Quiz Entry - updated: 2026.07.05
What is ISO 27005 and what are the steps of the information security risk management process?
ISO 27005 provides a framework for information security risk management without prescribing a specific methodology — it covers the full process from risk identification to risk acceptance.
* The ISO 27005 risk-management process; Communication and Monitoring run alongside every step. *
Key characteristics:
- Provides a framework, not a specific method — any risk management methodology can be used within it
- Builds on ISO 27001 and ISO 27002 (assumes knowledge of both)
- Covers the entire risk management lifecycle
The risk management process (from the standard):
- Context Establishment — Define scope, criteria, and organization of the process
- Risk Assessment:
- Risk Identification — What can go wrong?
- Risk Estimation — How likely and how severe?
- Risk Evaluation — Is the risk acceptable?
- Risk Treatment — Choose and implement measures to address risks
- Risk Acceptance — Management formally accepts the residual risks
Two continuous activities run alongside all steps:
- Risk Communication — Keeping stakeholders informed
- Risk Monitoring and Review — Ongoing oversight
Decision points: After risk assessment, check if the assessment is satisfactory. After risk treatment, check if the treatment is satisfactory. If not, iterate.
Go deeper:
ISO/IEC 27005 (Wikipedia) — der Risikomanagement-Prozess und wie 27005 auf die generische Methode aus ISO 31000 aufbaut, ohne eine bestimmte Methode vorzuschreiben.