Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)

This document provides guidance to assist organizations to:
—    fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
—    perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.


General Information

Status: Published
Publication Date: 06-Aug-2024
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 07-Aug-2024
Due Date: 25-Apr-2026
Completion Date: 07-Aug-2024

Overview

EN ISO/IEC 27005:2024 (adoption of ISO/IEC 27005:2022 as EN ISO/IEC 27005:2024) provides detailed guidance on managing information security risks to support implementation of an Information Security Management System (ISMS). It helps organizations of any type, size or sector to fulfil ISO/IEC 27001 requirements related to identifying, assessing and treating information security risks, with additional emphasis on cybersecurity and privacy protection.

Key topics and technical coverage

This guidance covers the full information security risk management lifecycle and related ISMS processes, including:

  • Risk management process and cycles - principles for establishing iterative risk management activities.
  • Context establishment - organizational considerations, stakeholder requirements and risk criteria.
  • Risk assessment - identification, description and ownership of information security risks.
    • Risk analysis: assessing potential consequences and likelihood to determine risk levels.
    • Risk evaluation: comparing results against risk acceptance criteria and prioritizing risks.
  • Risk treatment - selecting treatment options, determining and implementing controls, and documenting a risk treatment plan.
  • Controls alignment - comparing selected controls with ISO/IEC 27001:2022 Annex A and producing a Statement of Applicability.
  • Operation and monitoring - performing assessments and treatments, documented information, communication, monitoring, management review, corrective action and continual improvement.
  • Practical techniques - Annex A provides examples of techniques to support risk assessment activities.
  • Definitions, normative references and structured guidance to choose appropriate methods and criteria.

Practical applications

ISO/IEC 27005 is practical for organizations that need to:

  • Implement or mature an ISMS and meet ISO/IEC 27001 risk requirements.
  • Conduct systematic information security and cybersecurity risk assessments.
  • Develop risk treatment plans and justify control selections (useful for audits and compliance).
  • Integrate privacy risk considerations into security risk workflows.
  • Prioritize security investments and supplier/vendor risk measures based on documented risk levels.
  • Establish repeatable, auditable processes for monitoring, review and continual improvement.

Who should use this standard

  • CISOs, information security and risk managers
  • Compliance officers and internal auditors
  • IT/security architects and project managers
  • Consultants supporting ISO/IEC 27001 implementation
  • Organizations across public and private sectors seeking structured risk management

Related standards

  • ISO/IEC 27001 - requirements for an Information Security Management System (ISMS)
  • The broader ISO/IEC 27000 family - context for security management and implementation guidance

Keywords: ISO/IEC 27005:2024, information security risk management, ISO/IEC 27001, risk assessment, risk treatment, ISMS, cybersecurity, privacy protection, Statement of Applicability.

Standard

EN ISO/IEC 27005:2024

English language
71 pages

Frequently Asked Questions

EN ISO/IEC 27005:2024 is a standard published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)". It provides guidance to assist organizations to fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks, and to perform information security risk management activities, specifically information security risk assessment and treatment. It is applicable to all organizations, regardless of type, size or sector.


EN ISO/IEC 27005:2024 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

You can purchase EN ISO/IEC 27005:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.

Standards Content (Sample)


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005:2024
August 2024
ICS 35.030
English version
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 E

Contents (page)
European foreword ... 3

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and has been taken over as [...] Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2025, and conflicting national standards
shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024
without any modification.
INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
Reference number: ISO/IEC 27005:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved

Contents (page)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
3.1 Terms related to information security risk ... 1
3.2 Terms related to information security risk management ... 5
4 Structure of this document ... 7
5 Information security risk management ... 7
5.1 Information security risk management process ... 7
5.2 Information security risk management cycles ... 9
6 Context establishment ... 9
6.1 Organizational considerations ... 9
6.2 Identifying basic requirements of interested parties ... 10
6.3 Applying risk assessment ... 10
6.4 Establishing and maintaining information security risk criteria ... 11
6.4.1 General ... 11
6.4.2 Risk acceptance criteria ... 11
6.4.3 Criteria for performing information security risk assessments ... 13
6.5 Choosing an appropriate method ... 15
7 Information security risk assessment process ... 16
7.1 General ... 16
7.2 Identifying information security risks ... 17
7.2.1 Identifying and describing information security risks ... 17
7.2.2 Identifying risk owners ... 18
7.3 Analysing information security risks ... 19
7.3.1 General ... 19
7.3.2 Assessing potential consequences ... 19
7.3.3 Assessing likelihood ... 20
7.3.4 Determining the levels of risk ... 22
7.4 Evaluating the information security risks ... 22
7.4.1 Comparing the results of risk analysis with the risk criteria ... 22
7.4.2 Prioritizing the analysed risks for risk treatment ... 23
8 Information security risk treatment process ... 23
8.1 General ... 23
8.2 Selecting appropriate information security risk treatment options ... 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options ... 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A ... 27
8.5 Producing a Statement of Applicability ... 27
8.6 Information security risk treatment plan ... 28
8.6.1 Formulation of the risk treatment plan ... 28
8.6.2 Approval by risk owners ... 29
8.6.3 Acceptance of the residual information security risks ... 30
9 Operation ... 31
9.1 Performing information security risk assessment process ... 31
9.2 Performing information security risk treatment process ... 31
10 Leveraging related ISMS processes ... 32
10.1 Context of the organization ... 32
10.2 Leadership and commitment ... 32
10.3 Communication and consultation ... 33
10.4 Documented information ... 35
10.4.1 General ... 35
10.4.2 Documented information about processes ... 35
10.4.3 Documented information about results ... 35
10.5 Monitoring and review ... 36
10.5.1 General ... 36
10.5.2 Monitoring and reviewing factors influencing risks ... 37
10.6 Management review ... 38
10.7 Corrective action ... 38
10.8 Continual improvement ... 39
Annex A (informative) Examples of techniques in support of the risk assessment process ... 41
Bibliography ... 62

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.

Information security, cybersecurity and privacy protection — Guidance on managing information security risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 2 to entry has been added and the original Notes 2
and 3 to entry have been renumbered as Notes 3 and 4 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Retention can be restricted to a certain period of time” has replaced
“Risk retention includes the acceptance of residual risks” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, including keywords and key concepts.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase the depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls and ensuring that risks are
appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
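The assess, evaluate and treat loop described in this subclause, worked through in code. This is an added example and not part of ISO/IEC 27005, which prescribes no scoring scheme: the four-step qualitative scales, the multiplicative level of risk (3.1.15), the risk acceptance criteria (3.1.7), the treatment catalogue and the greedy choice of the treatment with the largest reduction in level of risk per unit of cost are all assumptions made here, and the risk register is constructed. The code evaluates each scenario against the criteria (3.2.6), prioritizes the unacceptable ones for treatment (7.4.2) and then iterates at risk decision point 2, applying options from 3.2.7 Note 1 until the residual risk (3.1.17) meets the criteria, the catalogue is exhausted (leaving retention by informed decision, 3.2.8) or an iteration cap sends the scenario back for another assessment iteration.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

# Qualitative scales. ISO/IEC 27005 prescribes no particular scale; these
# four-step scales are an assumption made for this example.
class Likelihood(IntEnum):   # 3.1.13
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4

class Consequence(IntEnum):  # 3.1.14
    MINOR = 1
    MODERATE = 2
    MAJOR = 3
    SEVERE = 4

@dataclass(frozen=True)
class RiskScenario:           # 3.1.4: chain from risk source to unwanted consequence
    name: str
    risk_source: str          # 3.1.6: human (intentional/unintentional), environmental, technical
    event: str                # 3.1.11
    likelihood: Likelihood
    consequence: Consequence
    owner: str                # 3.1.5
    treatments: tuple = ()    # names of treatments applied so far

@dataclass(frozen=True)
class RiskCriteria:           # 3.1.7, set and reviewed by top management (6.1)
    accept_at_or_below: int   # highest level of risk acceptable without further treatment
    max_retained: Consequence # consequence ceiling that no low likelihood can compensate for

@dataclass(frozen=True)
class Treatment:              # one 3.2.7 Note 1 option and its assumed effect on the scales
    name: str
    option: str
    likelihood_delta: int = 0
    consequence_delta: int = 0
    cost: int = 1

def level_of_risk(s: RiskScenario) -> int:          # 3.1.15 (multiplicative combination assumed)
    return int(s.likelihood) * int(s.consequence)

def is_acceptable(s: RiskScenario, c: RiskCriteria) -> bool:   # 3.2.6
    return level_of_risk(s) <= c.accept_at_or_below and s.consequence <= c.max_retained

def apply_treatment(s: RiskScenario, t: Treatment) -> RiskScenario:
    lk = Likelihood(max(1, min(4, int(s.likelihood) + t.likelihood_delta)))
    cs = Consequence(max(1, min(4, int(s.consequence) + t.consequence_delta)))
    return replace(s, likelihood=lk, consequence=cs, treatments=s.treatments + (t.name,))

def prioritise(register, c):   # 7.4.2: unacceptable risks only, highest level of risk first
    return sorted((s for s in register if not is_acceptable(s, c)),
                  key=lambda s: (-level_of_risk(s), -int(s.consequence), s.name))

def plan_treatment(s, c, catalogue, max_iterations=5):
    """Risk decision point 2 of Figure 1: keep selecting treatments until the residual
    risk (3.1.17) is acceptable, the catalogue is exhausted, or the iteration cap is hit.
    Selection is greedy on reduction in level of risk per unit cost (an assumption)."""
    current = s
    for _ in range(max_iterations):
        if is_acceptable(current, c):
            return current, "acceptable"
        options = []
        for t in catalogue:
            if t.name in current.treatments:
                continue
            gain = level_of_risk(current) - level_of_risk(apply_treatment(current, t))
            if gain > 0:                       # ignore treatments that change nothing
                options.append((gain / t.cost, -t.cost, t))
        if not options:
            return current, "exhausted: retain by informed decision (3.2.8) or re-scope"
        _, _, best = max(options, key=lambda o: o[:2])
        current = apply_treatment(current, best)
    return current, "iteration cap: another risk assessment iteration needed"

CRITERIA = RiskCriteria(accept_at_or_below=4, max_retained=Consequence.MAJOR)

# Constructed register and treatment catalogues (illustrative, not from the standard).
REGISTER = (
    RiskScenario("ransomware-fileserver", "human, intentional", "file server encrypted by ransomware",
                 Likelihood.LIKELY, Consequence.SEVERE, "head of IT"),
    RiskScenario("laptop-loss", "human, unintentional", "unencrypted laptop lost in transit",
                 Likelihood.POSSIBLE, Consequence.MODERATE, "CISO"),
    RiskScenario("dc-power", "environmental", "power outage in data centre",
                 Likelihood.UNLIKELY, Consequence.MODERATE, "facilities manager"),
)
CATALOGUES = {
    "ransomware-fileserver": (
        Treatment("patch-sla-14d", "changing the likelihood", likelihood_delta=-1, cost=1),
        Treatment("mfa-for-admins", "changing the likelihood", likelihood_delta=-2, cost=2),
        Treatment("offline-backups", "changing the consequences", consequence_delta=-2, cost=3),
        Treatment("cyber-insurance", "sharing the risk", consequence_delta=-1, cost=2),
    ),
    "laptop-loss": (
        Treatment("full-disk-encryption", "changing the consequences", consequence_delta=-1, cost=1),
        Treatment("mdm-remote-wipe", "changing the consequences", consequence_delta=-1, cost=2),
    ),
    "dc-power": (),
}

def run_example():
    """Evaluate, prioritise and treat the constructed register; one record per scenario."""
    results = {}
    for s in prioritise(REGISTER, CRITERIA):
        residual, status = plan_treatment(s, CRITERIA, CATALOGUES[s.name], max_iterations=5)
        results[s.name] = {"initial": level_of_risk(s), "plan": residual.treatments,
                           "residual": level_of_risk(residual), "status": status}
    for s in REGISTER:   # risks already within criteria: accepted, but monitored (3.2.8 Note 2)
        results.setdefault(s.name, {"initial": level_of_risk(s), "plan": (),
                                    "residual": level_of_risk(s),
                                    "status": "accepted without treatment (3.2.8), monitor and review"})
    return results

if __name__ == "__main__":
    for name, r in run_example().items():
        print(f"{name}: level {r['initial']} -> {r['residual']} via {r['plan']} [{r['status']}]")
```

Two details are worth noticing when running it. The ransomware scenario reaches a level of risk of 4, which the numeric threshold would accept, yet it is still treated further because the consequence ceiling in the criteria is a separate test: a likelihood-only treatment never makes a SEVERE consequence retainable. And a short iteration cap returns the scenario with a status asking for another assessment iteration rather than silently accepting it, which is the behaviour risk decision point 1 calls for.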
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This applies to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, in which business assets, risk sources and threats, target objectives or the
consequences of information security events evolve as a result of changes in the overall context of the
organization. These changes serve as inputs for an overall update of the risk assessment(s) and the
risk treatments. They can also serve as an input for identifying new risks and initiating completely new
risk assessments;
— operational cycle, in which the above-mentioned elements serve as input information or changed
criteria that affect a risk assessment, or assessments, whose scenarios should be reviewed and updated.
The review should include updating the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
another corporate body or a legal entity; it can also be a subset of a legal entity (e.g. the IT department
of a company), and that subset can be considered the “organization” within the context of the ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk a
...


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing
information security risks (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005
August 2024
ICS 35.030
English version
Information security, cybersecurity and privacy protection
- Guidance on managing information security risks
(ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for
CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 E
Contents
European foreword

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
EN ISO/IEC 27005:2024 by Technical Committee “… Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2025, and conflicting national standards
shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024
without any modification.
INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity
and privacy protection — Guidance on
managing information security risks
Reference number
ISO/IEC 27005:2022(E)
© ISO/IEC 2022
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Operation
9.1 Performing information security risk assessment process
9.2 Performing information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A (informative) Examples of techniques in support of the risk assessment process
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Note 1
and 2 to entry have been renumbered as Note 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition and the phrase “Risk retention includes the acceptance of residual risks” has replaced
“Retention can be restricted to a certain period of time” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, including its keywords and key concepts.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase the depth and detail of the assessment at each iteration. The iterative approach balances
minimizing the time and effort spent identifying controls against ensuring that risks are appropriately
assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
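The loop in 5.1 and the definitions it relies on (level of risk in 3.1.15, risk evaluation against criteria in 3.2.6, the treatment options of 3.2.7 Note 1, and the two risk decision points of Figure 1) can be made concrete in code. The following Python is an added illustration and is not part of ISO/IEC 27005 or of any project's code. The four-step ordinal scales, the product used to combine likelihood and consequence, the acceptable level of 4, the modelled effect of each treatment option and the sample risk register are all constructed assumptions, since the standard leaves scales, criteria and treatment effects to the organization.

```python
"""Added illustration of the iterative loop in Figure 1 / 5.1.

Assumptions (not from the standard): ordinal 1..4 scales, level of risk
as the product of the two scores, acceptable level <= 4, and a simple
model of what each treatment option does to a risk.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence, Tuple

# Constructed ordinal scales; position on the scale + 1 is the score.
LIKELIHOOD_SCALE = ("rare", "unlikely", "likely", "almost certain")
CONSEQUENCE_SCALE = ("negligible", "limited", "significant", "severe")

# Constructed risk acceptance criterion (3.2.6 compares against criteria like this).
ACCEPTABLE_LEVEL = 4

# Treatment options from 3.2.7 Note 1, minus "taking or increasing risk", which
# Note 2 excludes from information security risk treatment.
TREATMENT_OPTIONS = ("avoid", "remove source", "change likelihood",
                     "change consequences", "share", "retain")


@dataclass(frozen=True)
class Risk:
    scenario: str                       # risk scenario (3.1.4), free text
    owner: str                          # risk owner (3.1.5)
    likelihood: Optional[str] = None    # None = not yet analysed
    consequence: Optional[str] = None   # None = not yet analysed


def decision_point_1(risk: Risk) -> bool:
    """Risk decision point 1: does the assessment give enough information
    to decide on treatment? Here: both ratings present and on the scale."""
    return risk.likelihood in LIKELIHOOD_SCALE and risk.consequence in CONSEQUENCE_SCALE


def level_of_risk(risk: Risk) -> int:
    """3.1.15: level of risk as a combination of consequences and likelihood.
    Using the product of the two ordinal scores is a constructed choice."""
    if not decision_point_1(risk):
        raise ValueError(f"risk analysis incomplete for: {risk.scenario}")
    return (LIKELIHOOD_SCALE.index(risk.likelihood) + 1) * \
           (CONSEQUENCE_SCALE.index(risk.consequence) + 1)


def is_acceptable(risk: Risk, acceptable_level: int = ACCEPTABLE_LEVEL) -> bool:
    """3.2.6: compare the level of risk with the risk criteria."""
    return level_of_risk(risk) <= acceptable_level


def _step_down(scale: Sequence[str], value: str) -> str:
    return scale[max(scale.index(value) - 1, 0)]


def treat(risk: Risk, option: str) -> Risk:
    """3.2.7: modify the risk. Modelled effects (constructed):
    - 'change likelihood' / 'change consequences': one step down the scale;
    - 'avoid' / 'remove source': the scenario no longer applies, both ratings drop to the minimum;
    - 'share' / 'retain': level unchanged; the risk is redistributed or kept by informed decision."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    if option == "change likelihood":
        return replace(risk, likelihood=_step_down(LIKELIHOOD_SCALE, risk.likelihood))
    if option == "change consequences":
        return replace(risk, consequence=_step_down(CONSEQUENCE_SCALE, risk.consequence))
    if option in ("avoid", "remove source"):
        return replace(risk, likelihood=LIKELIHOOD_SCALE[0], consequence=CONSEQUENCE_SCALE[0])
    return risk  # share / retain


def manage(risk: Risk, plan: Sequence[str],
           acceptable_level: int = ACCEPTABLE_LEVEL) -> Tuple[str, Risk, List[str]]:
    """One pass through the process of Figure 1.

    Returns (outcome, residual risk, treatments applied), where outcome is
    'reassess' : decision point 1 or 2 sends the risk back to assessment;
    'accepted' : already within criteria, no treatment needed (3.2.8);
    'treated'  : residual risk (3.1.17) within criteria after treatment;
    'retained' : kept above criteria by informed decision of the owner (3.2.10)."""
    if not decision_point_1(risk):
        return "reassess", risk, []          # decision point 1
    applied: List[str] = []
    if is_acceptable(risk, acceptable_level):
        return "accepted", risk, applied
    for option in plan:
        risk = treat(risk, option)
        applied.append(option)
        if is_acceptable(risk, acceptable_level):
            return "treated", risk, applied
        if option == "retain":
            return "retained", risk, applied
    return "reassess", risk, applied         # decision point 2


if __name__ == "__main__":
    # Constructed sample register: (risk, planned treatment options in order).
    register = [
        (Risk("credential stuffing against the customer portal", "Portal owner",
              "likely", "significant"), ["change likelihood", "change consequences"]),
        (Risk("ransomware on the file server", "IT operations",
              "almost certain", "severe"), ["change likelihood"]),
        (Risk("loss of an encrypted laptop", "Workplace services", "rare", "limited"), []),
        (Risk("supplier outage", "Procurement"), ["share"]),  # not yet analysed
    ]
    for risk, plan in register:
        outcome, residual, applied = manage(risk, plan)
        lvl = level_of_risk(residual) if decision_point_1(residual) else "n/a"
        print(f"{risk.scenario}: {outcome}, residual level {lvl}, treatments {applied}")
```

The `reassess` outcome is what the two decision points in Figure 1 produce: a risk that cannot be analysed goes back to assessment at decision point 1, and a risk whose planned treatments still leave it above the criteria goes back at decision point 2, where the text above suggests a changed scope, added expertise or different treatment options for the next iteration.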
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This applies to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, where business assets, risk sources and threats, target objectives or consequences
of information security events evolve from changes in the overall context of the organization.
This can serve as input for an overall update of the risk assessment or risk assessments and the
risk treatments. It can also serve as an input for identifying new risks and initiating completely new
risk assessments;
— operational cycle, where the above-mentioned elements serve as input information or changed
criteria that affect a risk assessment or assessments whose scenarios should be reviewed
and updated. The review should include updating the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), and can be considered as the “organization” within the context of the ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk ass
...


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Navodila za obvladovanje informacijskih varnostnih tveganj (ISO/IEC 27005:2022)
Informationssicherheit, Cybersicherheit und Datenschutz - Leitfaden zur Handhabung von Informationssicherheitsrisiken (ISO/IEC 27005:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Préconisations pour la gestion des risques liés à la sécurité de l'information (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005
August 2024
ICS 35.030
German version
Informationssicherheit, Cybersicherheit und Datenschutz - Leitfaden zur Handhabung von Informationssicherheitsrisiken (ISO/IEC 27005:2022)
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Préconisations pour la gestion des risques liés à la sécurité de l'information (ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.

This European Standard exists in three official versions (German, English, French). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for the national members of CEN and the members of CENELEC.
Ref. No. EN ISO/IEC 27005:2024 D

Contents
European foreword
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the selected information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Operation
9.1 Performing the information security risk assessment process
9.2 Performing the information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A (informative) Examples of techniques in support of the risk assessment process
A.1 Information security risk criteria
A.1.1 Criteria related to risk assessment
A.1.2 Risk acceptance criteria
A.2 Practical techniques
A.2.1 Information security risk components
A.2.2 Assets
A.2.3 Risk sources and desired end state
A.2.4 Event-based approach
A.2.5 Asset-based approach
A.2.6 Examples of scenarios applicable in both approaches
A.2.7 Monitoring risk-related events
Bibliography

Figures
Figure 1 — Information security risk management process
Figure A.1 — Information security risk assessment components
Figure A.2 — Example of an asset dependency diagram
Figure A.3 — Identifying the interested parties of the ecosystem
Figure A.4 — Risk assessment using risk scenarios
Figure A.5 — Example of applying the SFDT model

Tables
Table A.1 — Example of a consequence scale
Table A.2 — Example of a likelihood scale
Table A.3 — Example of a qualitative approach to risk criteria
Table A.4 — Example of a logarithmic likelihood scale
Table A.5 — Example of a logarithmic consequence scale
Table A.6 — Example of an evaluation scale combined with a three-colour risk matrix
Table A.7 — Examples and usual attack methods
Table A.8 — Example classification of motivations expressing the DES
Table A.9 — Examples of target objectives
Table A.10 — Examples of typical threats
Table A.11 — Examples of typical vulnerabilities
Table A.12 — Examples of risk scenarios in both approaches
Table A.13 — Example of a risk scenario and monitoring of risk-related events

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 27005:2024 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2025, and conflicting national standards shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024 without any modification.
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition replaces the third edition (ISO/IEC 27005:2018), which has been technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of the risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.
This document is intended for:
— organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties);
— organizations intending to improve their information security risk management process.
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic and geological environment, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— the relationships, perceptions, values, needs and expectations of external interested parties;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include the following:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event (3.1.11), its consequences (3.1.14) or its likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is usually associated with a negative effect of uncertainty on information security objectives.
Note 7 to entry: Information security risk can be associated with the potential that threats (3.1.9) will exploit vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase “It can be positive, negative or both, and can address, create or result in opportunities and threats” has been replaced by “positive or negative” in Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry and Note 3, Note 5, Note 6 and Note 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence (3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
risk cause
element which, alone or in combination with other factors, has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: The nature of a human risk source can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Note 1 and Note 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and on the external context (3.1.1) and internal context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can occur once or several times, and can have several causes and several consequences (3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (e.g. by the statistical
Wahrscheinlichkeit oder die Häufigkeit in einer bestimmten Zeitspanne) beschrieben wird.
Anmerkung 2 zum Begriff: Der englische Begriff „likelihood“ hat in einigen Sprachen keine direkte Entsprechung,
stattdessen wird oftmals die Entsprechung des Begriffs „probability“ verwendet. Allerdings wird im Englischen
„probability“ oftmals sehr eng als mathematischer Begriff interpretiert. Deshalb wird in der englischen Terminologie des
Risikomanagements der Begriff „likelihood“ mit der Absicht verwendet, dass er dieselbe weit gefasste Bedeutung haben
sollte wie der Begriff „Wahrscheinlichkeit“ in vielen anderen Sprachen.
[QUELLE: ISO 31000:2018, 3.7]
3.1.14
Auswirkung
Ergebnis eines Ereignisses (3.1.11), welches die Ziele betrifft
Anmerkung 1 zum Begriff: Eine Auswirkung kann gewiss oder ungewiss sein und sich direkt oder indirekt bzw. positiv
oder negativ auf Ziele auswirken.
Anmerkung 2 zum Begriff: Auswirkungen können qualitativ oder quantitativ beschrieben werden.
Anmerkung 3 zum Begriff: Jede Auswirkung kann durch kaskadierende und kumulative Effekte eskalieren.
[QUELLE: ISO 31000:2018, 3.6]
3.1.15
Risikoniveau
Signifikanz eines Risikos (3.1.3), das mittels einer Kombination von Auswirkungen (3.1.14) und deren
Wahrscheinlichkeit (3.1.13) ausgedrückt wird
[QUELLE: ISO Guide 73:2009, 3.6.1.8, modifiziert — die Formulierung: „Größe eines Risikos oder einer
Kombination von Risiken“ wurde durch „Signifikanz eines Risikos“ ersetzt.]
3.1.16
Steuerung
Maßnahme, die das Risiko (3.1.3) beibehält und/oder verändert
Anmerkung 1 zum Begriff: Steuerungen umfassen unter anderem alle Prozesse, Grundsätze, Instrumente, Verfahren
oder andere Bedingungen und/oder Aktionen, welche Risiken beibehalten oder verändern.
Anmerkung 2 zum Begriff: Steuerungen können nicht immer die beabsichtigte oder angenommene verändernde
Wirkung ausüben.
[QUELLE: ISO 31000:2018, 3.8]
3.1.17
Restrisiko
Risiko (3.1.3), das nach einer Risikobehandlung (3.2.7) verbleibt
Anmerkung 1 zum Begriff: Das Restrisiko kann nicht identifizierte Risiken beinhalten.
Anmerkung 2 zum Begriff: Restrisiken können auch ein beibehaltenes Risiko beinhalten.
[QUELLE: ISO Guide 73:2009, 3.8.1.6, modifiziert — Anmerkung 2 zum Begriff wurde modifiziert.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting and establishing the context, and of identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance, evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
– a process which impacts on a decision through influence rather than power;
– an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and the needs of interested parties.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "stakeholder" has been replaced with "interested party" in Note 2 to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and for decisions about risk treatment (3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with the risk criteria (3.1.7) to determine whether the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — "magnitude" has been replaced with "significance".]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
– taking or increasing the risk in order to pursue an opportunity;
– removing the risk source (3.1.6);
– changing the likelihood (3.1.13);
– changing the consequences (3.1.14);
– sharing the risk with another party or parties (including contracts and risk financing); and
– retaining the risk by informed decision.
Note 2 to entry: The treatment of information security risks does not include "taking or increasing the risk in order to pursue an opportunity", but the organization can use this option in its general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 2 to entry has been added, and the original Note 2 and Note 3 to entry have been renumbered as Note 3 and Note 4 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the risk treatment process.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word "temporary" has been added at the beginning of the definition, and the phrase "Risk retention includes the acceptance of residual risks" has been replaced with "Retention can be restricted to a certain period of time" in Note 1 to entry.]
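The definitions above are easier to apply once they are tied to one concrete risk scenario: level of risk (3.1.15) as a combination of consequence and likelihood, risk evaluation (3.2.6) against risk criteria (3.1.7), risk treatment (3.2.7) that adds controls (3.1.16), and the residual risk (3.1.17) that remains. The following is an added worked example written for this page; it is not code or text from ISO/IEC 27005 or from any standards body. The 1..5 scales, the product used to combine the two scale values, the two thresholds in the risk criteria, the greedy choice of controls and the sample scenario, controls and their reductions are all assumptions chosen for illustration; each organization defines its own scales and criteria.

```python
"""Added worked example; not text or code from ISO/IEC 27005.

Assumed for illustration only: the 1..5 scales, the product used to combine
likelihood and consequence, the thresholds in the risk criteria, and the
sample scenario and controls. Each organization defines its own scales and
risk criteria (3.1.7); the standard prescribes none of these.
"""
from dataclasses import dataclass, field
from enum import IntEnum

# Qualitative scales for likelihood (3.1.13) and consequence (3.1.14); values 1..5 are assumed.
Likelihood = IntEnum("Likelihood", "RARE UNLIKELY POSSIBLE LIKELY ALMOST_CERTAIN")
Consequence = IntEnum("Consequence", "NEGLIGIBLE MINOR MODERATE MAJOR SEVERE")


@dataclass(frozen=True)
class RiskCriteria:
    """Terms of reference against which significance is evaluated (3.1.7)."""
    acceptable_max: int  # at or below: accept by informed decision (3.2.8)
    tolerable_max: int   # up to here: may be retained for a limited time (3.2.10)


@dataclass(frozen=True)
class Control:
    """A control (3.1.16) with its assumed effect on the two scales."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class RiskScenario:
    """Risk scenario (3.1.4): a risk source and event leading to a consequence."""
    risk_source: str
    event: str
    likelihood: Likelihood
    consequence: Consequence
    controls: list[Control] = field(default_factory=list)


def level_of_risk(likelihood: Likelihood, consequence: Consequence) -> int:
    """Level of risk (3.1.15) as the product of the two scale values: one common
    choice, not a formula the standard mandates."""
    return int(likelihood) * int(consequence)


def residual_state(scenario: RiskScenario) -> tuple[Likelihood, Consequence]:
    """Likelihood and consequence after the applied controls (3.1.17), clamped to
    the scale. The reductions are assumed effects (3.1.16 Note 2)."""
    lik = int(scenario.likelihood) - sum(c.likelihood_reduction for c in scenario.controls)
    con = int(scenario.consequence) - sum(c.consequence_reduction for c in scenario.controls)
    return Likelihood(max(lik, 1)), Consequence(max(con, 1))


def residual_level(scenario: RiskScenario) -> int:
    return level_of_risk(*residual_state(scenario))


def evaluate(level: int, criteria: RiskCriteria) -> str:
    """Risk evaluation (3.2.6): compare the analysed level with the risk criteria."""
    if level <= criteria.acceptable_max:
        return "acceptable"
    if level <= criteria.tolerable_max:
        return "tolerable"
    return "unacceptable"


def treat(scenario: RiskScenario, criteria: RiskCriteria,
          candidates: list[Control]) -> RiskScenario:
    """Risk treatment (3.2.7) run iteratively as in 5.1: add the candidate control
    that lowers the residual level most, reassess, and stop once the level is
    acceptable or no candidate is left. The input scenario is not modified."""
    treated = RiskScenario(scenario.risk_source, scenario.event, scenario.likelihood,
                           scenario.consequence, list(scenario.controls))
    remaining = list(candidates)
    while remaining and evaluate(residual_level(treated), criteria) != "acceptable":
        def level_with(ctl: Control) -> int:
            return residual_level(RiskScenario(treated.risk_source, treated.event,
                                               treated.likelihood, treated.consequence,
                                               treated.controls + [ctl]))
        best = min(remaining, key=level_with)
        remaining.remove(best)
        treated.controls.append(best)
    return treated


# Constructed sample input (an assumption, not taken from the standard).
CRITERIA = RiskCriteria(acceptable_max=4, tolerable_max=9)
SAMPLE = RiskScenario(
    risk_source="external attacker (human, intentional; 3.1.6 Note 2)",
    event="credential stuffing against the customer portal",
    likelihood=Likelihood.LIKELY,
    consequence=Consequence.MAJOR,
)
CANDIDATES = [
    Control("multi-factor authentication", likelihood_reduction=2),
    Control("rate limiting on login", likelihood_reduction=1),
    Control("session data minimization", consequence_reduction=1),
]
```

With the sample input, `level_of_risk(SAMPLE.likelihood, SAMPLE.consequence)` is 16, which `evaluate` classes as unacceptable against `CRITERIA`; `treat(SAMPLE, CRITERIA, CANDIDATES)` first adds multi-factor authentication (residual level 8, tolerable), reassesses, adds rate limiting (residual level 4, acceptable) and stops, leaving session data minimization unused. Two points of the definitions show up directly in the code: `residual_state` clamps at the bottom of the scale because a control cannot push likelihood below "rare", and a scenario that ends as "tolerable" only because the candidates ran out is the case for time-limited retention (3.2.10) with monitoring and review (3.2.8 Note 2), not for silent acceptance.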
4 Structure of this document
This document is structured as follows:
– Clause 5: Information security risk management;
– Clause 6: Context establishment;
– Clause 7: Information security risk assessment process;
– Clause 8: Information security risk treatment process;
– Clause 9: Operation;
– Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in the general subclauses, all risk management activities as presented in Clause 7 to Clause 10 are structured as follows:
Input: Identifies any information required to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the organization, according to a plan, or because of a change in the organization's external context.
Output: Identifies any information derived after performing the activity, as well as any criteria that such output should satisfy.
Guidance: Provides guidance on performing the activity, together with a key word and a key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As illustrated in Figure 1, the information security risk management process can be iterative for the risk assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can increase the depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls and still ensuring that risks are appropriately assessed.
Establishing the context means gathering the internal and external context for information security risk management or for an information security risk assessment.
If the risk assessment provides sufficient information to determine the actions required to modify the risks to an acceptable level, the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be conducted. This can involve changing the
...