Alison Iso27005

The document provides an overview of ISO 27005, a standard for information security risk management, detailing its importance, benefits, and the steps involved in establishing an information security management system. It outlines the risk management process, including risk identification, analysis, evaluation, and treatment, along with the iterative nature of these processes. Additionally, it compares ISO 27005 with other risk management methodologies and highlights recent updates to the standard.


ALISON: ISO 27005 - Essentials of Information Security Risk Management

MODULE 1

Having completed this module, you will be able to:

Explain the importance of ISO/IEC 27005 as the standard for establishing information security management systems.

Discuss information security risk management systems other than the ISO 27000 standards.

List the steps of establishing an information security management system within an organization.

Indicate the ISO/IEC 27005 requirements to establish the context of its information security risk management system.

Distinguish between the cycles in information security risk management systems.

Define the critical terms in the context of an information security management system, i.e., risk appetite and risk owner.

Recognize the influencing factors that are involved in the formation of the risk acceptance criteria.

ALISON: ISO 27005 - Essentials of Information Security Risk Management 1


What Is Information Security Risk Management?
With ever-increasing digitalization worldwide, businesses and organizations
constantly incorporate information security measures in their frameworks. While
these measures prove to be beneficial, it is highly important to implement them
systematically. Doing so is important to prevent risks associated with information
security.
Information Security Risk Management - Definition
It is the process of understanding the events that can affect an organization's
information assets and the consequences of those events.
Only when an organization knows the threats its information assets face can it
create effective strategies for its protection. However, we need to know that
information security risk management does not mean a complete elimination of all
the information risks. Instead, it refers to determining the tolerable risk threshold
for the organization. Once this threshold has been defined, risk management
leads to the creation of a strategy to address the identified risks.

An organization must take a standardized approach to identifying and addressing
the risks its information assets face. This can be achieved by following the
requirements of the information security standards enacted by the International
Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC).

Regarding information security risk management, ISO has established a complete
family of standards, the ISO 27000 family. The following standards come under
this family:

ISO 27001: It contains requirements for building, monitoring, and improving an ISMS (Information Security Management System).

ISO 27002: It specifies controls for protecting the ISMS.

ISO 27005: It provides a risk management framework for the ISMS.

Together, these standards help an organization create, monitor, and continually
improve its ISMS.

What Is ISO 27005?
In this course, our focus will be on the ISO 27005 standard. Although it is not a
governmental or regulatory obligation that organizations must fulfill at all costs, it
is one of the best approaches to establishing a risk management framework. It is
essential to remember that getting certified against ISO 27005 is not meant only
for organizations certified against ISO 27001. Instead, any organization can
benefit from this standard.

Here is a brief overview of the standard in a tabular form:

How Is ISO 27005 Beneficial for Organizations?
Compared to other risk management methodologies, ISO 27005 is beneficial
for organizations in the following terms:

Simple Processes
ISO 27005 lays out five steps to help organizations identify and manage
information security risks. It ensures that organizations can thoroughly
address the threat landscape. Its repeatable approach keeps it relevant even when
an organization is battling emerging threats.
Compliance With ISO 27001
Organizations that strongly implement ISO 27005 will find it easy to comply with
and eventually certify against the ISO 27001 standard.
Flexibility

ISO 27005 is flexible because it allows organizations to approach risk
management in a way that suits their business objectives and needs.

Changes and Modifications in ISO 27005


Since its inception, ISO 27005 has undergone several revisions to better align with
ISO 27001. During this course's development, the latest version of ISO 27005 was
published in 2022 (ISO 27005:2022). The 2022 version has replaced the 2018
version.

Here are some of the significant changes we see in the latest standard version.

It has merged the 12 clauses and six annexes of ISO 27005:2018 into ten
clauses and one annex only.

It has established a new risk management process comprising five steps.

It has introduced new approaches to identifying information security risks. These are:

Asset-based approach: This approach requires identifying asset-specific vulnerabilities and threats, determining the likelihood of occurrence, and defining the particular risk-treatment options.

Event-based approach: This approach involves identifying risks while focusing on the overall threat landscape and determining their likelihood and consequence.

Other Types of Risk Management Methodologies

Now that we have gotten a gist of the ISO 27005 standard, let us look over some
other risk management methodologies commonly adopted by organizations.
Each of these methods can help establish a robust risk management system
for information security within an organization:

Qualitative Risk Assessment


This approach involves evaluating different scenarios. Identifying different risks
requires answering the "what if" questions. In this type of risk assessment, a risk
matrix is commonly used to assess the likelihood and impact of each kind of risk.
This matrix uses grades such as high, medium, and low, thus allowing easy
prioritization of the risks.

Quantitative Risk Assessment


This type of risk assessment defines risk using data and numbers. For instance, it
uses data to measure the impact and probability of individual risks.

Semi-quantitative Risk Assessment


A semi-quantitative risk assessment combines qualitative and quantitative risk
assessments. In this type of risk assessment, one parameter is assigned
qualitatively while the other is assigned quantitatively. This type of risk
assessment provides limited insights and is only used if the data required for a
quantitative risk assessment is incomplete or unreliable.

Threat-Based Risk Assessment

As its name suggests, threat-based risk assessment examines conditions that can
create and contribute to increased risks. It determines the techniques used by
rogue elements and the methods organizations can employ to stay safe against
them.

Asset-Based Risk Assessment

These types of risk assessments focus on the risks faced by the organization's
assets. These assets can be physical, or they can be a company's data or
intellectual property.

Vulnerability-Based Risk Assessment

With this approach, organizations can identify the highest-priority risks. In these
types of risk assessments, various vulnerability management solutions are
deployed, such as AI, machine learning, and vulnerability scanning tools. With
these insights, cybersecurity teams can focus on any urgent risks.

Bibliography
1. Bonnie, Emily. “How to Develop a Risk Management Strategy + 6 Popular
Methodologies to Choose From.” Secureframe, 11 Apr. 2023,
secureframe.com/blog/risk-management-methodologies. Accessed 18 Aug. 2024.
2. ---. “The ISO 27005 Approach to Information Security Risk Management: 2022
Updates Explained.” Secureframe, 1 Nov. 2023, secureframe.com/blog/iso-
27005. Accessed 18 Aug. 2024.

The Steps of Managing Information Security Risks

Step 1 - Establishing the Context: establishing the goals and criteria for information security risk management

Step 2 - Risk Identification

1. Event-based approach

2. Asset-based approach

Step 3 - Risk Analysis

1. Qualitative approach

2. Quantitative approach

3. Semi-quantitative approach

Step 4 - Risk Evaluation

Step 5 - Risk Treatment

The five steps to identify, evaluate, and address information security risks under
ISO 27005 are:

Step 1 - Establishing the Context


This step requires organizations to set goals and criteria for risk management.
During this step, the organization gathers its important stakeholders and
discusses some important questions with them, such as:

What are their information security goals, and are they aligned with their overall business objectives?

What regulatory, contractual, and compliance requirements have been considered?

What are the existing risk management approaches within the organization?

How does the organization's information security risk management process align with its other risk management approaches?

On what basis does the organization decide that it will accept certain security risks and mitigate others?

Step 2 - Risk Identification


Risk identification is the second step in managing information security risks. As
per ISO 27005, there are two complementary approaches to risk identification.
The organization can choose a single approach or use both of them together.

1. Event-Based Approach

This approach focuses on the organization's overall threat scenario, where it identifies the main events or scenarios that can introduce a risk.

2. Asset-Based Approach

It focuses on the organization's specific architecture and assets and determines any key vulnerabilities and risks concerning each information asset.

[Figure: Information Security Risk Assessment - Components. Red arrows show the threats posed by each component to another.]

Step 3 - Risk Analysis

In ISO 27005, the third step to managing information security risks is risk analysis.
This step helps an organization pinpoint the systems, services, and data that are at
the most risk and determine the severity of each risk.

1. Qualitative Approach
It considers various scenarios and helps organizations identify different risks
by answering the "what-if" questions.

2. Quantitative Approach
The quantitative approach uses data and numbers to define risk levels.

3. Semi-Quantitative Approach
Some aspects of risk management can be quantified with statistical methods
(e.g., likelihood). Others, such as impact, can be defined with subjective
methods, such as expert opinions.

Step 4 - Risk Evaluation


After analyzing the risks, organizations must decide how they would respond to
each one. For this purpose, they may need to compare each risk against the
tolerance criteria decided in Step 1. Risk evaluation helps with prioritizing risks for
systematic treatment.

Step 5 - Risk Treatment


In terms of risk treatment, ISO 27005:2022 focuses on the responsibility of the
risk owners to:

Create and approve a risk treatment plan and

Accept any residual risks

Risk owners should also be involved in the decision-making process regarding the
controls that will be implemented for risk treatment.

Other Risk Management Methodologies

To end this topic, it is worth discussing some of the other well-recognized
information security risk management methodologies.

OCTAVE
OCTAVE focuses on risk-based information security strategies tailored to the
organization's business needs. This framework identifies goals, assets, and
threats. It also evaluates vulnerabilities against the identified threats and helps the
organization develop a risk mitigation plan.
NIST 800-53

It is a systematic process for understanding the threats and vulnerabilities to an
organization's IT systems. With this framework, organizations can identify
vulnerabilities and threats, determine the impact and likelihood of those threats, and
conduct risk determination and control analysis.
NIST CSF
NIST CSF provides organizations with comprehensive guidelines and standards
with which they can improve their cybersecurity risk management.
DoD RMF

The US Department of Defense has developed this Risk Management Framework
(RMF). As a structured framework, it helps organizations manage and secure their
information systems. The risk management methods presented in this RMF are
explicitly designed for the defense sector.
The FAIR Framework
FAIR is an acronym for Fair Analysis of Information Risk. It is a quantitative model
for risk identification and management that analyzes and evaluates information
security risks. The FAIR framework measures and assesses cyber risks by
considering different factors, such as impact and frequency.

The Qualitative Approach

The qualitative approach is part of Step 3: risk analysis. Here, we will take a look
at an example of the consequences scale according to the qualitative approach:

The Qualitative Risk Matrix

This qualitative risk matrix gauges the consequences against the likelihood of
their occurrence.

Bibliography
1. DataGuard Insights. "Information Security Risk Management Framework | DataGuard." Dataguard.co.uk, 10 July 2024, www.dataguard.co.uk/blog/information-security-risk-management-framework. Accessed 19 Aug. 2024.
2. Bonnie, Emily. "The ISO 27005 Approach to Information Security Risk Management: 2022 Updates Explained." Secureframe, 1 Nov. 2023, secureframe.com/blog/iso-27005. Accessed 19 Aug. 2024.

Information Security Risk Management - 5
The Information Security Risk Management Process - 5.1
To explain the information security risk management process discussed in ISO
27005, we will begin with Clause 5 of the standard.

The information security risk management process can be iterative for risk
assessment activities. Each iteration can increase the detail and depth of the
assessment. This approach also strikes a balance: it reduces the time and effort
spent on control identification while still ensuring an appropriate assessment
of the risks.
Context Establishment

Context establishment refers to the assembly of internal and external context for:

Information security risk assessment

Information security risk management

The information security risk management process divides the tasks into the
following two categories:

Complete risk assessment: A risk assessment with sufficient information to identify the actions required for risk modification to an acceptable level.

Incomplete risk assessment: A risk assessment may need another iteration if the information is insufficient. This iteration can involve a contextual change of the risk assessment, involving expertise in the relevant field, or other methods of collecting information to enable risk modification to an acceptable level.

The following iterative process is involved in risk treatment:

Formulating the risk treatment options and selecting them

Planning and implementing the risk treatment options

Analyzing the effectiveness of the risk treatment options

Deciding the acceptability of the remaining risk

Performing further treatment if the remaining risk is unacceptable
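The following is an added example, not code from the Alison course or from ISO 27005 itself. It puts the qualitative risk matrix (Step 3), the Step 4 comparison against the tolerance criteria set in Step 1, and the iterative treatment loop just listed into working form; the scale labels, matrix cells, sample risks, and candidate controls are all constructed assumptions.

```python
"""Added example, not code from the Alison course or from ISO 27005 itself.
Qualitative risk matrix (Step 3), evaluation against the Step 1 tolerance
criterion (Step 4), and the iterative treatment loop (Step 5). Scale labels,
matrix cells, sample risks and candidate controls are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed 5-point ordinal scales, lowest first. ISO 27005 leaves the actual
# scales to each organization; these labels are illustrative only.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["negligible", "minor", "moderate", "major", "severe"]
LEVELS = ["low", "medium", "high", "critical"]

# Constructed matrix: MATRIX[likelihood index][consequence index] -> level.
MATRIX = [
    ["low",    "low",    "low",    "medium",   "medium"],
    ["low",    "low",    "medium", "medium",   "high"],
    ["low",    "medium", "medium", "high",     "high"],
    ["medium", "medium", "high",   "high",     "critical"],
    ["medium", "high",   "high",   "critical", "critical"],
]


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    owner: str                      # the accountable risk owner
    controls_applied: list = field(default_factory=list)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # steps down the likelihood scale
    consequence_reduction: int = 0  # steps down the consequence scale


def risk_level(likelihood: str, consequence: str) -> str:
    """Step 3 (qualitative): look up the level for a likelihood/consequence pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def is_acceptable(level: str, tolerance: str) -> bool:
    """Step 4: acceptable when the level does not exceed the tolerance level."""
    return LEVELS.index(level) <= LEVELS.index(tolerance)


def evaluate(risks, tolerance):
    """Step 4: return (risk, level) pairs needing treatment, highest level first."""
    pending = [(r, risk_level(r.likelihood, r.consequence)) for r in risks]
    pending = [(r, lvl) for r, lvl in pending if not is_acceptable(lvl, tolerance)]
    pending.sort(key=lambda pair: LEVELS.index(pair[1]), reverse=True)
    return pending


def step_down(scale, value, steps):
    """Move `steps` positions down an ordinal scale without leaving it."""
    return scale[max(0, scale.index(value) - steps)]


def treat(risk, candidate_controls, tolerance, max_iterations=5):
    """Step 5 as the iterative loop in the text: select and apply the next
    control, re-analyze the residual risk, and stop when it is acceptable,
    when no controls remain, or when the iteration cap is reached.
    Returns (residual_level, decision)."""
    level = risk_level(risk.likelihood, risk.consequence)
    queue = list(candidate_controls)
    iterations = 0
    while not is_acceptable(level, tolerance) and queue and iterations < max_iterations:
        control = queue.pop(0)
        risk.likelihood = step_down(LIKELIHOOD, risk.likelihood, control.likelihood_reduction)
        risk.consequence = step_down(CONSEQUENCE, risk.consequence, control.consequence_reduction)
        risk.controls_applied.append(control.name)
        level = risk_level(risk.likelihood, risk.consequence)
        iterations += 1
    if is_acceptable(level, tolerance):
        return level, "accept residual risk (requires risk owner approval)"
    return level, "further treatment needed: residual risk still exceeds tolerance"


def demo():
    """Constructed register: one risk above tolerance, two already acceptable."""
    tolerance = "medium"  # assumed Step 1 tolerance criterion
    risks = [
        Risk("unpatched remote-access gateway", "likely", "major", "IT operations"),
        Risk("lost unencrypted laptop", "possible", "moderate", "HR"),
        Risk("printer toner shortage", "likely", "negligible", "Facilities"),
    ]
    ranked = evaluate(risks, tolerance)
    controls = [
        Control("patch within 7 days of release", likelihood_reduction=2),
        Control("segment gateway from core systems", consequence_reduction=1),
    ]
    residual, decision = treat(risks[0], controls, tolerance)
    return ranked, residual, decision


if __name__ == "__main__":
    ranked, residual, decision = demo()
    for risk, level in ranked:
        print(f"treat: {risk.name} [{level}] owner={risk.owner}")
    print(f"residual after treatment: {residual} -> {decision}")
```

In the constructed register only the first risk exceeds the "medium" tolerance; one control lowers its likelihood by two steps, and the loop stops because the residual level is then acceptable, leaving the second control unused.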

Cycles in Information Security Risk Management - 5.2
Both risk assessment and risk treatment must be updated regularly. This applies
to the whole risk treatment process, with the updates being divided into two risk
management cycles:

1. Strategic Cycle

Here, risk sources and threats, consequences, target objectives, and
business assets concerning information security events arise from changes
in the overall organizational context. These can be turned into inputs for the
overall risk assessment(s) and risk treatment update. This cycle can also
start new risk assessments or identify new risks.

2. Operational Cycle

In this cycle, the previously mentioned elements work as change criteria or
input information that can affect a risk assessment or an assessment where
the scenarios need to be reviewed and updated. The review should also
include updating the corresponding risk treatment.

Establishing the Context - 6


Organizational Considerations - 6.1
Under ISO 27005, an organization is an entity comprising a person or group with
responsibilities, functions, authorities, and relationships to achieve its objectives.
An organization doesn't have to be a company, a legal entity, or a corporate body.
Instead, it can also be a subset of a legal entity and still be considered an
organization under the ISMS context.
What is Risk Appetite?
Risk appetite refers to the amount of risk an organization is willing to accept. The
risk appetite should be set by the organization's top management, which should
also review it regularly.

Role of the Risk Owner

The organization should determine the role of the risk owner regarding the
identified risks. This should be done as part of management activities. There should be
accountability and authority designated for the risks identified by the risk owners.

Basic Requirements of the Interested Parties - 6.2


It is required to identify the basic requirements of the interested parties involved.
Their compliance with these requirements should also be kept in mind. This will
include defining:

All the reference documents defining the security rules, and

Controls that are applicable within the scope of the information security risk assessment.

A list of reference documents that can be included in the process is given below.
Please note that this list isn't exhaustive:

Any additional standard covering ISMS

Security controls and rules from agreements or contracts

ISO/IEC 27001:2022, Annex A

Any national or international regulations

Internal security rules of the organization

Security controls that have been implemented according to previous risk treatment activities

Risk Assessment - Application - 6.3


Organizations can perform risk assessments by embedding them in different
processes, such as project management, problem management, or incident
management. They can also embed them impromptu for a specifically identified
topic. Regardless of how they are performed, risk assessments should collectively
cover all the issues that apply to the scope of the organizational ISMS.

Since the primary goal of the risk assessment is to help organizations regarding
the decision-making process in risk management, they should target their risk
assessment on those risks and controls that will improve their likelihood of
achieving their objectives.

Establishing and Maintaining the Risk Criteria for Information Security - 6.4

ISO 27001 requires organizations to define their risk criteria, and it specifies
the requirements for establishing and maintaining information security risk
criteria. In short, these criteria are:

The risk acceptance criteria

The criteria to perform information security risk assessments

While setting the risk criteria, the organization should consider its capacity,
factors related to time, consistency regarding the use of measurements, ways to
determine the risk level, and how to define, predict, and measure the likelihood
and consequences. The nature and type of uncertainties, tangible or
intangible, should also be considered, as they can affect both the objectives and
the outcomes.

The Risk Acceptance Criteria - 6.4.2


Risk acceptance criteria should determine the acceptability of a risk in risk
evaluation. In risk treatment, the risk acceptance criteria can also determine
whether the proposed risk treatment is sufficient to achieve an acceptable risk
level or if further risk treatment is needed.
Levels of Risk Acceptance
The levels of risk acceptance should be defined by the organization. For this
purpose, these should be considered:

Consistency among the organization's general risk acceptance and the information security risk acceptance.

Identification of the risk acceptance decisions with the management level having the delegated authority.

The definition of the risk acceptance criteria according to the risk appetite. This should also show the amount and type of risk that the organization wants to retain or pursue.

Essentials of Risk Acceptance

This page continues the requirements related to the risk acceptance criteria:
Basis of Risk Acceptance Criteria
Multiple thresholds and acceptance authority can be delegated to different
management levels. Risk acceptance can be based solely on likelihood and
consequence. It can also be extended to consider the cost-benefit balance
between the controls' costs and prospective losses.
Application of Risk Criteria According to the Risk Class
Different risk classes can be assigned different risk acceptance criteria. For example,
a risk class can include risks causing non-compliance with laws. Another example
could be accepting risks in light of a contractual requirement.

Requirements for Future Treatment


Risk acceptance criteria can also include requirements for future risk treatment.
For example, a risk can be retained for a short period even if the risk level exceeds
the risk acceptance criteria.
Defining the Risk Acceptance Criteria
Risk acceptance criteria must be defined according to the risk appetite. This risk
appetite shows the type and amount of risk the organization will retain or pursue.

Bibliography
1. ISO/IEC 27005, Information Security, Cybersecurity and Privacy Protection - Guidance on Managing Information Security Risks. International Organization for Standardization. Accessed 20 Aug. 2024.

Establishing the Context - 6

Risk Acceptance Criteria - 6.4.2

For simplicity, we have broken down the requirements of Clause 6 into two topics.
In this topic, we will again continue from the requirements regarding establishing
the context. To begin with, here are the influencing factors that must be
considered when establishing the risk acceptance criteria:

Processes

Organizational objectives and opportunities

Operational activities

Supplier relationships

Technological limitations

Human factors

Legal and regulatory aspects

Please note that this list is not exhaustive.

Criteria to Perform Information Security Risk Assessment - 6.4.3

Risk assessment criteria specify a risk's significance regarding its consequences,
level, and likelihood. Also, information security risk assessment criteria must
consider the appropriateness of risk management activities. To achieve this
appropriateness, the following should be considered:

Information's classification level

Quantity and concentration of information

Strategic value of the business processes that use this information

Importance of the information and assets concerned with the involved information

Business and operational importance of integrity, confidentiality, and availability

Interested party's expectations and perceptions

Any negative consequences

Consistency with the risk criteria of the organization

Typically, the information security risk criteria comprise consequences, likelihood,
and level of risk. Let us first have a look at the criteria concerned with the
consequences:

Considerations in Defining the Consequence Criteria - 6.4.3.2

Loss of freedom, dignity, right to privacy, or loss of life or harm to groups and/or individuals

Loss of capital, including intellectual and staff capital

Effects incurred by deadlines and plans

Impaired third-party or internal operations

Damage to public reputation or trust

Loss of financial value and business

Adverse impact incurred by the interested parties

Loss of market share

Negative impact on the environment

Breaches of regulatory, statutory, or legal requirements

Breaches of service levels and contracts

Likelihood Criteria - 6.4.3.3


The likelihood criteria are based on several aspects, such as:

Technological failure

The extent to which organizational vulnerabilities are exploited

Any unnatural or accidental events

Human acts and omissions

The extent to which the relevant asset or information is exposed to the threat

The likelihood can be expressed in:

Probabilistic terms: Chance that an event will occur in the timeframe

Frequentist terms: Notional average number of occurrences in a timeframe

Criteria to Determine the Risk Level - 6.4.3.4


The organization is required to develop a risk ranking by considering:

The likelihood criteria and the consequence criteria.

Contractual obligations.

Legal and regulatory requirements.

The consequences that information security events can impose on the tactical, operational, and strategic levels.

Risks that are outside the organization's scope boundary also include any
unforeseen effects incurred by third parties.

Having these criteria is crucial for the evaluation of analyzed risks.
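The block below is an added example, not code from the course or from ISO 27005. It shows the two expressions of likelihood named in 6.4.3.3 (a frequentist rate and a probability over a timeframe) and how they convert, maps the result to a likelihood band, ranks the risk as 6.4.3.4 requires, and applies risk-class-specific acceptance criteria with time-limited retention as described in 6.4.2. The band thresholds, scoring rule, risk classes, and sample risks are constructed assumptions.

```python
"""Added example, not code from the course or from ISO 27005. Likelihood in
frequentist and probabilistic terms (6.4.3.3), risk ranking (6.4.3.4) and
class-specific acceptance criteria with time-limited retention (6.4.2).
Band thresholds, scoring rule, risk classes and sample risks are constructed."""
import math
from datetime import date, timedelta


def rate_to_probability(rate_per_year: float, years: float = 1.0) -> float:
    """Frequentist -> probabilistic. Assuming occurrences are independent
    (Poisson arrivals), P(at least one event in `years`) = 1 - exp(-rate*years).
    An average of 2 events a year is an 86% chance of at least one, not 200%."""
    return 1.0 - math.exp(-rate_per_year * years)


def probability_to_rate(p: float, years: float = 1.0) -> float:
    """Probabilistic -> frequentist, the inverse of rate_to_probability."""
    if not 0.0 <= p < 1.0:
        raise ValueError("probability must be in [0, 1)")
    return -math.log(1.0 - p) / years


# Constructed bands on the annual probability of at least one occurrence.
BANDS = [(0.05, "rare"), (0.25, "unlikely"), (0.50, "possible"), (0.80, "likely")]
TOP_BAND = "almost certain"
LIKELIHOOD = [label for _, label in BANDS] + [TOP_BAND]
CONSEQUENCE = ["negligible", "minor", "moderate", "major", "severe"]
LEVELS = ["low", "medium", "high", "critical"]


def likelihood_band(rate_per_year: float) -> str:
    """Express a frequentist estimate as one of the qualitative bands."""
    p = rate_to_probability(rate_per_year)
    for upper, label in BANDS:
        if p < upper:
            return label
    return TOP_BAND


def risk_level(band: str, consequence: str) -> str:
    """Constructed ranking rule: sum of the two ordinal positions (0..8),
    bucketed two points per level. A matrix lookup would serve equally well."""
    score = LIKELIHOOD.index(band) + CONSEQUENCE.index(consequence)
    return LEVELS[min(score // 2, len(LEVELS) - 1)]


# Constructed acceptance criteria per risk class: the highest level the class
# may retain, and how long a risk above it may be retained while treatment is
# planned (the "requirements for future treatment" of 6.4.2). Risks of legal
# non-compliance retain nothing and get no grace period.
ACCEPTANCE = {
    "legal":       {"max_level": None,     "grace_days": 0},
    "contractual": {"max_level": "low",    "grace_days": 30},
    "operational": {"max_level": "medium", "grace_days": 90},
}


def decide(risk_class: str, rate_per_year: float, consequence: str, today_iso: str):
    """Apply the class's acceptance criteria. Returns (level, action, review_date),
    where review_date is an ISO date string for time-limited retention, else None."""
    level = risk_level(likelihood_band(rate_per_year), consequence)
    crit = ACCEPTANCE[risk_class]
    if crit["max_level"] is not None and LEVELS.index(level) <= LEVELS.index(crit["max_level"]):
        return level, "accept", None
    if crit["grace_days"] > 0 and level != "critical":
        review = date.fromisoformat(today_iso) + timedelta(days=crit["grace_days"])
        return level, "retain pending treatment", review.isoformat()
    return level, "treat now", None


if __name__ == "__main__":
    # Constructed sample risks: (class, average occurrences per year, consequence)
    for cls, rate, cons in [("operational", 0.3, "moderate"),
                            ("legal", 0.01, "minor"),
                            ("contractual", 2.0, "negligible")]:
        print(cls, rate, cons, "->", decide(cls, rate, cons, "2024-08-20"))
```

Note that the "legal" class sends even a low-level risk to treatment, since its acceptance criterion retains nothing, while the other classes may retain a higher level for a fixed review period.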

Choosing the Appropriate Method - 6.5


The organization's information security risk management approach should align
with the methods and approaches used to manage other organizational risks.
Whatever approach is chosen, it should be documented. Also, ISO/IEC 27001's
Clause 6.1.2 (b) requires organizations within the ISMS scope to ensure that
repeated information security risk assessments produce consistent, valid, and
comparable results. Thus, the chosen method must ensure that the results
have the following properties:

Validity: Assessments must produce results that are close to reality.

Consistency: Assessments performed by different persons for the same risks, or those performed by the same people on different occasions, should produce the same result.

Comparability: The risk assessment criteria must be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent risk levels.

Operational risk management methods are usually used for information
security risk management.

Bibliography
1. ISO/IEC 27005, Information Security, Cybersecurity and Privacy Protection - Guidance on Managing Information Security Risks. International Organization for Standardization. Accessed 21 Aug. 2024.

Lesson Summary
The following important points have been covered in this module:
Types of Risk Management Methodologies

Qualitative risk assessment: This approach involves evaluating different scenarios. To identify different risks, it requires answering the "what if" questions.

Quantitative risk assessment: This type of risk assessment defines risk using
data and numbers.

Semi-quantitative risk assessment: A semi-quantitative risk assessment combines qualitative and quantitative risk assessments. In this type of risk assessment, one parameter is assigned qualitatively, while the other is assigned quantitatively.

Iterative Processes Involved in Risk Treatment

Formulating the risk treatment options and selecting them

Planning and implementing the risk treatment options

Analyzing the effectiveness of the risk treatment options

Deciding the acceptability of the remaining risk

Performing further treatment if the remaining risk is unacceptable

Cycles in Information Security Risk Management

Strategic cycle: In this cycle, risk sources and threats, consequences, target
objectives, and business assets concerning information security events evolve
from changes in the overall organizational context.

Operational cycle: In this cycle, the aforementioned elements work as change criteria or input information that can affect a risk assessment or an assessment where the scenario needs to be reviewed and updated.

MODULE 2

Learning Outcomes
Having completed this module, you will be able to:

Indicate the activities carried out in the information security risk assessment
process.

Recognize the parameters to identify the risk owners.

Outline the results of risk analysis against risk criteria.

Identify the requirements for risk treatment options.

Define the method to communicate risks.

Information Security Risk Assessment Process - 7

There are several general requirements regarding the information security risk
assessment process that an organization must fulfill, both when it defines the
information security risk assessment process and when it assesses risks.

A risk assessment comprises the following activities:

Risk Identification

This is a process to find, recognize, and define the risks.

Risk Analysis

It is a process that helps organizations comprehend the risk types and
determine their level. It also considers the causes and sources of risk, the
likelihood of a specific event, its consequences, and their severity.

Risk Evaluation

This process compares the results of a risk analysis with risk criteria to
determine if the risk is acceptable. This comparison is also made to prioritize
the analyzed risks to treat them.

Identification of the Information Security Risks - 7.2

The following parameters are of the utmost importance to identify the information
security risks:

Trigger: Interested parties, experts, or risk owners have to look for any new or
changed events that can impact the achievement of information security
objectives.

Action: Any risks associated with the loss of confidentiality, availability, or
integrity of the information must be identified.

Input: These events can negatively influence the achievement of information
security objectives in the organization(s).

Output: It is a list of identified risks.

The risk identification process aims to find, recognize, and describe the risks. It
also aims to generate a list of risks according to those events that can affect,
prevent, or delay the organization's ability to achieve its information security
objectives.

Identifying the Risk Owners


The following parameters are important in identifying risk owners:

Input: It is a list of identified risks.

Output: It is a list of risk owners with associated risks.

Actions: This refers to associating risks with the risk owners.

Trigger: Identifying risk owners becomes crucial when this has not been done
before and when personnel change in the business area(s) where risk is
present.

The risk owners can be the security committee, functional owners, department
managers, process owners, asset owners, and top management. Similarly, an
organization must use the organizational risk assessment process to identify
high-risk owners. If this is not possible, then it should define the criteria for
their identification. Such criteria should ensure that risk owners:

Are held accountable for, and authorized to manage, the risks they own.

Understand the relevant issues and are able to make informed decisions.

Information Security Risk Analysis - 7.3


The core aim of performing a risk analysis is to determine the level of risk. Here, it
is important to mention that the techniques for risk analysis based on
consequences and likelihood can be of the following types:

Quantitative: Here, a scale with numerical values is used (e.g., probability or
frequency of occurrence, monetary cost).

Qualitative: Here, a scale of qualifying attributes is used (e.g., high, medium,
low).

Semiquantitative: It uses a qualitative scale having assigned values.

Risk analysis should only target risks and controls that can improve the
organization's likelihood of achieving its objectives. Organizations can easily
spend significant time on risk assessment, especially on assessing consequences
and likelihood.

Assessment of the Potential Consequences - 7.3.2

The potential consequences are assessed based on the following criteria:

Input: It is a list of identified risk scenarios or relevant events. It also includes
business processes, risk resources, consequence criteria, identification of risk
resources, and business objectives. The list of existing controls, their
effectiveness, implementation, and usage status is also included in the input.

Action: The consequences of inadequate preservation of confidentiality,
availability, or integrity of the information must be identified and assessed.

Trigger: Consequences must be assessed when:

Their assessment has not been done before.

The list produced by "risk identification" gets changed.

Risk owners or interested parties change the units in which they want
specification of the consequences.

Changes in the context or scope are identified that can affect the
consequences.

Assessment of Likelihood - 7.3.3


Requirements regarding the assessment of likelihood are:

Input: Input comprises a list of identified risk scenarios or events. It also
includes business processes, identification of risk resources, business
objectives, and likelihood criteria. Input also includes a list of all the existing
controls, their effectiveness, usage status, and implementation.

Action: The likelihood of possible or actual scenarios occurring is assessed and
expressed according to the established likelihood criteria.

Trigger
The assessment of likelihood and the consequence are important for the risk
assessment process as it helps determine the risk level. Assessment of the
likelihood becomes mandatory when:

It has not been conducted before.

Changes in the context or scope are identified that can change the
likelihood.

There are vulnerabilities in the implemented controls.

Changes are found in the threat environment.

Audits or tests of control effectiveness produce unexpected outcomes.

Output
It is a list of risk scenarios or events complemented by likelihood.

Determining the Risk Levels - 7.3.4

Input

It is a list of risk scenarios whose consequences are related to events or
assets and their likelihoods (qualitative or quantitative).

Action

The risk level must be determined by combining the assessed consequences
and the assessed likelihood for all the relevant risk scenarios.

Trigger

It becomes necessary to determine the risk levels if there is a need to evaluate
the information security risks.

Output

It is a list of risks with assigned values.

Bibliography
1. ISO/IEC 27005 Information Security, Cybersecurity, and Privacy Protection - Guidance on Managing Information Security Risks. International Organization for Standardization. Accessed 21 Aug. 2024.

Evaluation of Information Security Risks - 7.4


Comparing Results from Risk Analysis Against Risk Criteria - 7.4.1

Input: It is a list of risks and risk criteria with assigned values.

Action: The level of risks must be compared against risk evaluation criteria,
especially risk acceptance criteria.

Trigger: The results of risk analysis are compared with the risk criteria. This
becomes important when the treatment of information security risks must be
prioritized.

Output: It is a list of suggestions for decisions regarding the additional actions
regarding risk management.

After identifying the risks and assigning the values for severity of consequences
and likelihood, the organization must apply its risk acceptance criteria to
determine if risks can be accepted or not. If they cannot be accepted, then they
must be prioritized for treatment.

Risk Prioritization for Risk Treatment - 7.4.2

The following parameters are included in risk prioritization for risk treatment:

Input: It is a list of results of risks compared against risk criteria.

Action: The risks given on the list must be prioritized for risk treatment while
also considering the assessed risk levels.

Trigger: If the information security risks are required to be treated, then it
becomes necessary to prioritize the analyzed risks for risk treatment.

Output: It is a list of prioritized risks with risk scenarios leading to those risks.
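As an added example (not from the course notes or from ISO/IEC 27005 itself), the following Python register carries the steps of 7.3.4, 7.4.1 and 7.4.2 through on a small set of constructed risk scenarios: it determines a risk level from semi-quantitative likelihood and consequence scales, compares it with a risk acceptance criterion, and prioritizes the unacceptable risks for treatment. The scale values, the acceptance threshold, the tie-break rule and the scenarios are all assumptions of the example.

```python
"""Added example, not taken from the ALISON course or from ISO/IEC 27005:
a small risk register that determines risk levels (clause 7.3.4), compares
them against risk acceptance criteria (7.4.1) and prioritizes the
unacceptable risks for treatment (7.4.2). The scales, the acceptance
threshold, the tie-break rule and the scenarios are constructed."""
from dataclasses import dataclass

# Semi-quantitative scales: qualitative labels with assigned values (7.3.1).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (constructed): a level at or below this value is
# accepted; any higher level must be prioritized for treatment.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class RiskScenario:
    risk_id: str
    description: str
    owner: str          # risk owner identified under clause 7.2
    likelihood: str     # label from LIKELIHOOD, assessed under 7.3.3
    consequence: str    # label from CONSEQUENCE, assessed under 7.3.2


def risk_level(likelihood: str, consequence: str) -> int:
    """Combine assessed likelihood and consequence into a risk level (7.3.4)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(scenario: RiskScenario) -> dict:
    """Compare one risk's level with the acceptance criterion (7.4.1)."""
    level = risk_level(scenario.likelihood, scenario.consequence)
    return {
        "risk_id": scenario.risk_id,
        "owner": scenario.owner,
        "level": level,
        "acceptable": level <= ACCEPTANCE_THRESHOLD,
    }


def prioritize(scenarios: list) -> list:
    """Return the risks needing treatment, highest level first (7.4.2).

    Ties are broken by the assessed consequence and then by risk id; that
    tie-break rule is an assumption of this example, not a rule of the standard.
    """
    ranked = []
    for s in scenarios:
        result = evaluate(s)
        if not result["acceptable"]:
            ranked.append((-result["level"], -CONSEQUENCE[s.consequence], s.risk_id, result))
    ranked.sort(key=lambda item: item[:3])
    return [item[3] for item in ranked]


# Constructed sample register (descriptions and owners are illustrative).
REGISTER = [
    RiskScenario("R1", "Ransomware renders the file server unavailable",
                 "IT operations manager", "likely", "major"),
    RiskScenario("R2", "Loss of an encrypted laptop holding customer data",
                 "Sales director", "possible", "minor"),
    RiskScenario("R3", "Insider discloses confidential design documents",
                 "Head of engineering", "unlikely", "severe"),
    RiskScenario("R4", "Public website defaced through an unpatched CMS",
                 "Marketing manager", "possible", "moderate"),
]

if __name__ == "__main__":
    for entry in prioritize(REGISTER):
        print(entry)
```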

Risk Treatment Process for Information Security - 8

The input to the information security risk treatment process is the list of
prioritized risks that must be treated according to the risk criteria.

Selecting the Most Appropriate Information Security Risk Treatment Options - 8.2

Input: It is a list of prioritized risks with risk or event scenarios leading to those
risks.

Action: The organization should choose the risk treatment options.

Trigger: It becomes important to select the appropriate information security
risk treatment options if the risk treatment plan is non-existent or incomplete.

Output: It is a list of prioritized risks with the selected risk treatment options.

Options for risk treatment can include retaining risks by informed choice, avoiding
risks by not starting (or continuing) with the activity that gives rise to the risk, or
sharing the risk by dividing responsibilities with other parties, whether internally or
externally.

Necessary Controls to Implement Information Security Risk Treatment Options - 8.3

The following necessary controls must be determined to implement information
security risk treatment options:

Input: It is a list of prioritized risks having the selected risk treatment options.

Action: All necessary controls should be determined, drawn from control sets
selected from an appropriate source. These controls are required to treat the
risks according to the chosen risk treatment options.

Trigger: Management of information security risks, ISMS nonconformity.

Output: Every necessary control.

While determining the necessary controls, it is important to establish the
necessity of each control by asking questions such as:

What effect does this control have on the consequence or likelihood of that risk?

In what way does the control maintain the risk level?

Classification of Controls
As mentioned, the organization should pay keen attention while determining the
necessary controls. These controls can be classified into the following three
categories:

Preventive Control

This control intends to prevent an information security event from occurring.
Such an event can cause one or more consequences.

Detective Control

This control intends to limit the consequences of an information security
event.

Corrective Control

This control intends to limit the consequences of an information security
event.

These control categories will also be followed in clauses 8.4 and 8.5.

Clauses 8.4 and 8.5


Control Comparison with ones in ISO/IEC 27001 - 8.4
The requirements to compare the controls with the ones present in ISO/IEC
27001:2022 are as follows:

Input: They comprise all the necessary controls discussed in the previous
clause.

Action: All the necessary controls must be compared with the ones listed in
Annex A of ISO/IEC 27001:2022.

Trigger: Identifying any missing controls when risk treatment plans are made.

Output: All the controls applicable to risk treatment.

Statement of Applicability - 8.5

Input: They comprise all the necessary controls, as discussed in Clause 8.3.

Action: Generate a Statement of Applicability.

Trigger: Documenting all the necessary controls with their justification and
implementation status.

Output: Statement of Applicability.

Contents of Statement of Applicability


At least the following should be added to the statement of applicability:


Information Security Risk Treatment Plan - 8.6

The risk treatment plan is developed from:

Input: Results gathered from risk assessments.

Action: Formulation of the risk treatment plan.

Trigger: Organizations need to treat the risks.

Output: Risk treatment plan.

Organizations should consider the following while creating their risk treatment
plan:

Priorities according to the risk level and treatment urgency.

Different types of controls (preventive, detective, corrective) and their
applicability.

The reason to wait for a control to settle before implementing a new one on
the same asset.

The reason for extending the time between the control implementation and
when the control becomes completely operational and effective.

Approval from the risk owners involves the following:

Input: Risk treatment plan(s).

Action: Getting approval of risk treatment plans from the risk owners.

Trigger: Getting the risk treatment plan(s) approved is necessary.

Output: An approved risk treatment plan.

Accepting the Residual Information Security Risks - 8.6.3

The residual information security risks will be accepted on the following criteria:

Input: The approved risk acceptance criteria and risk treatment plan.

Action: Determining the acceptability of the residual risks.

Trigger: Organizations need to make decisions regarding the residual risks.

Output: Accepted residual risks.

Here, the treatment plan is important because it feeds the follow-up
assessment of residual likelihood and consequence. Any proposed controls
within the risk treatment plans and their effectiveness must be considered so
that:

Their ability to reduce the likelihood, the consequence (or both) is determined,
and

The level of residual risks gets allocated to the risks.
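As an added example (not from the course notes or from ISO/IEC 27005 itself), the following Python snippet follows a risk treatment plan through the two points just listed: each proposed control's estimated effect on likelihood, consequence or both is applied, a residual risk level is allocated, and the result is checked against the risk acceptance criterion so that an unacceptable residual risk goes back for further treatment. The scales, the threshold, the control effects and the plans are constructed assumptions.

```python
"""Added example, not taken from the ALISON course or from ISO/IEC 27005:
applying the controls proposed in a risk treatment plan to the assessed
likelihood and consequence, allocating a residual risk level and deciding its
acceptability (clause 8.6.3). Scales, threshold, control effects and plans are
constructed assumptions."""
from dataclasses import dataclass, field

SCALE_MIN = 1               # bottom of the semi-quantitative scales (values 1..5)
ACCEPTANCE_THRESHOLD = 6    # constructed risk acceptance criterion


@dataclass
class Control:
    name: str
    category: str                   # "preventive", "detective" or "corrective"
    likelihood_reduction: int = 0   # estimated steps down the likelihood scale
    consequence_reduction: int = 0  # estimated steps down the consequence scale


@dataclass
class TreatmentPlan:
    risk_id: str
    likelihood: int                 # assessed value before treatment (7.3.3)
    consequence: int                # assessed value before treatment (7.3.2)
    controls: list = field(default_factory=list)
    avoid_activity: bool = False    # option "avoid": the activity is not started or continued


def residual_risk(plan: TreatmentPlan) -> dict:
    """Apply the plan's controls and allocate a residual level to the risk.

    The reductions of all controls are accumulated per parameter; a value
    cannot fall below the bottom of its scale. Avoiding the activity removes
    the risk entirely, which this example represents as level 0.
    """
    if plan.avoid_activity:
        return {"risk_id": plan.risk_id, "likelihood": 0, "consequence": 0, "level": 0}
    lik = plan.likelihood - sum(c.likelihood_reduction for c in plan.controls)
    con = plan.consequence - sum(c.consequence_reduction for c in plan.controls)
    lik = max(SCALE_MIN, lik)
    con = max(SCALE_MIN, con)
    return {"risk_id": plan.risk_id, "likelihood": lik, "consequence": con, "level": lik * con}


def decide(plan: TreatmentPlan) -> dict:
    """Compare the residual level with the acceptance criterion.

    An unacceptable residual risk is returned for further treatment, as the
    iterative risk treatment process described earlier requires.
    """
    result = residual_risk(plan)
    result["acceptable"] = result["level"] <= ACCEPTANCE_THRESHOLD
    result["next_step"] = ("accept residual risk" if result["acceptable"]
                           else "further treatment required")
    return result


# Constructed treatment plans; control effects are illustrative estimates.
PLANS = [
    TreatmentPlan("R1", likelihood=4, consequence=4, controls=[
        Control("Multi-factor authentication on remote access", "preventive",
                likelihood_reduction=1),
        Control("Endpoint detection and alerting", "detective",
                consequence_reduction=1),
        Control("Offline, regularly tested backups", "corrective",
                consequence_reduction=2),
    ]),
    TreatmentPlan("R3", likelihood=2, consequence=5, controls=[
        Control("Data loss prevention alerting", "detective",
                consequence_reduction=1),
    ]),
    TreatmentPlan("R5", likelihood=3, consequence=3, avoid_activity=True),
]

if __name__ == "__main__":
    for plan in PLANS:
        print(decide(plan))
```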

Operation - 9
Performing the Information Security Risk Assessment Process - 9.1

Input: Documents regarding the information security risk assessment process,
including the risk acceptance criteria and risk assessment.

Action: Clause 7 and its requirements should be used to perform the risk
assessment process.

Trigger: The organization needs to assess risks at planned intervals or
according to the events.

Output: The risks that have been evaluated.

Performing the Information Security Risk Treatment Process - 9.2

Input: Evaluated risks.

Action: Clause 8 and its requirements should be used to perform the risk
treatment process.

Trigger: The organization needs to treat risks at planned intervals or
according to the events.

Output: Residual risks or the risks that have been retained.

Leveraging the ISMS Process - 10


Organizational Context - 10.1

Input: It is the information regarding the organization and its internal and
external context.

Action: Consider all the relevant data to identify and describe internal and
external issues that influence information security risk management and
interested parties' requirements.

Trigger: The standard ISO/IEC 27001:2022 contains requirements for such
information to establish information security objectives.

Output: Any internal and external issues that are risk-related and influence
information security risk management.

Organizations must have a very high-level understanding of the issues that can
affect their ISMS, whether negatively or positively. They should also know about
the internal or external context relevant to their purpose and their ability to attain
the intended outcome of their ISMS. These intended outcomes should be able to
ensure the integrity, confidentiality, and preservation of information by the
application of the risk management process.

Commitment and Leadership - 10.2

Input: Information regarding the information security risk assessment
treatment or information security risk assessment results that require
endorsement or approval.

Action: Management should consider the results regarding information
security risks to decide on or endorse further actions.

Trigger: ISO/IEC 27001 requires the management level to be involved in every
information security activity related to risk.

Output: Information security risk-related endorsement or decisions.

Top management will be accountable for managing risks and leading risk
assessments. This will also include:

Allocation of the resources to manage risks.

Delegating the authority, accountability, and responsibility to appropriate
organizational levels.

Establishing communication with the interested parties.

Communication and Consultation - 10.3

Input

Information on risks, their causes and consequences, and their likelihood, all
of which are identified with risk management.

Action

Information on risks, their causes and consequences, along with their
likelihood and controls required for their treatment. These should be obtained
from (or communicated to) the external and the internal interested parties.

Trigger

Such communication is a requirement of ISO/IEC 27001.

Output

Perceptions of the relevant interested parties and the continued understanding
of the organization's information security risk management process and
results.

How to Communicate the Risks?


Communicating and consulting on risks improves the engagement of interested
parties. This risk communication should be carried out so that the following
can be achieved:

The assurance of the outcome of an organization's risk management should
be provided.

Risk information should be collected.

The results from the risk assessment should be shared and the risk treatment
plan should be presented.

The occurrence and consequence of information security breaches should
either be avoided or reduced.

Risk owners should be supported.

New information security knowledge should be obtained.

The organization should coordinate with other parties and plan responses so
that the consequences of any incident can be reduced.

A sense of responsibility should be instilled in the risk owners and other
parties having a legitimate interest in risk.

Awareness should be improved.

Documented Information - 10.4
ISO/IEC 27001 already specifies requirements for retaining documented
information about the following, in the clauses shown:

The risk assessment process - 6.1.2

The risk assessment process results - 8.2

The risk treatment process - 6.1.3

The risk treatment process results - 8.3

Documented Information Regarding Processes - 10.4.2

Input: Knowledge regarding the information security risk assessment and risk
treatment processes according to clauses 7 and 8.

Action: Information regarding the information security risk assessment and
risk treatment processes must be documented and kept.

Trigger: As per ISO/IEC 27001, the information regarding the information
security risk assessment and risk treatment processes must be documented.

Output: Documented information required by interested parties, such as a
certification body, or determined by the organization to be necessary for
effective information security risk assessment and treatment processes.

Guidance for Documented Information


The following should be present in the documented information about the
information security risk assessment process:

Definition of risk criteria, including the criteria for performing information
security risk assessment and criteria for risk acceptance.

The rationale behind the validity, consistency, and compatibility of the results.

A description of the method used for analysis of the information security
risks. This will also include an assessment of the potential consequences,
resultant risk level, and realistic likelihood.

A description of the method used to compare the results with the risk criteria
and to prioritize risks for risk treatment.

The documented information about the information security risk treatment
process should describe the method for selecting appropriate options, determining
necessary controls, producing risk treatment plans, and obtaining approval from
the risk owner. It should also describe how Annex A of ISO/IEC 27001 is used to
verify that necessary controls have not been overlooked unintentionally.

Documented Information About Results - 10.4.3

Input: The information security risk treatment and its results.

Action: Information about security risk treatment options and treatment results
must be documented and retained.

Trigger: ISO/IEC 27001 requires documented information about information
security risk assessment and its treatment results.

Output: Documented information about information security risk assessment
and its treatment results.

The documented information about the information security risk assessment
results should comprise the identified risks, their consequences, and the
likelihood. It should also contain the risk owners' identity, the results of
applying the risk acceptance criteria, and the priority of risk treatment.

Requirements for Monitoring and Review - 10.5.1


The organization's monitoring process should cover all aspects of the risk
assessment and risk treatment processes so that:

The effectiveness, efficiency, and economy of risk treatments can be
ensured.

Information regarding future risk assessments can be obtained.

Trends, changes, incidents, near misses, successes, and failures can yield
lessons that can be analyzed.

Any changes within the internal and external contexts, including risks and risk
criteria changes, can be detected.

Any emerging risks can be identified.

Monitoring and Reviewing the Factors that Influence Risks - 10.5.2

Input: All risk information is gathered from risk management activities.

Action: Risks and risk factors (the assets' values, vulnerabilities, threats,
consequences, and likelihood of occurrence) must be monitored and reviewed
so that any changes within the organization's context can be detected at an
early stage. This will allow the organization to maintain an overview of the
complete risk picture.

Trigger: Review of the organizational policy and identification of any changes
in the current threat and operating environment.

Output: Continuous alignment of the risk management activities with the
organization's business objectives and risk acceptance criteria.

According to Clause 9.1 of ISO/IEC 27001, organizations must evaluate the
performance of their information security and the effectiveness of their
ISMS. To meet this requirement, organizations should use their risk
treatment plan for performance evaluation. For this purpose, the organization
should first define one or more information needs. Then, with the help of top-level
specifications, the measures it requires should be determined. It should also
determine how those measures would be combined to satisfy the information
need.

Management Review - 10.6

Input: Results from the information security risk assessment and the status of
the information security risk treatment plan.

Action: Results of the information security risk assessment and status of the
information security risk treatment plan must be reviewed to confirm that the
residual risk meets the acceptance criteria. This review should also be done to
determine that the risk treatment plan has addressed all the relevant risks and
their treatment plan.

Trigger: Part of the scheduled calendar of review activities.

Output: Changes in the risk acceptance criteria and criteria to perform
information security risk assessments, along with the updated information
security risk treatment plan.

Corrective Action - 10.7

Input: The risk treatment plan is ineffective. This means the residual risk will
remain unacceptable after the treatment plan has been fully implemented.

Action: The risk treatment plans should be revised and implemented so that
each individual risk is modified to an acceptable level.

Trigger: The decision to revise the risk treatment plan.

Output: A revised risk treatment plan with its implementation.

Continual Improvement - 10.8

Input: All the risk information gathered from the risk management activities.

Action: The information security risk management process must be monitored,
reviewed, and improved continuously as required.

Trigger: The organization looks forward to improvement based on the lessons
learned during the information security risk management process.

Output: The continuous relevance of the information security risk
management process to the organization's business objective. Updating the
process is also considered as output here.


Lesson Summary
The following key points have been discussed in this module:
Identification of the Information Security Risks - 7.2

Trigger: Interested parties, experts, or risk owners have to look for any new or
changed events that can impact the achievement of information security
objectives.

Action: Any risks associated with the loss of confidentiality, availability, or
integrity of the information must be identified.

Input: These events can negatively influence the achievement of information
security objectives in the organization(s).

Output: It is a list of identified risks.

Types of Information Security Risk Analysis

Quantitative: Here, a scale with numerical values is used (e.g., probability or
frequency of occurrence, monetary cost).

Qualitative: Here, a scale of qualifying attributes is used (e.g., high, medium,
low).

Semiquantitative: It uses a qualitative scale having assigned values.

Considerations for Risk Treatment Plan

Priorities according to the risk level and treatment urgency.

Different types of controls (preventive, detective, corrective) and their
applicability.

The reason to wait for a control to settle before implementing a new one on the
same asset.

The reason for extending the time between the control implementation and the
moment when the control becomes completely operational and effective.
