ISO/IEC 27005 issued in determined bid to reduce risk of information security breaches

In our hyper-connected, technology-driven world, data breaches and cyber attacks remain a significant threat to organisations. On the basis that a lack of awareness of the risks involved is often to blame for data breaches, a newly-revised standard has been introduced to assist today’s organisations.

Protecting the security of a company’s information – whether it be commercially sensitive data or the personal details of clients – has never been more under the spotlight. New legislation such as the European Union’s General Data Protection Regulation means that organisations are under even greater pressure to ensure their information is secure, but adhering to the most appropriate technologies and processes can be a minefield for them.

The newly-revised ISO/IEC 27005:2018 Information Technology – Security Techniques – Information Security Risk Management provides salient guidance for organisations on how to wade through the detail by providing a framework for effectively managing the risks.

Complementary to ISO/IEC 27001:2013, which provides the requirements for an information security management system, ISO/IEC 27005 has recently been updated to reflect the new version of ISO/IEC 27001 and thus ensure it’s best equipped to meet the demands of today’s organisations.

It provides detailed risk management guidance to help meet related requirements specified in ISO/IEC 27001.

Edward Humphreys, convener of the ISO/IEC Working Group that developed both ISO/IEC 27001 and ISO/IEC 27005, has explained that the updated standard is a key tool in the ISO/IEC ‘cyber risk toolbox’.

“ISO/IEC 27005 provides the ‘why, what and how’ for organisations to be able to manage their information security risks effectively in compliance with ISO/IEC 27001,” stated Humphreys. “It also helps to demonstrate to an organisation’s customers or stakeholders that robust risk processes are in place, giving them confidence that they’re dealing with a robust and protected business.”

ISO/IEC 27005 is one of more than a dozen standards in the ISO/IEC 27000 Series that make up the ‘cyber risk toolbox’, led by the flagship ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements. Others in the series include those for protecting information in the Cloud, dealing with information security in the telecoms and utility sectors, cyber security and auditing.

ISO/IEC 27005 was developed by Working Group 1 Information Security Management Systems of Technical Committee ISO/IEC JTC 1, Information Technology, Sub-Committee SC27, IT Security techniques, the secretariat of which is held by DIN, ISO’s member for Germany.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.