What does ISO/IEC 27005 standardise, and what is not prescribed?
27005 is the Information Security Risk Management standard: it defines the risk-management process (analysis → assessment → treatment → monitoring) but does not prescribe a specific risk-analysis method.
* ISO 27005 fixes the process shape — context to identify to analyse to evaluate to treat to accept to monitor, looping back — but leaves the risk-analysis method to you. *
The standard is explicit:
"Anleitung für ein Information Security Risk Management ohne Spezifikation einer Risiko-Management-Methode."
So you can plug in any quantitative or qualitative method:
- Annual Loss Expectancy (ALE = SLE × ARO)
- FAIR (Factor Analysis of Information Risk)
- Bayesian network risk modelling
- Pure qualitative L×I matrices
- BSI 200-3 (which is itself an alternative)
What 27005 fixes:
- Process flow — context → risk identification → analysis → evaluation → treatment → acceptance → communication → monitoring & review.
- The vocabulary (asset, threat, vulnerability, likelihood, impact, residual risk).
- Risk treatment options: avoid / modify / share / accept.
Prerequisites: the standard assumes the reader already knows ISO 27001 and 27002.
Tip: 27005 is to risk what 27001 is to security: it tells you that you must, not how. The "how" is left to your chosen methodology — which is why mature organisations document their method as an internal "Risk Management Policy" referencing 27005.
Go deeper:
ISO/IEC 27005 — information security risk management — the process it fixes and its deliberate silence on a specific method.
ISO 31000 — the generic risk framework it builds on — the principles/framework/process model 27005 specialises for information security.