Information security, cybersecurity and privacy protection — Guidance on managing information security risks

This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

Information security, cybersecurity and privacy protection — Guidance on managing information security risks

This document provides recommendations to help organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, in particular the assessment and treatment of these risks.
This document is applicable to all organizations, regardless of their type, size or sector.

Information security, cybersecurity and privacy protection - Guidance on managing information security risks

This document provides guidance to assist organizations in:
– fulfilling the requirements of ISO/IEC 27001 regarding measures for addressing information security risks;
– carrying out information security risk management activities, in particular the assessment and treatment of information security risks.
This document applies to all organizations, regardless of type, size or sector.

General Information

Status: Published
Publication Date: 24-Oct-2022
Current Stage: 6060 - International Standard published
Start Date: 25-Oct-2022
Due Date: 27-Jan-2023
Completion Date: 25-Oct-2022

Relations

Standard: ISO/IEC 27005:2024 (English language, 68 pages)
Standard: ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks. Released: 25 October 2022 (English language, 62 pages)
Standard: ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks. Released: 25 October 2022 (French language, 66 pages)

Standards Content (Sample)


SLOVENIAN STANDARD
01 April 2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks
This Slovenian standard is identical to: ISO/IEC 27005:2022
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved

Contents (Page)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
3.1 Terms related to information security risk ... 1
3.2 Terms related to information security risk management ... 5
4 Structure of this document ... 7
5 Information security risk management ... 7
5.1 Information security risk management process ... 7
5.2 Information security risk management cycles ... 9
6 Context establishment ... 9
6.1 Organizational considerations ... 9
6.2 Identifying basic requirements of interested parties ... 10
6.3 Applying risk assessment ... 10
6.4 Establishing and maintaining information security risk criteria ... 11
6.4.1 General ... 11
6.4.2 Risk acceptance criteria ... 11
6.4.3 Criteria for performing information security risk assessments ... 13
6.5 Choosing an appropriate method ... 15
7 Information security risk assessment process ... 16
7.1 General ... 16
7.2 Identifying information security risks ... 17
7.2.1 Identifying and describing information security risks ... 17
7.2.2 Identifying risk owners ... 18
7.3 Analysing information security risks ... 19
7.3.1 General ... 19
7.3.2 Assessing potential consequences ... 19
7.3.3 Assessing likelihood ... 20
7.3.4 Determining the levels of risk ... 22
7.4 Evaluating the information security risks ... 22
7.4.1 Comparing the results of risk analysis with the risk criteria ... 22
7.4.2 Prioritizing the analysed risks for risk treatment ... 23
8 Information security risk treatment process ... 23
8.1 General ... 23
8.2 Selecting appropriate information security risk treatment options ... 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options ... 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A ... 27
8.5 Producing a Statement of Applicability ... 27
8.6 Information security risk treatment plan ... 28
8.6.1 Formulation of the risk treatment plan ... 28
8.6.2 Approval by risk owners ... 29
8.6.3 Acceptance of the residual information security risks ... 30
9 Operation ... 31
9.1 Performing information security risk assessment process ... 31
9.2 Performing information security risk treatment process ... 31
10 Leveraging related ISMS processes ... 32
10.1 Context of the organization ... 32
10.2 Leadership and commitment ... 32

10.3 Communication and consultation ... 33
10.4 Documented information ... 35
10.4.1 General ... 35
10.4.2 Documented information about processes ... 35
10.4.3 Documented information about results ... 35
10.5 Monitoring and review ... 36
10.5.1 General ... 36
10.5.2 Monitoring and reviewing factors influencing risks ... 37
10.6 Management review ... 38
10.7 Corrective action ... 38
10.8 Continual improvement ... 39
Annex A (informative) Examples of techniques in support of the risk assessment process ... 41
Bibliography ... 62

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.

INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]

3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]

3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]

3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]

3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]

3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Notes 1
and 2 to entry have been renumbered as Notes 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).

[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Risk retention includes the acceptance of residual risks” has replaced
“Retention can be restricted to a certain period of time” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, keyword and key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.

Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls, while still ensuring that
risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This should apply to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, where business assets, risk sources and threats, target objectives or consequences
of information security events evolve from changes in the overall context of the organization.
This can serve as input for an overall update of the risk assessment or risk assessments and the
risk treatments. It can also serve as an input for identifying new risks and initiating completely new
risk assessments;
— operational cycle, where the above-mentioned elements serve as input information or changed
criteria that will affect a risk assessment or assessments in which the scenarios should be reviewed
and updated. The review should include updating of the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), and can be considered the “organization” within the context of the ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk assessments embedded within many different processes, such as
project management, vulnerability management, incident management, problem management, or even
on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are
performed, they should collectively cover all the issues relevant to the organization within the scope of
an ISMS.
The risk assessment should help the organization make decisions about the management of the risks
that affect the achievement of its objectives. This should therefore be targeted at those risks and
controls that, if managed successfully, will improve the likelihood of the organization achieving its
objectives.
More information about the context of an ISMS and the issues to be understood through risk assessment
is given in ISO/IEC 27003.
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
ISO/IEC 27001:2022, 6.1.2 a), specifies requirements for organizations to define their risk criteria, i.e.
the terms of reference by which they evaluate the significance of the risks that they identify and make
decisions concerning risks.
ISO/IEC 27001 specifies requirements for an organization to establish and maintain information
security risk criteria that include:
a) the risk acceptance criteria;
b) criteria for performing information security risk assessments.
In general, to set risk criteria, the following should be considered:
— the nature and type of uncertainties that can affect outcomes and objectives (both tangible and
intangible);
— how consequence and likelihood will be defined, predicted and measured;
— time-related factors;
— consistency in the use of measurements;
— how the level of risk will be determined;
— how combinations and sequences of multiple risks will be taken into account;
— the organization’s capacity.
Further considerations on risk criteria are presented in Annex A.
6.4.2 Risk acceptance criteria
NOTE This subclause relates to ISO/IEC 27001:2022, 6.1.2 a) 1).
In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or
not.
In risk treatment, risk acceptance criteria can be used to determine whether the proposed risk
treatment is sufficient to reach an acceptable level of risk, or if further risk treatment is needed.
An organization should define levels of risk acceptance. The following should be considered during
development:
a) consistency between the information security risk acceptance criteria and the organization’s
general risk acceptance criteria;
b) the level of management with delegated authority to make risk acceptance decisions is identified;
c) risk acceptance criteria can include multiple thresholds, and authority for acceptance can be
assigned to different levels of management;
d) risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to
also consider the cost/benefit balance between prospective losses and the cost of controls;
e) different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in
non-compliance with regulations or laws are not always retained, while acceptance of risks can be
allowed if the acceptance is a result of a contractual requirement);
f) risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can
be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if
there is approval and commitment to take action to implement a chosen set of controls to reach an
acceptable level within a defined time period);
g) risk acceptance criteria should be defined based upon the risk appetite, which indicates the amount
and type of risk that the organization is willing to pursue or retain;
h) risk acceptance criteria can be absolute or conditional depending on the context.
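To make items a) to h) concrete, the following Python model is an added illustration (not text or code from ISO/IEC 27005) that applies multiple acceptance thresholds delegated to management levels, a class rule for regulatory non-compliance risks, and time-bounded short-term retention to a small risk register. The 1..5 likelihood and consequence scales, the product as level of risk, the thresholds, the 90-day limit and the sample risks are all constructed assumptions.

```python
"""Worked model of the risk acceptance criteria in 6.4.2: an added illustration,
not text or code from ISO/IEC 27005. Scales, thresholds, the 90-day limit and
the sample risks are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed acceptance thresholds: a level of risk at or below the threshold
# may be accepted by the named management level (6.4.2 b and c). A level above
# the highest threshold exceeds the acceptance criteria.
ACCEPTANCE_THRESHOLDS = [
    (4, "risk owner"),
    (9, "department head"),
    (15, "top management"),
]
MAX_RETENTION_DAYS = 90           # constructed limit for short-term retention (6.4.2 f)
SAMPLE_TODAY = date(2023, 1, 15)  # constructed evaluation date

@dataclass
class Risk:
    name: str
    likelihood: int                   # constructed ordinal scale 1 (rare) .. 5 (almost certain)
    consequence: int                  # constructed ordinal scale 1 (negligible) .. 5 (severe)
    risk_class: str = "general"       # "general" or "regulatory" (6.4.2 e)
    contractual_basis: bool = False   # acceptance follows from a contractual requirement
    treatment_approved: bool = False  # approved commitment to implement controls (6.4.2 f)
    treatment_due: Optional[date] = None

@dataclass
class Decision:
    level_of_risk: int
    acceptable: bool
    authority: Optional[str]
    reason: str

def level_of_risk(risk: Risk) -> int:
    """Level of risk as the combination of consequence and likelihood (3.1.15);
    here the product on the constructed 1..5 scales."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return risk.likelihood * risk.consequence

def required_authority(level: int) -> Optional[str]:
    """Lowest management level allowed to accept a risk of this level, or None
    when the level exceeds every threshold."""
    for threshold, authority in ACCEPTANCE_THRESHOLDS:
        if level <= threshold:
            return authority
    return None

def evaluate(risk: Risk, today: date) -> Decision:
    """Apply the acceptance criteria to one risk."""
    level = level_of_risk(risk)

    # 6.4.2 e): a risk of regulatory non-compliance is not retained unless the
    # acceptance is the result of a contractual requirement.
    if risk.risk_class == "regulatory" and not risk.contractual_basis:
        return Decision(level, False, None,
                        "regulatory non-compliance risk is not retained")

    authority = required_authority(level)
    if authority is not None:
        return Decision(level, True, authority,
                        f"within threshold; acceptance by {authority}")

    # 6.4.2 f): above every threshold, the risk may still be retained short-term
    # when there is approval and a commitment to treat it within a defined period.
    due = risk.treatment_due
    if (risk.treatment_approved and due is not None
            and today < due <= today + timedelta(days=MAX_RETENTION_DAYS)):
        return Decision(level, True, "top management",
                        f"retained short-term; treatment due {due.isoformat()}")

    return Decision(level, False, None,
                    "exceeds acceptance criteria; further treatment required")

def evaluate_register(risks, today: date) -> dict:
    """Evaluate a list of risks and key the decisions by risk name."""
    return {r.name: evaluate(r, today) for r in risks}

# Constructed sample register, not taken from any real assessment.
SAMPLE_RISKS = [
    Risk("laptop theft, encrypted disk", 3, 1),
    Risk("unpatched internet-facing service", 4, 5),
    Risk("unpatched internet-facing service, patch scheduled", 4, 5,
         treatment_approved=True, treatment_due=date(2023, 3, 31)),
    Risk("personal data kept beyond legal retention limit", 2, 3,
         risk_class="regulatory"),
]

if __name__ == "__main__":
    for name, d in evaluate_register(SAMPLE_RISKS, SAMPLE_TODAY).items():
        print(f"{name}: level={d.level_of_risk}, acceptable={d.acceptable}, "
              f"authority={d.authority} ({d.reason})")
```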
Risk acceptance criteria should be established considering the following influencing factors:
— organizational objectives;
— organizational opportunities;
— legal and regulatory aspects;
— operational activities;
— technological constraints;
— financial constraints;
— processes;
— supplier relationships;
— human factors (e.g. related to privacy).
The list of influencing factors is not exhaustive. The organization should consider the influencing
fact
...


INTERNATIONAL STANDARD
ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity
and privacy protection — Guidance on
managing information security risks
Sécurité de l'information, cybersécurité et protection de la vie
privée — Préconisations pour la gestion des risques liés à la sécurité
de l'information
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents Page
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
3.1 Terms related to information security risk ... 1
3.2 Terms related to information security risk management ... 5
4 Structure of this document ... 7
5 Information security risk management ... 7
5.1 Information security risk management process ... 7
5.2 Information security risk management cycles ... 9
6 Context establishment ... 9
6.1 Organizational considerations ... 9
6.2 Identifying basic requirements of interested parties ... 10
6.3 Applying risk assessment ... 10
6.4 Establishing and maintaining information security risk criteria ... 11
6.4.1 General ... 11
6.4.2 Risk acceptance criteria ... 11
6.4.3 Criteria for performing information security risk assessments ... 13
6.5 Choosing an appropriate method ... 15
7 Information security risk assessment process ... 16
7.1 General ... 16
7.2 Identifying information security risks ... 17
7.2.1 Identifying and describing information security risks ... 17
7.2.2 Identifying risk owners ... 18
7.3 Analysing information security risks ... 19
7.3.1 General ... 19
7.3.2 Assessing potential consequences ... 19
7.3.3 Assessing likelihood ... 20
7.3.4 Determining the levels of risk ... 22
7.4 Evaluating the information security risks ... 22
7.4.1 Comparing the results of risk analysis with the risk criteria ... 22
7.4.2 Prioritizing the analysed risks for risk treatment ... 23
8 Information security risk treatment process ... 23
8.1 General ... 23
8.2 Selecting appropriate information security risk treatment options ... 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options ... 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A ... 27
8.5 Producing a Statement of Applicability ... 27
8.6 Information security risk treatment plan ... 28
8.6.1 Formulation of the risk treatment plan ... 28
8.6.2 Approval by risk owners ... 29
8.6.3 Acceptance of the residual information security risks ... 30
9 Operation ... 31
9.1 Performing information security risk assessment process ... 31
9.2 Performing information security risk treatment process ... 31
10 Leveraging related ISMS processes ... 32
10.1 Context of the organization ... 32
10.2 Leadership and commitment ... 32
10.3 Communication and consultation ... 33
10.4 Documented information ... 35
10.4.1 General ... 35
10.4.2 Documented information about processes ... 35
10.4.3 Documented information about results ... 35
10.5 Monitoring and review ... 36
10.5.1 General ... 36
10.5.2 Monitoring and reviewing factors influencing risks ... 37
10.6 Management review ... 38
10.7 Corrective action ... 38
10.8 Continual improvement ... 39
Annex A (informative) Examples of techniques in support of the risk assessment process ... 41
Bibliography ... 62
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — “interested party” has replaced “stakeholder” in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Notes 1
and 2 to entry have been renumbered as Notes 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Risk retention includes the acceptance of residual risks” has replaced
“Retention can be restricted to a certain period of time” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, keyword and key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls, while still ensuring that
risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This should apply to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, where business assets, risk sources and threats, target objectives or consequences
of information security events evolve from changes in the overall context of the organization.
This can serve as input for an overall update of the risk assessment or risk assessments and the
risk treatments. It can also serve as an input for identifying new risks and initiating completely new
risk assessments;
— operational cycle, where the above-mentioned elements serve as input information or changed
criteria that will affect a risk assessment or assessments in which the scenarios should be reviewed
and updated. The review should include updating of the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), and can be considered as the “organization” within the context of the ISMS.
© ISO/IEC 2022 – All rights reserved
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk assessments embedded within many different processes, such as
project management, vulnerability management, incident management, problem management, or even
on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are
performed, they should collectively cover all the issues relevant to the organization within the scope of
an ISMS.
The risk assessment should help the organization make decisions about the management of the risks
that affect the achievement of its objectives. This should therefore be targeted at those risks and
controls that, if managed successfully, will improve the likelihood of the organization achieving its
objectives.
More information about the context of an ISMS and the issues to be understood through risk assessment
is given in ISO/IEC 27003.
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
ISO/IEC 27001:2022, 6.1.2 a), specifies requirements for organizations to define their risk criteria, i.e.
the terms of reference by which they evaluate the significance of the risks that they identify and make
decisions concerning risks.
ISO/IEC 27001 specifies requirements for an organization to establish and maintain information
security risk criteria that include:
a) the risk acceptance criteria;
b) criteria for performing information security risk assessments.
In general, to set risk criteria, the following should be considered:
— the nature and type of uncertainties that can affect outcomes and objectives (both tangible and
intangible);
— how consequence and likelihood will be defined, predicted and measured;
— time-related factors;
— consistency in the use of measurements;
— how the level of risk will be determined;
— how combinations and sequences of multiple risks will be taken into account;
— the organization’s capacity.
Further considerations on risk criteria are presented in Annex A.
6.4.2 Risk acceptance criteria
NOTE This subclause relates to ISO/IEC 27001:2022, 6.1.2 a) 1).
In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or
not.
In risk treatment, risk acceptance criteria can be used to determine whether the proposed risk
treatment is sufficient to reach an acceptable level of risk, or if further risk treatment is needed.
An organization should define levels of risk acceptance. The following should be considered during
development:
a) consistency between the information security risk acceptance criteria and the organization’s
general risk acceptance criteria;
b) the level of management with delegated authority to make risk acceptance decisions is identified;
c) risk acceptance criteria can include multiple thresholds, and authority for acceptance can be
assigned to different levels of management;
d) risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to
also consider the cost/benefit balance between prospective losses and the cost of controls;
e) different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in
non-compliance with regulations or laws are not always retained, while acceptance of risks can be
allowed if the acceptance is a result of a contractual requirement);
f) risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can
be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if
there is approval and commitment to take action to implement a chosen set of controls to reach an
acceptable level within a defined time period);
g) risk acceptance criteria should be defined based upon the risk appetite that indicates amount and
type of risk that the organization is willing to pursue or retain;
h) risk acceptance criteria can be absolute or conditional depending on the context.
Risk acceptance criteria should be established considering the following influencing factors:
— organizational objectives;
— organizational opportunities;
— legal and regulatory aspects;
— operational activities;
— technological constraints;
— financial constraints;
— processes;
— supplier relationships;
— human factors (e.g. related to privacy).
The list of influencing factors is not exhaustive. The organization should consider the influencing
factors based on the context.
A simple acceptance criterion (yes/no) does not always suffice in practice.
In many cases, the decision to accept risk can be made at specific levels of risk (specific combinations
of likelihood and consequence). However, there can be circumstances where it is necessary to set
thresholds of acceptance for extreme consequences regardless of their likelihood, or extremely high
likelihoods regardless of consequences, where the effect on the organization primarily results from one
or the other.
For example, acceptance of a rare event that wipes out the stock value of a company, or a constant
drain on resources resulting from the need to control frequent minor infractions of a policy, should be
considered primarily based on which of the two factors have the dominant effect on the organization.
Consequently, risk acceptance criteria should ideally include consideration of likelihood and
consequence independently, as well as costs of management, rather than merely level of risk as a
combination of likelihood and consequence.
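As an added worked example, not taken from ISO/IEC 27005, the following Python evaluator applies acceptance criteria of the kinds listed in this subclause: a combined level threshold with authority bands (item c), independent caps on extreme consequence and extreme likelihood, a cost/benefit condition (item d), a class of risk that is never retained (item e) and time-bound conditional retention (item f). The 5x5 scales, the thresholds, the role names and the sample risks in `demo()` are constructed assumptions, not values from the standard.

```python
"""Added example (not part of ISO/IEC 27005): apply risk acceptance criteria of the
kinds described in 6.4.2. Scales, thresholds, role names and risks are constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class RiskClass(Enum):
    GENERAL = "general"
    LEGAL = "legal"  # risk of non-compliance with laws or regulations (item e)


@dataclass
class Risk:
    ident: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); constructed scale
    consequence: int  # 1 (negligible) .. 5 (catastrophic); constructed scale
    risk_class: RiskClass = RiskClass.GENERAL
    prospective_loss: float = 0.0  # expected loss if left untreated (item d)
    control_cost: float = 0.0      # cost of the controls that would treat it (item d)
    treatment_deadline: Optional[date] = None  # approved commitment to treat (item f)

    @property
    def level(self) -> int:
        # Level of risk as a combination of likelihood and consequence (3.1.15).
        return self.likelihood * self.consequence


@dataclass
class AcceptanceCriteria:
    max_level: int = 8           # combined threshold on the constructed 5x5 scale
    max_consequence: int = 4     # absolute cap, regardless of likelihood
    max_likelihood: int = 4      # absolute cap, regardless of consequence
    max_deferral_days: int = 90  # longest short-term retention above threshold (item f)
    # Item c): authority bands as (upper level bound, management level).
    authority: tuple = ((4, "risk owner"), (8, "business unit manager"))
    top_management: str = "top management"


@dataclass(frozen=True)
class Decision:
    acceptable: bool
    approver: str
    reason: str


def approver_for(level: int, crit: AcceptanceCriteria) -> str:
    """Item c): the management level with authority to accept a risk of this level."""
    for upper, who in crit.authority:
        if level <= upper:
            return who
    return crit.top_management


def evaluate(risk: Risk, crit: AcceptanceCriteria, today: Optional[date] = None) -> Decision:
    """Apply the acceptance criteria to one analysed risk, most restrictive rule first."""
    today = today or date.today()
    # Item e): a class of risk that is never retained, whatever its level.
    if risk.risk_class is RiskClass.LEGAL:
        return Decision(False, crit.top_management, "regulatory non-compliance is never retained")
    # Extreme consequence or likelihood is judged on its own, not through the combined level.
    if risk.consequence > crit.max_consequence:
        return Decision(False, crit.top_management, "consequence exceeds cap regardless of likelihood")
    if risk.likelihood > crit.max_likelihood:
        return Decision(False, crit.top_management, "likelihood exceeds cap regardless of consequence")
    # Level-based acceptance, with the approver chosen from the authority bands.
    if risk.level <= crit.max_level:
        return Decision(True, approver_for(risk.level, crit), "level within acceptance threshold")
    # Item d): cost/benefit may justify retaining a risk above the level threshold.
    if risk.prospective_loss > 0 and risk.control_cost > risk.prospective_loss:
        return Decision(True, crit.top_management, "controls would cost more than the prospective loss")
    # Item f): short-term retention backed by an approved, time-bound treatment commitment.
    if risk.treatment_deadline is not None:
        days = (risk.treatment_deadline - today).days
        if 0 <= days <= crit.max_deferral_days:
            return Decision(True, crit.top_management, f"retained short-term; treatment due in {days} days")
        return Decision(False, crit.top_management, "treatment commitment outside the allowed deferral period")
    return Decision(False, crit.top_management, "level exceeds threshold; further treatment needed")


def demo() -> dict:
    """Run constructed sample risks through the constructed criteria, keyed by risk id."""
    crit = AcceptanceCriteria()
    today = date(2024, 1, 15)  # constructed reference date
    sample = [
        Risk("R1", 2, 2),                                   # low level: risk owner may accept
        Risk("R2", 1, 5),                                   # rare but catastrophic: rejected
        Risk("R3", 1, 1, risk_class=RiskClass.LEGAL),       # legal class: never retained
        Risk("R4", 3, 3, prospective_loss=10_000, control_cost=50_000),  # cost/benefit
        Risk("R5", 3, 3, treatment_deadline=date(2024, 3, 1)),   # committed within 90 days
        Risk("R6", 3, 3, treatment_deadline=date(2024, 12, 1)),  # commitment too far out
        Risk("R7", 3, 3),                                   # over threshold, no commitment
    ]
    return {r.ident: evaluate(r, crit, today) for r in sample}
```

Calling `demo()` shows that R2 is rejected although its combined level (5) is under the threshold, because the consequence cap is applied independently, which is exactly the point made above.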
An organization with a keen risk appetite can set a higher threshold of acceptance, thereby accepting
more risks than an organization with a lower risk appetite. This protects the organization from
over-control, i.e. having so many information
...


INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
Reference number
© ISO/IEC 2022
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Carrying out operational activities
9.1 Performing the information security risk assessment process
9.2 Performing the information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A (informative) Techniques in support of the risk assessment process — Examples
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights or similar rights. ISO and IEC shall not be held responsible for identifying any or all such rights. Details of any patent rights or similar rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/brevets) or the IEC list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/avant-propos. For IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been technically revised.
The main changes are as follows:
— all guidance has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
— the terminology has been aligned with that of ISO 31000:2018;
— the structure of the clauses and subclauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been added;
— a distinction is made between the event-based approach and the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/fr/members.html and www.iec.ch/national-committees.

Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of the risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. information security risk management professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.

INTERNATIONAL STANDARD ISO/IEC 27005:2022(F)
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic and geological environment, whether international, national, regional or local;
— key drivers and trends having an impact on the objectives of the organization;
— relationships with external interested parties, and their perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event (3.1.11), its consequences (3.1.14) or its likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is usually associated with a negative effect of uncertainty on information security objectives.
Note 7 to entry: Information security risk can be associated with the potential that threats (3.1.9) will exploit vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an organization.
[SOURCE: ISO 31000:2018, 3.1, modified — The sentence “It can be positive, negative or both, and can address, create or result in opportunities and threats” has been replaced with “positive or negative” in Note 1 to entry; Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6 and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence (3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and on the external (3.1.1) and internal context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes and several consequences (3.1.14).
Note 2 to entry: An event can be something that is expected which does not happen, or something that is not expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been deleted.]
3.1.12
information security incident
one or multiple unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on the achievement of objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
magnitude of a risk (3.1.3) expressed in terms of the combination of consequences (3.1.14) and their likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “magnitude of a risk or combination of risks” has been replaced with “magnitude of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance, evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and the needs of interested parties.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — “interested parties” has replaced “stakeholders” in Note 2 to entry.]
3.2.5
risk analysis
process to comprehend the nature of a risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment (3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with the risk criteria (3.1.7) to determine whether the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — "significance" has replaced "magnitude".]
3.2.7
risk treatment
process to modify a risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Risk treatment related to information security does not include "taking or increasing risk in order to pursue an opportunity", but the organization can have this option within its general risk management framework.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and Notes 1 and 2 to entry in the original document have been renumbered as Notes 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Risk retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on the risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — The word "temporary" has been added at the beginning of the definition, and the sentence "Risk retention includes the acceptance of residual risks" has been replaced by "Risk retention can be restricted to a certain period of time" in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Performing operational activities;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in the general clauses and subclauses, all risk management activities presented in Clauses 7 to 10 are structured as follows:
Input: Identifies the information required to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when the activity should start, e.g. because of a change within the organization or according to a plan, or because of a change in the external context of the organization.
Output: Identifies the information obtained after performing the activity, as well as the criteria that it should satisfy.
Guidance: Provides guidance on performing the activity, the key word and the key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is identical to the general risk management process described in ISO 31000.
Figure 1 — Information security risk management process
As illustrated in Figure 1, the information security risk management process can be iterative for the risk assessment and/or risk treatment activities. An iterative approach to performing the risk assessment allows the assessment to be deepened and refined at each iteration. This iterative approach provides a good balance between minimizing the time and effort spent on identifying controls and ensuring that risks are appropriately assessed.
Context establishment involves gathering information on the external and internal contexts for information security risk management or risk assessment.
If the risk assessment provides sufficient information to correctly determine the actions needed to bring the risks to an acceptable level, then the task is complete and is followed by the risk treatment step. If the information is insufficient, a further iteration of the risk assessment should be performed. This can involve changing the context of the risk assessment (e.g. revising its scope), involving expertise in the area concerned, or other means of collecting the information needed to allow the risk to be brought to an acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing the risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the residual risk is acceptable;
— considering further treatment if it is not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risk. In this case, a further attempt can be made to identify additional risk treatment, or a complete or partial iteration of the risk assessment can be performed. This can involve changing the context of the risk assessment (e.g. revising its scope) and involving expertise in the area concerned. Knowledge of the relevant threats or vulnerabilities can lead to better decisions about the appropriate risk treatment activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is described in detail in Clause 6, risk assessment activities in Clause 7 and risk treatment activities in Clause 8.
Other activities necessary for information security risk management are described in Clause 10.
5.2 Information security risk management cycles
Risk assessment and risk treatment must be updated regularly and on the basis of changes made. This should apply to the risk assessment as a whole, and the updates can be divided into two risk management cycles:
— the strategic cycle, in which the business values, risk sources and threats, targeted objectives or consequences of information security events derive from changes in the organization's overall context. These elements can serve as inputs for an overall update of the risk assessment(s) and risk treatments. They can also serve as inputs for identifying new risks and launching entirely new risk assessments;
— the operational cycle, in which the elements mentioned above serve as inputs or as modified criteria that affect one or more risk assessments, in which the scenarios should be reviewed and updated. The review should include updating the corresponding risk treatment as applicable.
The strategic cycle should run over a longer period or in the event of significant changes, whereas the operational cycle should be shorter, depending on the detailed risks that are identified and assessed and on the associated risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives, whereas the operational cycle applies to all risk assessments, taking into account the context of the risk management process. Both cycles can involve many risk assessments, each with a different context and scope.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives. An organization is not necessarily a company, another legal person or a legal entity: it can also be a subset of a legal entity (e.g. the IT department of a company), and can be regarded as the "organization" in the context of the ISMS.
It is important to understand that the risk appetite, defined as the level of risk an organization is willing to take or accept, can vary considerably from one organization to another. For example, factors that influence an organization's risk appetite are its size, complexity and sector. The risk appetite should be defined and regularly reviewed by top management.
The organization should ensure that the role of risk owner is determined according to the risk management activities identified. Risk owners should have the appropriate level of responsibility and authority to manage the identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of interested parties should be identified, together with compliance with these requirements. This includes identifying all reference documents that define the rules and controls applicable within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards covering the ISMS;
c) additional standards applicable to a specific sector (e.g. finance, health);
d) specific international and/or national regulations;
e) the organization's internal security rules;
f) rules and controls arising from contracts or agreements;
g) controls implemented on the basis of previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic requirements and compliance with them should serve as inputs for the assessment of likelihood and for risk treatment.
6.3 Application of risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk assessments embedded in many different processes, such as project management, vulnerability management, incident management, problem management, or even on an ad hoc basis for a specific topic. Regardless of how the risk assessments are performed, they should collectively cover all issues relevant to
...