email: copyright@iso.org. Phone: +41 22 749 01 11. Website: www.iso.org. Published in Switzerland.
Contents
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Establishing and maintaining information security risk criteria
6.4 Applying risk assessment
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Operation
9.1 Performing information security risk assessment process
9.2 Performing information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Continual improvement
10.8 Corrective action
Annex A (informative) Examples of techniques in support of the risk assessment process
Bibliography
ISO/IEC 27005:2022(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018) which has been technically revised.
The main changes are as follows:
- all guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
- the terminology has been aligned with the terminology in ISO 31000:2018;
- the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
- risk scenario concepts have been introduced;
- the event-based approach is contrasted with the asset-based approach to risk identification;
- the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.