LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What does ISO/IEC 27005 standardise, and what is not prescribed?

27005 is the Information Security Risk Management standard: it defines the risk-management process (analysis → assessment → treatment → monitoring) but does not prescribe a specific risk-analysis method.

Linear risk-management process chain: context, identify, analyse, evaluate, treat (avoid/modify/share/accept), accept, monitor and review, with a feedback loop back to context

* ISO 27005 fixes the process shape — context to identify to analyse to evaluate to treat to accept to monitor, looping back — but leaves the risk-analysis method to you. *

The standard is explicit:

"Anleitung für ein Information Security Risk Management ohne Spezifikation einer Risiko-Management-Methode."

So you can plug in any quantitative or qualitative method:

  • Annual Loss Expectancy (ALE = SLE × ARO)
  • FAIR (Factor Analysis of Information Risk)
  • Bayesian network risk modelling
  • Pure qualitative L×I matrices
  • BSI 200-3 (which is itself an alternative)

What 27005 fixes:

  • Process flow — context → risk identification → analysis → evaluation → treatment → acceptance → communication → monitoring & review.
  • The vocabulary (asset, threat, vulnerability, likelihood, impact, residual risk).
  • Risk treatment options: avoid / modify / share / accept.

Prerequisites: the standard assumes the reader already knows ISO 27001 and 27002.

Tip: 27005 is to risk what 27001 is to security: it tells you that you must, not how. The "how" is left to your chosen methodology — which is why mature organisations document their method as an internal "Risk Management Policy" referencing 27005.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026