Information security, cybersecurity and privacy protection — Guidance on managing information security risks

This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.


General Information
Status: Published
Publication Date: 24-Oct-2022
Current Stage: 6060 - International Standard published
Start Date: 25-Oct-2022
Due Date: 27-Jan-2023
Completion Date: 25-Oct-2022

Buy Standard
— Standard: ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks. Released 25.10.2022. English language, 62 pages.
— Standard: ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection — Guidance on managing information security risks. Released 25.10.2022. French language, 66 pages.
— Draft: ISO/IEC 27005:2023. English language, 68 pages.

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
Sécurité de l'information, cybersécurité et protection de la vie privée — Préconisations pour la gestion des risques liés à la sécurité de l'information
Reference number
ISO/IEC 27005:2022(E)
© ISO/IEC 2022

ISO/IEC 27005:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO/IEC 2022 – All rights reserved

Contents
Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
3.1 Terms related to information security risk ..... 1
3.2 Terms related to information security risk management ..... 5
4 Structure of this document ..... 7
5 Information security risk management ..... 7
5.1 Information security risk management process ..... 7
5.2 Information security risk management cycles ..... 9
6 Context establishment ..... 9
6.1 Organizational considerations ..... 9
6.2 Identifying basic requirements of interested parties ..... 10
6.3 Applying risk assessment ..... 10
6.4 Establishing and maintaining information security risk criteria ..... 11
6.4.1 General ..... 11
6.4.2 Risk acceptance criteria ..... 11
6.4.3 Criteria for performing information security risk assessments ..... 13
6.5 Choosing an appropriate method ..... 15
7 Information security risk assessment process ..... 16
7.1 General ..... 16
7.2 Identifying information security risks ..... 17
7.2.1 Identifying and describing information security risks ..... 17
7.2.2 Identifying risk owners ..... 18
7.3 Analysing information security risks ..... 19
7.3.1 General ..... 19
7.3.2 Assessing potential consequences ..... 19
7.3.3 Assessing likelihood ..... 20
7.3.4 Determining the levels of risk ..... 22
7.4 Evaluating the information security risks ..... 22
7.4.1 Comparing the results of risk analysis with the risk criteria ..... 22
7.4.2 Prioritizing the analysed risks for risk treatment ..... 23
8 Information security risk treatment process ..... 23
8.1 General ..... 23
8.2 Selecting appropriate information security risk treatment options ..... 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options ..... 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A ..... 27
8.5 Producing a Statement of Applicability ..... 27
8.6 Information security risk treatment plan ..... 28
8.6.1 Formulation of the risk treatment plan ..... 28
8.6.2 Approval by risk owners ..... 29
8.6.3 Acceptance of the residual information security risks ..... 30
9 Operation ..... 31
9.1 Performing information security risk assessment process ..... 31
9.2 Performing information security risk treatment process ..... 31
10 Leveraging related ISMS processes ..... 32
10.1 Context of the organization ..... 32
10.2 Leadership and commitment ..... 32
10.3 Communication and consultation ..... 33
10.4 Documented information ..... 35
10.4.1 General ..... 35
10.4.2 Documented information about processes ..... 35
10.4.3 Documented information about results ..... 35
10.5 Monitoring and review ..... 36
10.5.1 General ..... 36
10.5.2 Monitoring and reviewing factors influencing risks ..... 37
10.6 Management review ..... 38
10.7 Corrective action ..... 38
10.8 Continual improvement ..... 39
Annex A (informative) Examples of techniques in support of the risk assessment process ..... 41
Bibliography ..... 62

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.

INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]

3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]

3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]

3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]

3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]

3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Note 1
and 2 to entry have been renumbered as Note 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.
...
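The definitions in 3.1 and 3.2 chain together: the level of risk (3.1.15) combines likelihood (3.1.13) and consequence (3.1.14); risk evaluation (3.2.6) compares that level with the risk criteria (3.1.7); risk treatment (3.2.7) changes likelihood or consequence through a control (3.1.16) and leaves a residual risk (3.1.17) that must be evaluated again; risks left untreated are retained by informed decision (3.2.8). The following Python model is an added example, not text or code from ISO/IEC 27005. The five-step scales, the product risk matrix, the acceptance threshold, the register entries and the treatments are constructed assumptions, not values the standard prescribes.

```python
"""Worked model of ISO/IEC 27005 risk terms (added example, not from the standard).
Scales, threshold, scenarios and treatments below are constructed assumptions."""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional


class Likelihood(IntEnum):
    """Assumed five-step qualitative likelihood scale (3.1.13)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Assumed five-step qualitative consequence scale (3.1.14)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


def level_of_risk(likelihood: Likelihood, consequence: Consequence) -> int:
    """Level of risk (3.1.15): a combination of consequence and likelihood.
    A product matrix is one common choice; the standard does not mandate it."""
    return int(likelihood) * int(consequence)


@dataclass(frozen=True)
class RiskCriteria:
    """Risk acceptance criteria (3.1.7): levels at or below the threshold are acceptable."""
    acceptance_threshold: int

    def is_acceptable(self, level: int) -> bool:
        return level <= self.acceptance_threshold


@dataclass(frozen=True)
class RiskScenario:
    """Risk scenario (3.1.4) with its accountable risk owner (3.1.5)."""
    identifier: str
    description: str
    risk_owner: str
    likelihood: Likelihood
    consequence: Consequence

    def level(self) -> int:
        return level_of_risk(self.likelihood, self.consequence)


@dataclass(frozen=True)
class Treatment:
    """Risk treatment (3.2.7): a control (3.1.16) that changes likelihood and/or consequence."""
    control: str
    likelihood_after: Optional[Likelihood] = None
    consequence_after: Optional[Consequence] = None


def apply_treatment(scenario: RiskScenario, treatment: Treatment) -> RiskScenario:
    """Residual risk (3.1.17): the scenario as modified by the control."""
    return replace(
        scenario,
        likelihood=treatment.likelihood_after or scenario.likelihood,
        consequence=treatment.consequence_after or scenario.consequence,
    )


def prioritize(register: list[RiskScenario]) -> list[RiskScenario]:
    """Order analysed risks for treatment (7.4.2): highest level first."""
    return sorted(register, key=lambda s: s.level(), reverse=True)


def evaluate_register(register: list[RiskScenario], treatments: dict[str, Treatment],
                      criteria: RiskCriteria) -> list[dict]:
    """Risk evaluation (3.2.6) before and after treatment; untreated risks are retained (3.2.8)."""
    results = []
    for scenario in prioritize(register):
        treatment = treatments.get(scenario.identifier)
        residual = apply_treatment(scenario, treatment) if treatment else scenario
        results.append({
            "id": scenario.identifier,
            "owner": scenario.risk_owner,
            "initial_level": scenario.level(),
            "acceptable_before": criteria.is_acceptable(scenario.level()),
            "control": treatment.control if treatment else "retained by informed decision",
            "residual_level": residual.level(),
            "acceptable_after": criteria.is_acceptable(residual.level()),
        })
    return results


# Constructed register and criteria for illustration only.
CRITERIA = RiskCriteria(acceptance_threshold=6)
REGISTER = [
    RiskScenario("R1", "Phishing leads to credential theft on the mail platform",
                 "Head of IT", Likelihood.LIKELY, Consequence.MAJOR),
    RiskScenario("R2", "Backup media lost in transit", "Operations manager",
                 Likelihood.UNLIKELY, Consequence.MODERATE),
    RiskScenario("R3", "Unpatched public web server is compromised",
                 "Application owner", Likelihood.POSSIBLE, Consequence.SEVERE),
]
TREATMENTS = {
    "R1": Treatment("phishing-resistant MFA", likelihood_after=Likelihood.UNLIKELY),
    "R3": Treatment("patch SLA plus web application firewall",
                    likelihood_after=Likelihood.RARE, consequence_after=Consequence.MAJOR),
}

if __name__ == "__main__":
    for row in evaluate_register(REGISTER, TREATMENTS, CRITERIA):
        print(row)
```

In the constructed register, treating R1 lowers its level from 16 to 8, still above the threshold of 6, which is the situation 3.1.16 Note 2 describes: a control need not exert the intended modifying effect, so the residual risk goes back through evaluation and either further treatment or explicit acceptance by the risk owner rather than being assumed acceptable.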

NORME ISO/IEC
INTERNATIONALE 27005
Quatrième édition
2022-10
Sécurité de l'information,
cybersécurité et protection de la
vie privée — Préconisations pour la
gestion des risques liés à la sécurité
de l'information
Information security, cybersecurity and privacy protection —
Guidance on managing information security risks
Numéro de référence
ISO/IEC 27005:2022(F)
© ISO/IEC 2022

---------------------- Page: 1 ----------------------
ISO/IEC 27005:2022(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO/IEC 2022
Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette
publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,
y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut
être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii
  © ISO/IEC 2022 – Tous droits réservés

---------------------- Page: 2 ----------------------
ISO/IEC 27005:2022(F)
Sommaire Page
Avant-propos .v
Introduction . vi
1 Domaine d'application .1
2 Références normatives .1
3 Termes et définitions . 1
3.1 Termes associés aux risques liés à la sécurité de l'information . 1
3.2 Termes relatifs à la gestion des risques liés à la sécurité de l'information . 5
4 Structure du présent document. 7
5 Gestion des risques liés à la sécurité de l'information . 8
5.1 Processus de gestion des risques liés à la sécurité de l'information . 8
5.2 Cycles de gestion des risques liés à la sécurité de l'information . 9
6 Établissement du contexte .10
6.1 Considérations organisationnelles . 10
6.2 Identification des exigences de base des parties intéressées . 10
6.3 Application de l'appréciation du risque . 10
6.4 Établir et maintenir les critères de risques liés à la sécurité de l'information . 11
6.4.1 Généralités . 11
6.4.2 Critères d'acceptation du risque. 11
6.4.3 Critères de réalisation des appréciations du risque lié à la sécurité de
l'information.13
6.5 Choix d'une méthode appropriée . 16
7 Processus d'appréciation du risque lié à la sécurité de l'information .17
7.1 Généralités . 17
7.2 Identification des risques liés à la sécurité de l'information . 17
7.2.1 Identification et description des risques liés à la sécurité de l'information . 17
7.2.2 Identification des propriétaires du risque . 20
7.3 Analyse du risque lié à la sécurité de l'information . 20
7.3.1 Généralités .20
7.3.2 Appréciation des conséquences potentielles . 21
7.3.3 Vraisemblance de l'appréciation . 21
7.3.4 Détermination des niveaux de risque . 23
7.4 Évaluation du risque lié à la sécurité de l'information . 24
7.4.1 Comparaison des résultats d'analyse du risque avec les critères de risque . 24
7.4.2 Classement des risques analysés par ordre de priorité en vue de leur
traitement . 24
8 Processus de traitement du risque lié à la sécurité de l'information .25
8.1 Généralités . 25
8.2 Sélection des options appropriées de traitement du risque lié à la sécurité de
l'information . 25
8.3 Détermination de l'ensemble des moyens de maîtrise nécessaires pour la mise en
œuvre des options de traitement du risque lié à la sécurité de l'information .26
8.4 Comparaison des moyens de maîtrise déterminés avec celles de l'ISO/
IEC 27001:2022, Annexe A .29
8.5 Préparation d'une déclaration d'applicabilité .30
8.6 Plan de traitement du risque lié à la sécurité de l'information . 31
8.6.1 Formulation du plan de traitement du risque . 31
8.6.2 Approbation par les propriétaires du risque . 32
8.6.3 Acceptation du risque résiduel en matière de sécurité de l'information . 32
9 Réalisation des activités opérationnelles .33
9.1 Réalisation du processus d'appréciation du risque lié à la sécurité de l'information .33
9.2 Réalisation du processus de traitement du risque lié à la sécurité de l'information.34
iii
© ISO/IEC 2022 – Tous droits réservés

---------------------- Page: 3 ----------------------
ISO/IEC 27005:2022(F)
10 Exploiter les processus SMSI connexes .34
10.1 Contexte de l'organisme .34
10.2 Leadership et engagement . 35
10.3 Communication et concertation . 36
10.4 Informations documentées .38
10.4.1 Généralités .38
10.4.2 Informations documentées concernant les processus .38
10.4.3 Informations documentées concernant les résultats .39
10.5 Surveillance et revue . 39
10.5.1 Généralités .39
10.5.2 Surveillance et revue des facteurs ayant une influence sur les risques .40
10.6 Revue de direction . 41
10.7 Action corrective . 42
10.8 Amélioration continue . 42
Annexe A (informative) Techniques à l'appui du processus d'appréciation du risque —
Exemples . 44
Bibliographie .66
iv
  © ISO/IEC 2022 – Tous droits réservés

---------------------- Page: 4 ----------------------
ISO/IEC 27005:2022(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) et l’IEC (Commission électrotechnique
internationale) forment le système spécialisé de la normalisation mondiale. Les organismes
nationaux membres de l'ISO ou de l’IEC participent au développement de Normes internationales
par l'intermédiaire des comités techniques créés par l'organisation concernée afin de s'occuper des
domaines particuliers de l'activité technique. Les comités techniques de l'ISO et de l’IEC collaborent
dans des domaines d'intérêt commun. D'autres organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO et l’IEC, participent également aux travaux.
Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont
décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier de prendre note des différents
critères d'approbation requis pour les différents types de documents ISO. Le présent document a
été rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2 (voir
www.iso.org/directives ou www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/brevets) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/avant-propos. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses and subclauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is distinguished from the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user's national standards
body. A complete listing of these bodies can be found at www.iso.org/fr/members.html and
www.iec.ch/national-committees.
© ISO/IEC 2022 – All rights reserved

ISO/IEC 27005:2022(F)
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of the risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. persons
specializing in the management of these risks, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
INTERNATIONAL STANDARD ISO/IEC 27005:2022(F)
Information security, cybersecurity and privacy protection — Guidance on managing information
security risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties' relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as the effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase "It can be positive, negative or both, and can
address, create or result in opportunities and threats" has been replaced with "positive or negative" in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word "likelihood" is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages; instead, the
equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it
should have the same broad interpretation as the term "probability" has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase "magnitude of a risk or combination of
risks" has been replaced with "significance of a risk".]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process
...

SLOVENIAN STANDARD
oSIST ISO/IEC 27005:2023
01-September-2023
Information security, cybersecurity and privacy protection - Guidance on managing
information security risks
This Slovenian standard is identical to: ISO/IEC 27005:2022
ICS:
03.100.70 Management systems
35.030 IT Security
oSIST ISO/IEC 27005:2023 en,fr,de
2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of this standard in whole or in part is not permitted.

INTERNATIONAL ISO/IEC
STANDARD 27005
Fourth edition
2022-10
Information security, cybersecurity
and privacy protection — Guidance on
managing information security risks
Sécurité de l'information, cybersécurité et protection de la vie
privée — Préconisations pour la gestion des risques liés à la sécurité
de l'information
Reference number
ISO/IEC 27005:2022(E)
© ISO/IEC 2022

ISO/IEC 27005:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
  © ISO/IEC 2022 – All rights reserved

Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
3.1 Terms related to information security risk . 1
3.2 Terms related to information security risk management . 5
4 Structure of this document . 7
5 Information security risk management . 7
5.1 Information security risk management process . 7
5.2 Information security risk management cycles . 9
6 Context establishment . 9
6.1 Organizational considerations . 9
6.2 Identifying basic requirements of interested parties . 10
6.3 Applying risk assessment . 10
6.4 Establishing and maintaining information security risk criteria . 11
6.4.1 General . 11
6.4.2 Risk acceptance criteria . 11
6.4.3 Criteria for performing information security risk assessments . 13
6.5 Choosing an appropriate method . 15
7 Information security risk assessment process . 16
7.1 General . 16
7.2 Identifying information security risks . 17
7.2.1 Identifying and describing information security risks . 17
7.2.2 Identifying risk owners . 18
7.3 Analysing information security risks . 19
7.3.1 General . 19
7.3.2 Assessing potential consequences . 19
7.3.3 Assessing likelihood . 20
7.3.4 Determining the levels of risk . 22
7.4 Evaluating the information security risks . 22
7.4.1 Comparing the results of risk analysis with the risk criteria . 22
7.4.2 Prioritizing the analysed risks for risk treatment . 23
8 Information security risk treatment process . 23
8.1 General . 23
8.2 Selecting appropriate information security risk treatment options . 23
8.3 Determining all controls that are necessary to implement the information security
risk treatment options . 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A . 27
8.5 Producing a Statement of Applicability . 27
8.6 Information security risk treatment plan . 28
8.6.1 Formulation of the risk treatment plan . 28
8.6.2 Approval by risk owners . 29
8.6.3 Acceptance of the residual information security risks . 30
9 Operation . 31
9.1 Performing information security risk assessment process . 31
9.2 Performing information security risk treatment process . 31
10 Leveraging related ISMS processes . 32
10.1 Context of the organization . 32
10.2 Leadership and commitment . 32
10.3 Communication and consultation . 33
10.4 Documented information . 35
10.4.1 General . 35
10.4.2 Documented information about processes . 35
10.4.3 Documented information about results . 35
10.5 Monitoring and review . 36
10.5.1 General . 36
10.5.2 Monitoring and reviewing factors influencing risks . 37
10.6 Management review . 38
10.7 Corrective action . 38
10.8 Continual improvement . 39
Annex A (informative) Examples of techniques in support of the risk assessment process . 41
Bibliography . 62
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
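As an added illustration (not text or code from ISO/IEC 27005), the following Python sketch chains the terms defined above: a level of risk (3.1.15) is computed from likelihood (3.1.13) and consequence (3.1.14), compared with risk criteria (3.2.6), and recomputed as residual risk (3.1.17) after controls (3.1.16) whose effectiveness is an explicit parameter, reflecting Note 2 to 3.1.16. The qualitative scales, the product rule, the acceptance threshold and the sample risk are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed five-step scales; an organization defines its own as part of its risk criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A control (3.1.16) that modifies risk. Note 2 to 3.1.16 warns that controls
    may not exert the intended effect, so effectiveness (0.0 none .. 1.0 full) is explicit."""
    name: str
    likelihood_reduction: int   # steps down the likelihood scale if fully effective
    consequence_reduction: int  # steps down the consequence scale if fully effective
    effectiveness: float = 1.0


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)  # applied treatment (3.2.7)


def level_of_risk(likelihood: str, consequence: str) -> int:
    """3.1.15: significance expressed as a combination of consequence and likelihood.
    The product is one common combination rule and is an assumption of this example."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(level: int, acceptance_threshold: int) -> str:
    """3.2.6: compare the analysed level with the risk criteria to decide acceptability."""
    return "acceptable" if level <= acceptance_threshold else "needs treatment"


def residual_level(risk: Risk) -> int:
    """3.1.17: risk remaining after treatment. Each control's reduction is scaled by
    its effectiveness and truncated; neither scale can drop below its lowest step."""
    lik, con = LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence]
    for ctl in risk.controls:
        lik -= int(ctl.likelihood_reduction * ctl.effectiveness)
        con -= int(ctl.consequence_reduction * ctl.effectiveness)
    return max(lik, 1) * max(con, 1)


def assess(risk: Risk, acceptance_threshold: int = 6) -> dict:
    """Run analysis, evaluation and residual evaluation for one identified risk."""
    inherent = level_of_risk(risk.likelihood, risk.consequence)
    residual = residual_level(risk)
    return {"inherent": inherent, "evaluation": evaluate(inherent, acceptance_threshold),
            "residual": residual, "residual_evaluation": evaluate(residual, acceptance_threshold)}
```

Constructed example: a risk rated "likely"/"major" treated with a fully effective patching control and a backup control drops from an inherent level of 16 to a residual level of 4 under a threshold of 6; if patching is only half effective the residual stays above the threshold, which is exactly the situation Note 2 to 3.1.16 cautions about.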
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.
...
