LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is ISO 27005 and what are the steps of the information security risk management process?

ISO 27005 provides a framework for information security risk management without prescribing a specific methodology — it covers the full process from risk identification to risk acceptance.

Six-step risk process with Communication and Monitoring running alongside.

* The ISO 27005 risk-management process; Communication and Monitoring run alongside every step. *

Key characteristics:

  • Provides a framework, not a specific method — any risk management methodology can be used within it
  • Builds on ISO 27001 and ISO 27002 (assumes knowledge of both)
  • Covers the entire risk management lifecycle

The risk management process (from the standard):

  1. Context Establishment — Define scope, criteria, and organization of the process
  2. Risk Assessment:
    • Risk Identification — What can go wrong?
    • Risk Estimation — How likely and how severe?
    • Risk Evaluation — Is the risk acceptable?
  3. Risk Treatment — Choose and implement measures to address risks
  4. Risk Acceptance — Management formally accepts the residual risks

Two continuous activities run alongside all steps:

  • Risk Communication — Keeping stakeholders informed
  • Risk Monitoring and Review — Ongoing oversight

Decision points: After risk assessment, check if the assessment is satisfactory. After risk treatment, check if the treatment is satisfactory. If not, iterate.

Go deeper:

  • doc ISO/IEC 27005 (Wikipedia) — der Risikomanagement-Prozess und wie 27005 auf die generische Methode aus ISO 31000 aufbaut, ohne eine bestimmte Methode vorzuschreiben.

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Jul 05, 2026