Why ISO 27005?
Risk management is the heart of all information security. Without understanding what risks the organisation faces, it’s impossible to prioritise measures effectively. ISO 27005 provides a structured framework to do just that.
Connection to NIS2: NIS2 Article 21 requires “policies on risk analysis and information systems security”. ISO 27005 provides a proven method to meet this requirement.
The Risk Management Process
ISO 27005 describes risk management as a cyclical process with six main steps:
- Establish Context: Define the scope and criteria for risk management. What needs to be protected? Which threats and vulnerabilities are relevant? What risk criteria should be used? How is the acceptable risk level defined?
- Identify Risks: Find, recognise and describe risks. Identify assets (systems, data, processes), threats (what can go wrong), vulnerabilities (weaknesses that can be exploited), and existing controls.
- Analyse Risks: Assess likelihood and consequence for each risk. How likely is the threat to materialise? What will be the impact on confidentiality, integrity and availability? Calculate the risk level.
- Evaluate Risks: Compare analysed risks against the risk criteria. Which risks are acceptable? Which require treatment? Prioritise based on risk level and organisational risk appetite.
- Treat Risks: Select and implement measures for unacceptable risks. Four main options: avoid (eliminate the risk), reduce (decrease likelihood or consequence), transfer (insurance, outsourcing), accept (informed decision).
- Monitor and Review: Follow up that risk treatment is working. Monitor changes in the threat landscape. Review and update the risk assessment regularly. Learn from incidents.
Risk Identification in Practice
Asset Identification
Start by listing what needs to be protected:
Asset Types:
- Information — Customer data, trade secrets, personal data
- Systems — Applications, databases, networks
- Infrastructure — Servers, data centres, communications
- Processes — Business-critical processes, support processes
- People — Key personnel, competencies
Threat Identification
What threats can affect the assets?
| Threat Category | Examples |
|---|---|
| Cyber Attacks | Ransomware, phishing, DDoS, data breaches |
| Insider Threats | Unintentional mistakes, malicious insiders |
| Physical Threats | Fire, flooding, theft |
| Technical Failures | System failures, corruption, capacity shortfalls |
| Supplier-Related | Supplier breaches, service outages |
Vulnerability Identification
What weaknesses can be exploited?
- Unpatched systems
- Weak passwords
- Poor segmentation
- Lack of encryption
- Insufficient logging
- Inadequate backup
Risk Analysis
Likelihood Assessment
| Level | Description | Frequency |
|---|---|---|
| 1 - Unlikely | Very rare | <1 time per 10 years |
| 2 - Low | May occur | 1 time per 1-10 years |
| 3 - Medium | Occurs sometimes | 1 time per year |
| 4 - High | Occurs regularly | Several times per year |
| 5 - Very High | Expected to occur | Monthly or more often |
Impact Assessment
| Level | Description | Impact |
|---|---|---|
| 1 - Negligible | Minimal impact | <£1k, no service impact |
| 2 - Minor | Limited impact | £1k-10k, brief disruption |
| 3 - Moderate | Significant impact | £10k-100k, days |
| 4 - Severe | Major impact | £100k-1m, weeks |
| 5 - Catastrophic | Business-critical | >£1m, months |
Risk Matrix
| Likelihood \ Impact | Negligible | Minor | Moderate | Severe | Catastrophic |
|---|---|---|---|---|---|
| Very High | Medium | High | High | Critical | Critical |
| High | Low | Medium | High | High | Critical |
| Medium | Low | Low | Medium | High | High |
| Low | Low | Low | Low | Medium | Medium |
| Unlikely | Low | Low | Low | Low | Medium |
Interpretation: Critical and high risks require immediate treatment. Medium risks require an action plan. Low risks can be accepted with monitoring.
Risk Treatment
- Avoid: Eliminate the risk by not conducting the activity, removing the system, or choosing another solution. Example: Decommission an insecure legacy system.
- Reduce: Implement controls that decrease likelihood or consequence. Example: Install a firewall, encrypt data, train staff.
- Transfer: Move the risk to another party through insurance or outsourcing. Example: Cyber insurance, cloud provider with an SLA.
- Accept: Make an informed decision to live with the risk. Document the decision and the responsible person. Monitor the risk continuously.
Documentation
Risk Register
A risk register should contain:
| Field | Description |
|---|---|
| Risk ID | Unique identifier |
| Description | What is the risk? |
| Asset | Which asset is affected? |
| Threat | Which threat? |
| Vulnerability | Which vulnerability? |
| Likelihood | 1-5 |
| Impact | 1-5 |
| Risk Level | Calculated |
| Treatment | Avoid/reduce/transfer/accept |
| Action | What needs to be done? |
| Owner | Who owns the risk? |
| Status | Open/in progress/closed |
| Review Date | When should the risk be reviewed? |
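The scales, the 5x5 matrix and the register fields above can be turned into a small scoring tool. The following is an added example, not Securapilot's code or anything from ISO 27005 itself: the likelihood and impact scales, the matrix cells and the treatment interpretation are transcribed from the tables on this page, while the `Risk` class, the function names and the four register entries are constructed sample data for illustration. It covers both the Risk Matrix section (computing a level from likelihood and impact) and the Risk Register section (prioritising entries and flagging overdue reviews).

```python
"""Risk scoring with the page's ISO 27005-style scales (added example, not Securapilot's code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Union

# Scales transcribed from the Likelihood and Impact tables on the page.
LIKELIHOOD = {1: "Unlikely", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Severe", 5: "Catastrophic"}

# The risk matrix as shown on the page: rows are likelihood 1..5,
# columns are impact 1..5 (Negligible .. Catastrophic).
MATRIX = {
    5: ["Medium", "High", "High", "Critical", "Critical"],
    4: ["Low", "Medium", "High", "High", "Critical"],
    3: ["Low", "Low", "Medium", "High", "High"],
    2: ["Low", "Low", "Low", "Medium", "Medium"],
    1: ["Low", "Low", "Low", "Low", "Medium"],
}

# The page's interpretation line, as a lookup.
REQUIRED_ACTION = {
    "Critical": "immediate treatment",
    "High": "immediate treatment",
    "Medium": "action plan",
    "Low": "accept with monitoring",
}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}   # lower sorts first
TREATMENTS = {"avoid", "reduce", "transfer", "accept", "undecided"}


def risk_level(likelihood: int, impact: int) -> str:
    """Look up the qualitative level; rejects values outside the 1-5 scales."""
    if likelihood not in MATRIX or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be on the 1-5 scale")
    return MATRIX[likelihood][impact - 1]


@dataclass
class Risk:
    """One row of the register, with the fields the page lists (hypothetical class)."""
    risk_id: str
    description: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: str
    treatment: str = "undecided"
    action: str = ""
    status: str = "open"              # open / in progress / closed
    review_date: Optional[date] = None

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {self.treatment}")
        risk_level(self.likelihood, self.impact)   # validates the scales early

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def required_action(self) -> str:
        return REQUIRED_ACTION[self.level]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order by matrix level, then by likelihood x impact, then by ID for stability."""
    return sorted(register, key=lambda r: (RANK[r.level], -(r.likelihood * r.impact), r.risk_id))


def needs_immediate_treatment(risk: Risk) -> bool:
    return risk.level in ("Critical", "High")


def overdue_reviews(register: List[Risk], today: Union[date, str]) -> List[str]:
    """IDs of unclosed risks whose review date has passed (the Monitor and Review step)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [r.risk_id for r in register
            if r.status != "closed" and r.review_date is not None and r.review_date < today]


# Constructed sample register; the scenarios are illustrative, not real findings.
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware encrypts the file server", "File server", "Ransomware",
         "Unpatched systems", 4, 4, "Head of IT", "reduce", "Patch cycle and offline backups",
         "in progress", date(2024, 12, 1)),
    Risk("R-002", "Credential phishing against staff", "User accounts", "Phishing",
         "Weak passwords", 5, 3, "CISO", "reduce", "MFA rollout and awareness training",
         "open", date(2025, 6, 30)),
    Risk("R-003", "Fire in the data centre", "Data centre", "Fire",
         "Inadequate backup", 1, 5, "Facilities", "transfer", "Insurance and off-site backup",
         "open", date(2025, 3, 1)),
    Risk("R-004", "Supplier service outage", "Payroll SaaS", "Service outage",
         "Single supplier", 3, 2, "Finance", "accept", "", "open", date(2025, 3, 1)),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.risk_id} {r.level:9} {r.required_action:22} {r.treatment}")
    print("overdue:", overdue_reviews(SAMPLE_REGISTER, "2025-01-01"))
```

The matrix is stored as an explicit table rather than as a likelihood-times-impact formula because the page's matrix is not a product: an Unlikely/Catastrophic risk (1x5) lands on Medium while Medium/Moderate (3x3) also lands on Medium, and only a table captures that. The product is used purely as a tie-breaker inside one level.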
Common Mistakes
- "Cyber attacks" as one risk. Break it down into specific scenarios for meaningful analysis.
- Ignoring existing controls. Risks should be assessed considering already implemented measures.
- IT cannot assess business consequences alone. The business must participate.
- Risk management is continuous, not an annual project.
How Securapilot Can Help
Securapilot’s risk management module builds on ISO 27005:
- Structured process — Guided risk identification and assessment
- Risk register — Centralised management of all risks
- Risk matrix — Visual presentation of risk landscape
- Treatment plans — Tracking of actions
- Dashboard — Management overview
- History — Full traceability over time
Book a demo and see how we can support your risk management.
Frequently asked questions
Is ISO 27005 mandatory?
No, ISO 27005 is a guidance standard, not a certifiable requirement. However, NIS2 and ISO 27001 require risk management, and ISO 27005 provides an established method to meet these requirements.
How does ISO 27005 relate to ISO 27001?
ISO 27001 requires risk management (clause 6.1.2) but doesn't specify the method. ISO 27005 provides detailed guidance on how risk management can be implemented.
How often should risk assessments be conducted?
At least annually, but also during major changes in operations, IT environment or threat landscape. Continuous risk monitoring is recommended.
What's the difference between risk assessment and risk management?
Risk assessment is part of risk management. Risk management is the entire process from establishing context to monitoring and reviewing. Risk assessment is the step where risks are identified, analysed and evaluated.