Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)

This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

German title: Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)

French title: Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)

The French abstract repeats the English abstract above: guidance to help organizations fulfil the ISO/IEC 27001 requirements on actions to address information security risks and to perform information security risk assessment and treatment, applicable to all organizations regardless of type, size or sector.

Slovenian title: Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)

The Slovenian abstract repeats the English abstract above: guidance to help organizations fulfil the ISO/IEC 27001 requirements on measures to address information security risks and to carry out information security risk management activities, above all their assessment and treatment, applicable to all organizations regardless of type, size or sector.

General Information

Status: Published
Public Enquiry End Date: 25-Jun-2024
Publication Date: 15-Sep-2024
Technical Committee: ITC - Information technology
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 21-Aug-2024
Due Date: 26-Oct-2024
Completion Date: 16-Sep-2024

Overview

SIST EN ISO/IEC 27005:2024 (adoption of ISO/IEC 27005:2022 as EN ISO/IEC 27005:2024) provides detailed guidance on managing information security risks to support implementation of an Information Security Management System (ISMS). It helps organizations of any type, size or sector to fulfil ISO/IEC 27001 requirements related to identifying, assessing and treating information security risks, with additional emphasis on cybersecurity and privacy protection.

Key topics and technical coverage

This guidance covers the full information security risk management lifecycle and related ISMS processes, including:

  • Risk management process and cycles - principles for establishing iterative risk management activities.
  • Context establishment - organizational considerations, stakeholder requirements and risk criteria.
  • Risk assessment - identification, description and ownership of information security risks.
    • Risk analysis: assessing potential consequences and likelihood to determine risk levels.
    • Risk evaluation: comparing results against risk acceptance criteria and prioritizing risks.
  • Risk treatment - selecting treatment options, determining and implementing controls, and documenting a risk treatment plan.
  • Controls alignment - comparing selected controls with ISO/IEC 27001:2022 Annex A and producing a Statement of Applicability.
  • Operation and monitoring - performing assessments and treatments, documented information, communication, monitoring, management review, corrective action and continual improvement.
  • Practical techniques - Annex A provides examples of techniques to support risk assessment activities.
  • Definitions, normative references and structured guidance to choose appropriate methods and criteria.

Practical applications

ISO/IEC 27005 is practical for organizations that need to:

  • Implement or mature an ISMS and meet ISO/IEC 27001 risk requirements.
  • Conduct systematic information security and cybersecurity risk assessments.
  • Develop risk treatment plans and justify control selections (useful for audits and compliance).
  • Integrate privacy risk considerations into security risk workflows.
  • Prioritize security investments and supplier/vendor risk measures based on documented risk levels.
  • Establish repeatable, auditable processes for monitoring, review and continual improvement.

Who should use this standard

  • CISOs, information security and risk managers
  • Compliance officers and internal auditors
  • IT/security architects and project managers
  • Consultants supporting ISO/IEC 27001 implementation
  • Organizations across public and private sectors seeking structured risk management

Related standards

  • ISO/IEC 27001 - requirements for an Information Security Management System (ISMS)
  • The broader ISO/IEC 27000 family - context for security management and implementation guidance

Keywords: ISO/IEC 27005:2024, information security risk management, ISO/IEC 27001, risk assessment, risk treatment, ISMS, cybersecurity, privacy protection, Statement of Applicability.

Standard

SIST EN ISO/IEC 27005:2024 - English language, 71 pages
SIST EN ISO/IEC 27005:2024 - English language, 71 pages
SIST EN ISO/IEC 27005:2024 - English language, 79 pages

Frequently Asked Questions

SIST EN ISO/IEC 27005:2024 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)". This standard covers the following: the document provides guidance to assist organizations to fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks, and to perform information security risk management activities, specifically information security risk assessment and treatment. It is applicable to all organizations, regardless of type, size or sector.


SIST EN ISO/IEC 27005:2024 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

You can purchase SIST EN ISO/IEC 27005:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
(The title is printed in Slovenian, English, German and French in the original; all four are equivalent.)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005
(the heading "European Standard" is also given in French and German)
August 2024
ICS 35.030
English version
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
(The French and German titles, printed side by side in the original, are equivalent to the English title.)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 E
Contents
European foreword 3

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2025, and conflicting national standards
shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024
without any modification.
INTERNATIONAL STANDARD ISO/IEC 27005
Fourth edition
2022-10
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
(The French title, equivalent to the English one, follows in the original.)
Reference number
ISO/IEC 27005:2022(E)
© ISO/IEC 2022
ISO/IEC 27005:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

Contents
Foreword v
Introduction vi
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
3.1 Terms related to information security risk 1
3.2 Terms related to information security risk management 5
4 Structure of this document 7
5 Information security risk management 7
5.1 Information security risk management process 7
5.2 Information security risk management cycles 9
6 Context establishment 9
6.1 Organizational considerations 9
6.2 Identifying basic requirements of interested parties 10
6.3 Applying risk assessment 10
6.4 Establishing and maintaining information security risk criteria 11
6.4.1 General 11
6.4.2 Risk acceptance criteria 11
6.4.3 Criteria for performing information security risk assessments 13
6.5 Choosing an appropriate method 15
7 Information security risk assessment process 16
7.1 General 16
7.2 Identifying information security risks 17
7.2.1 Identifying and describing information security risks 17
7.2.2 Identifying risk owners 18
7.3 Analysing information security risks 19
7.3.1 General 19
7.3.2 Assessing potential consequences 19
7.3.3 Assessing likelihood 20
7.3.4 Determining the levels of risk 22
7.4 Evaluating the information security risks 22
7.4.1 Comparing the results of risk analysis with the risk criteria 22
7.4.2 Prioritizing the analysed risks for risk treatment 23
8 Information security risk treatment process 23
8.1 General 23
8.2 Selecting appropriate information security risk treatment options 23
8.3 Determining all controls that are necessary to implement the information security risk treatment options 24
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A 27
8.5 Producing a Statement of Applicability 27
8.6 Information security risk treatment plan 28
8.6.1 Formulation of the risk treatment plan 28
8.6.2 Approval by risk owners 29
8.6.3 Acceptance of the residual information security risks 30
9 Operation 31
9.1 Performing information security risk assessment process 31
9.2 Performing information security risk treatment process 31
10 Leveraging related ISMS processes 32
10.1 Context of the organization 32
10.2 Leadership and commitment 32
10.3 Communication and consultation 33
10.4 Documented information 35
10.4.1 General 35
10.4.2 Documented information about processes 35
10.4.3 Documented information about results 35
10.5 Monitoring and review 36
10.5.1 General 36
10.5.2 Monitoring and reviewing factors influencing risks 37
10.6 Management review 38
10.7 Corrective action 38
10.8 Continual improvement 39
Annex A (informative) Examples of techniques in support of the risk assessment process 41
Bibliography 62

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.

INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 2 to entry has been added and the original Notes 2
and 3 to entry have been renumbered as Notes 3 and 4 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Retention can be restricted to a certain period of time” has replaced
“Risk retention includes the acceptance of residual risks” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, keyword and key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls, while still ensuring that
risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
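The loop described in 5.1, and the Clause 3 vocabulary it relies on (risk scenario, risk owner, level of risk, risk criteria, treatment options, residual and retained risk), as an added Python example that is not part of the standard. The 1..5 ordinal scales, the product as the "combination" of likelihood and consequence, the two thresholds standing in for risk criteria, the sample credential-stuffing scenario and its treatment plan are all assumptions chosen for illustration; ISO/IEC 27005 prescribes none of them.

```python
"""Toy risk register for the ISO/IEC 27005 assess -> treat -> residual loop.
Added example, not text of the standard: the 1..5 scales, the product as the
"combination", the thresholds, the sample scenario and plan are ASSUMPTIONS."""
from dataclasses import dataclass, replace
from enum import Enum


class Option(Enum):
    """3.2.7 Note 1 options; "taking or increasing risk" is excluded by Note 2."""
    AVOID = "avoid the activity"
    REMOVE_SOURCE = "remove the risk source"
    MODIFY_LIKELIHOOD = "change the likelihood"
    MODIFY_CONSEQUENCE = "change the consequences"
    SHARE = "share with another party"
    RETAIN = "retain by informed decision"


@dataclass(frozen=True)
class Risk:
    """Risk scenario (3.1.4) with its owner (3.1.5); ASSUMED 1..5 scales."""
    name: str
    owner: str
    source: str          # risk source (3.1.6)
    event: str           # event (3.1.11)
    consequence: str     # consequence (3.1.14)
    likelihood: int
    severity: int
    treatments: tuple = ()   # audit trail of (option, reduction) applied
    retained: bool = False
    avoided: bool = False


# ASSUMED risk criteria (3.1.7) as thresholds on the level of risk.
ACCEPTABLE_MAX = 6    # at or below: acceptable as is
TOLERABLE_MAX = 12    # at or below: the owner may retain it by informed decision


def level_of_risk(r: Risk) -> int:
    """3.1.15: combination of consequence and likelihood (here the product);
    an avoided risk no longer arises, so its level is 0."""
    return 0 if r.avoided else r.likelihood * r.severity


def evaluate(r: Risk) -> str:
    """3.2.6: compare the analysed level with the risk criteria."""
    lvl = level_of_risk(r)
    if lvl <= ACCEPTABLE_MAX:
        return "acceptable"
    return "tolerable" if lvl <= TOLERABLE_MAX else "unacceptable"


def apply(r: Risk, option: Option, reduction: int = 0) -> Risk:
    """3.2.7: modify the risk. A negative reduction would take on more risk,
    which is not an information security treatment, so it is rejected."""
    if reduction < 0:
        raise ValueError("taking or increasing risk is not an infosec treatment")
    log = r.treatments + ((option.value, reduction),)
    if option is Option.AVOID:
        return replace(r, avoided=True, treatments=log)
    if option is Option.REMOVE_SOURCE:        # source gone: floor of the scale
        return replace(r, likelihood=1, treatments=log)
    if option is Option.MODIFY_LIKELIHOOD:
        return replace(r, likelihood=max(1, r.likelihood - reduction), treatments=log)
    if option in (Option.MODIFY_CONSEQUENCE, Option.SHARE):
        # sharing (insurance, contract) moves part of the burden, not the likelihood
        return replace(r, severity=max(1, r.severity - reduction), treatments=log)
    return replace(r, retained=True, treatments=log)   # RETAIN (3.2.10)


def treat(r: Risk, plan: list) -> tuple:
    """Risk decision point 2 of Figure 1: apply the plan step by step, stopping
    once the residual risk (3.1.17) is acceptable. A tolerable residual is retained
    by the owner's informed decision (3.2.8) and flagged for monitoring; an
    unacceptable one goes back for another assessment iteration. Returns (risk, decision)."""
    for option, reduction in plan:
        if evaluate(r) == "acceptable":
            break
        r = apply(r, option, reduction)
    verdict = evaluate(r)
    if verdict == "acceptable":
        return r, "accepted"
    if verdict == "tolerable":
        return apply(r, Option.RETAIN), "retained"
    return r, "reassess"


# Constructed sample scenario and treatment plan (not from the standard).
SAMPLE = Risk(
    name="credential stuffing against the customer portal",
    owner="Head of Digital Channels",
    source="external attacker (human, intentional)",
    event="reused passwords accepted by the login endpoint",
    consequence="account takeover and fraudulent orders",
    likelihood=5, severity=4,
)
PLAN = [
    (Option.MODIFY_LIKELIHOOD, 2),   # MFA plus breached-password screening
    (Option.MODIFY_CONSEQUENCE, 1),  # transaction limits for new devices
    (Option.SHARE, 1),               # cyber insurance for residual fraud losses
]
```

Calling `treat(SAMPLE, PLAN)` takes the level from 20 to 6 and returns "accepted"; with only the first two steps the residual sits at 9 and is returned as "retained" with the retained flag set, so it shows up in monitoring and review as 3.2.8 Note 2 expects; a plan that leaves the level above 12 returns "reassess", which is the standard's second decision point expressed in code. The frozen dataclass and the treatments trail mean the original assessment is never overwritten, which is what an auditor will ask to see next to the residual figure.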
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This applies to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, in which business assets, risk sources and threats, target objectives or the consequences
of information security events evolve because of changes in the overall context of the organization.
These changes are inputs for an overall update of the risk assessment(s) and the risk treatments, and
can also serve as input for identifying new risks and initiating completely new risk assessments;
— operational cycle, in which the above-mentioned elements serve as input information or changed
criteria that affect a risk assessment whose scenarios should then be reviewed and updated. The review
should include updating the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), which can then be considered the “organization” within the context of the ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk a
...


SLOVENIAN STANDARD
1 October 2024
Information security, cybersecurity and privacy protection - Guidance on managing
information security risks (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005

NORME EUROPÉENNE
EUROPÄISCHE NORM
August 2024
ICS 35.030
English version
Information security, cybersecurity and privacy protection
- Guidance on managing information security risks
(ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for
CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 E
Contents
European foreword

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology" of the International Organization for Standardization (ISO) and has been taken over as
EN ISO/IEC 27005:2024 by Technical Committee CEN/CLC/JTC 13 "Cybersecurity and Data Protection",
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2025, and conflicting national standards
shall be withdrawn at the latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 27005
Fourth edition
2022-10
Information security, cybersecurity
and privacy protection — Guidance on
managing information security risks
Sécurité de l'information, cybersécurité et protection de la vie
privée — Préconisations pour la gestion des risques liés à la sécurité
de l'information
Reference number
ISO/IEC 27005:2022(E)
© ISO/IEC 2022
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Operation
9.1 Performing information security risk assessment process
9.2 Performing information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A (informative) Examples of techniques in support of the risk assessment process
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been
technically revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022, and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended to be used by:
— organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS
professionals, risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
INTERNATIONAL STANDARD ISO/IEC 27005:2022(E)
Information security, cybersecurity and privacy
protection — Guidance on managing information security
risks
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk
assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic, geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external interested parties’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems
and technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences
and their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risks are usually associated with a negative effect of uncertainty on
information security objectives.
Note 7 to entry: Information security risks can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase: “It can be positive, negative or both, and can
address, create or result in opportunities and threats” has been replaced with “positive or negative” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry; and Notes 3, 5, 6
and 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence
(3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source type can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Notes 1 and 2 to entry have been added.]
3.1.7
risk criteria
terms of reference against which the significance of a risk (3.1.3) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.1.1) and internal
context (3.1.2).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
risk appetite
amount and type of risk (3.1.3) that an organization is willing to pursue or retain
[SOURCE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
threat
potential cause of an information security incident (3.1.12) that can result in damage to a system or harm
to an organization
3.1.10
vulnerability
weakness of an asset or control (3.1.16) that can be exploited so that an event (3.1.11) with a negative
consequence (3.1.14) occurs
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences
(3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry has been removed.]
3.1.12
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their
likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — the phrase: “magnitude of a risk or combination of
risks” has been replaced with “significance of a risk”.]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risks can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry has been modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain
information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance,
evaluation, acceptance and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes
and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and interested parties’ needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — "interested party" has replaced "stakeholder" in Note 2
to entry.]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and decisions about risk treatment
(3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether
the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — “significance” has replaced “magnitude”.]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Information security risk treatment does not include “taking or increasing risk in order to pursue
an opportunity” but the organization can have this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry has been added and the original Note 1
and 2 to entry have been renumbered as Note 2 and 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing
arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — the word “temporary” has been added at the start of
the definition, and the phrase “Risk retention includes the acceptance of residual risks” has replaced
“Retention can be restricted to a certain period of time” in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented
from Clause 7 to Clause 10 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Trigger: Provides guidance on when to start the activity, for example because of a change within the
organization or according to a plan or a change in the external context of the organization.
Output: Identifies any information derived after performing the activity, as well as any criteria that
such output should satisfy.
Guidance: Provides guidance on performing the activity, keyword and key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process defined in ISO 31000.
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk
assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can
increase depth and detail of the assessment at each iteration. The iterative approach provides a good
balance between minimizing the time and effort spent in identifying controls, while still ensuring that
risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security
risk management or an information security risk assessment.
If the risk assessment provides sufficient information to effectively determine the actions required
to modify the risks to an acceptable level, then the task is complete and the risk treatment follows.
If the information is insufficient, another iteration of the risk assessment should be performed. This
can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in
the relevant field, or other ways to collect the information required to enable risk modification to an
acceptable level (see "risk decision point 1" in Figure 1).
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
It is possible that the risk treatment does not immediately lead to an acceptable level of residual risks. In
this situation, another attempt to find further risk treatment can be performed, or there can be another
iteration of the risk assessment, either as a whole or in parts. This can involve a change of context of the
risk assessment (e.g. by a revised scope) and involvement of expertise in the relevant field. Knowledge
about relevant threats or vulnerabilities can lead to better decisions about suitable risk treatment
activities in the next iteration of the risk assessment (see "risk decision point 2" in Figure 1).
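The loop described above (analyse the level of risk, evaluate it against the risk criteria, treat, check the residual risk, and go round again if it is still not acceptable) as an added worked example; this is illustrative code written for this page, not part of ISO/IEC 27005. The ordinal likelihood and consequence scales, the multiplicative way of combining them into a level of risk (3.1.15), the acceptance threshold, and the sample risks and treatments in the register are all constructed assumptions: the standard leaves the choice of scales and criteria to the organization.

```python
"""Constructed risk register walking through the loop in 5.1: analyse the
level of risk, evaluate it against the risk criteria, treat, and check the
residual risk. Scales, threshold, risks and treatments are all made up."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Assumed ordinal scales; ISO/IEC 27005 leaves the actual scales to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criterion (3.1.7): a level of risk at or below this is acceptable.
ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    owner: str          # risk owner (3.1.5)
    likelihood: str     # key into LIKELIHOOD
    consequence: str    # key into CONSEQUENCE


@dataclass(frozen=True)
class Treatment:
    """A risk treatment option (3.2.7): it may change the likelihood, the
    consequence, both, or avoid the risk by stopping the activity."""
    name: str
    likelihood: Optional[str] = None
    consequence: Optional[str] = None
    avoid: bool = False


def level_of_risk(risk: Risk) -> int:
    """3.1.15: combination of consequences and likelihood.
    Multiplying the two ordinal ranks is this example's assumption."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def is_acceptable(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """3.2.6: compare the analysed level of risk with the risk criteria."""
    return level_of_risk(risk) <= threshold


def apply_treatment(risk: Risk, t: Treatment) -> Optional[Risk]:
    """Return the residual risk (3.1.17) after one treatment, or None if the
    risk was avoided altogether."""
    if t.avoid:
        return None
    return replace(risk,
                   likelihood=t.likelihood or risk.likelihood,
                   consequence=t.consequence or risk.consequence)


def treat(risk: Risk, treatments: List[Treatment],
          threshold: int = ACCEPTANCE_THRESHOLD) -> Dict:
    """Iterate the treatment loop of 5.1: apply treatments one at a time until
    the residual risk is acceptable or the planned treatments are exhausted.
    A risk still unacceptable at the end is flagged for another iteration of
    assessment/treatment (risk decision point 2)."""
    history = []
    current = risk
    for t in treatments:
        if is_acceptable(current, threshold):
            break
        current = apply_treatment(current, t)
        if current is None:
            history.append((t.name, None))
            return {"residual": None, "acceptable": True, "reassess": False, "history": history}
        history.append((t.name, level_of_risk(current)))
    acceptable = is_acceptable(current, threshold)
    return {"residual": level_of_risk(current), "acceptable": acceptable,
            "reassess": not acceptable, "history": history}


# Constructed sample register; the risks and controls are illustrative only.
REGISTER = [
    (Risk("R1", "Phishing compromises an administrator account", "Head of IT", "likely", "major"),
     [Treatment("Phishing-resistant MFA for admins", likelihood="unlikely"),
      Treatment("Separate admin accounts with limited scope", consequence="moderate")]),
    (Risk("R2", "Unpatched legacy file-transfer server exposed to the internet", "Head of IT",
          "almost certain", "major"),
     [Treatment("Decommission the service", avoid=True)]),
    (Risk("R3", "Single cloud backup provider becomes unavailable", "Ops lead", "possible", "moderate"),
     [Treatment("Add a second, independent backup location", consequence="minor")]),
    (Risk("R4", "Insider exfiltrates customer records", "CISO", "possible", "severe"),
     [Treatment("Data loss prevention monitoring", likelihood="unlikely")]),
]


def run_register(register=REGISTER) -> Dict[str, Dict]:
    """Treat every risk in the register and return the outcome per risk id."""
    return {risk.rid: treat(risk, treatments) for risk, treatments in register}


if __name__ == "__main__":
    for rid, outcome in run_register().items():
        status = "accepted" if outcome["acceptable"] else "NOT acceptable -> reassess"
        print(f"{rid}: residual={outcome['residual']} {status}; steps={outcome['history']}")
```

Running the block shows the three outcomes the text distinguishes: R1 and R3 reach an acceptable residual level after treatment, R2 disappears because the activity is avoided, and R4 remains above the threshold after the planned treatment and is flagged for another iteration of the assessment.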
Context establishment is discussed in detail in Clause 6, risk assessment activities in Clause 7 and risk
treatment activities in Clause 8.
Other activities necessary for managing information security risks are discussed in Clause 10.
5.2 Information security risk management cycles
The risk assessment and the risk treatment should be updated on a regular basis and in response to
changes. This applies to the entire risk assessment, and the updates can be divided into two risk
management cycles:
— strategic cycle, where business assets, risk sources and threats, target objectives or consequences
of information security events evolve from changes in the overall context of the organization.
This can serve as input for an overall update of the risk assessment or risk assessments and the
risk treatments. It can also serve as an input for identifying new risks and initiating completely new
risk assessments;
— operational cycle, where the above-mentioned elements serve as input information or changed
criteria that affect a risk assessment or assessments, in which the scenarios should be reviewed
and updated. The review should include updating of the corresponding risk treatment as applicable.
The strategic cycle should be conducted on a longer time basis or when major changes occur, while the
operational cycle should be shorter, depending on the detailed risks that are identified and assessed as
well as the related risk treatment.
The strategic cycle applies to the environment in which the organization seeks to achieve its objectives,
while the operational cycle applies to all risk assessments considering the context of the risk
management process. In both cycles, there can be many risk assessments with different contexts and
scope in each assessment.
6 Context establishment
6.1 Organizational considerations
NOTE This subclause relates to ISO/IEC 27001:2022, 4.1.
An organization is defined as a person or group of people that has its own functions with responsibilities,
authorities and relationships to achieve its objectives. An organization is not necessarily a company,
other corporate body or legal entity; it can also be a subset of a legal entity (e.g. the IT department of a
company), and can be considered as the “organization” within the context of the ISMS.
It is important to understand that risk appetite, defined as the amount of risk an organization is willing
to pursue or accept, can vary considerably from organization to organization. For instance, factors
affecting an organization’s risk appetite include size, complexity and sector. Risk appetite should be set
and regularly reviewed by top management.
The organization should ensure that the role of the risk owner is determined in terms of the management
activities regarding the identified risks. Risk owners should have appropriate accountability and
authority for managing identified risks.
6.2 Identifying basic requirements of interested parties
NOTE This subclause relates to ISO/IEC 27001:2022, 4.2.
The basic requirements of relevant interested parties should be identified, as well as the status of
compliance with these requirements. This includes identifying all the reference documents that define
security rules and controls and that apply within the scope of the information security risk assessment.
These reference documents can include, but are not limited to:
a) ISO/IEC 27001:2022, Annex A;
b) additional standards that cover ISMS;
c) additional standards applicable to a specific sector (e.g. financial, healthcare);
d) specific international and/or national regulations;
e) the organization’s internal security rules;
f) security rules and controls from contracts or agreements;
g) security controls implemented based on previous risk treatment activities.
Any non-compliance with the basic requirements should be explained and justified. These basic
requirements and their compliance should be the input for the likelihood assessment and for the risk
treatment.
6.3 Applying risk assessment
NOTE This subclause relates to ISO/IEC 27001:2022, 4.3.
Organizations can perform risk ass
...


SLOVENIAN STANDARD
01-October-2024
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
This Slovenian standard is identical to: EN ISO/IEC 27005:2024
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27005
August 2024
ICS 35.030
German version
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
This European Standard was approved by CEN on 1 August 2024.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, the Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27005:2024 D

Contents
Page
European foreword . 5
Foreword . 6
Introduction . 7
1 Scope . 8
2 Normative references . 8
3 Terms and definitions . 8
3.1 Terms related to information security risk . 8
3.2 Terms related to information security risk management . 12
4 Structure of this document . 15
5 Information security risk management . 15
5.1 Information security risk management process . 15
5.2 Information security risk management cycles . 17
6 Context establishment . 18
6.1 Organizational considerations . 18
6.2 Identifying basic requirements of interested parties . 18
6.3 Applying risk assessment . 19
6.4 Establishing and maintaining information security risk criteria . 19
6.4.1 General . 19
6.4.2 Risk acceptance criteria . 20
6.4.3 Criteria for performing information security risk assessments . 21
6.5 Choosing an appropriate method . 25
7 Information security risk assessment process . 25
7.1 General . 25
7.2 Identifying information security risks . 26
7.2.1 Identifying and describing information security risks . 26
7.2.2 Identifying risk owners . 28
7.3 Analysing information security risks . 29
7.3.1 General . 29
7.3.2 Assessing potential consequences . 29
7.3.3 Assessing likelihood . 30
7.3.4 Determining the levels of risk . 32
7.4 Evaluating the information security risks . 33
7.4.1 Comparing the results of risk analysis with the risk criteria . 33
7.4.2 Prioritizing the analysed risks for risk treatment . 34
8 Information security risk treatment process . 34
8.1 General . 34
8.2 Selecting appropriate information security risk treatment options . 34
8.3 Determining all controls that are necessary to implement the selected information security risk treatment options . 35
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A . 39
8.5 Producing a Statement of Applicability . 39
8.6 Information security risk treatment plan . 40
8.6.1 Formulation of the risk treatment plan . 40
8.6.2 Approval by risk owners . 42
8.6.3 Acceptance of the residual information security risks . 42
9 Operation . 43
9.1 Performing the information security risk assessment process . 43
9.2 Performing the information security risk treatment process . 44
10 Leveraging related ISMS processes . 44
10.1 Context of the organization . 44
10.2 Leadership and commitment . 45
10.3 Communication and consultation . 46
10.4 Documented information . 48
10.4.1 General . 48
10.4.2 Documented information about processes . 48
10.4.3 Documented information about results . 49
10.5 Monitoring and review . 50
10.5.1 General . 50
10.5.2 Monitoring and reviewing the factors influencing risks . 50
10.6 Management review . 52
10.7 Corrective action . 52
10.8 Continual improvement . 53
Annex A (informative) Examples of techniques in support of the risk assessment process . 55
A.1 Information security risk criteria . 55
A.1.1 Criteria related to risk assessment . 55
A.1.2 Risk acceptance criteria . 60
A.2 Practical techniques . 61
A.2.1 Information security risk components . 61
A.2.2 Assets . 62
A.2.3 Risk sources and desired end state . 63
A.2.4 Event-based approach . 67
A.2.5 Asset-based approach . 69
A.2.6 Examples of scenarios applicable in both approaches . 75
A.2.7 Monitoring risk-related events . 76
Bibliography . 79

Figures
Figure 1 — Information security risk management process . 16
Figure A.1 — Information security risk assessment components . 62
Figure A.2 — Example of an asset dependencies diagram . 63
Figure A.3 — Identification of the interested parties of the ecosystem . 68
Figure A.4 — Risk assessment using risk scenarios . 76
Figure A.5 — Example of the use of the SFDT model . 78

Tables
Table A.1 — Example of a consequence scale . 55
Table A.2 — Example of a likelihood scale . 57
Table A.3 — Example of a qualitative approach to risk criteria . 57
Table A.4 — Example of a logarithmic likelihood scale . 59
Table A.5 — Example of a logarithmic consequence scale . 60
Table A.6 — Example of an evaluation scale combined with a three-colour risk matrix . 61
Table A.7 — Examples and usual attack methods . 64
Table A.8 — Example classification of motivations expressing the DES . 65
Table A.9 — Examples of target objectives . 65
Table A.10 — Examples of typical threats . 69
Table A.11 — Examples of typical vulnerabilities . 71
Table A.12 — Examples of risk scenarios in both approaches . 76
Table A.13 — Example of a risk scenario and monitoring of risk-related events . 77

European foreword
The text of ISO/IEC 27005:2022 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology”
of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 27005:2024 by
Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text
or by endorsement, at the latest by February 2025, and conflicting national standards shall be withdrawn at the
latest by February 2025.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users' national standards body. A
complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards bodies of the following countries
are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, the Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27005:2022 has been approved by CEN-CENELEC as EN ISO/IEC 27005:2024 without any
modification.
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on the ISO
list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received
(see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 27005:2018), which has been technically
revised.
The main changes are as follows:
— all guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018;
— the terminology has been aligned with the terminology in ISO 31000:2018;
— the structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022;
— risk scenario concepts have been introduced;
— the event-based approach is contrasted with the asset-based approach to risk identification;
— the content of the annexes has been revised and restructured into a single annex.
Any feedback or questions on this document should be directed to the user's national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
This document provides guidance on:
— implementation of the information security risk requirements specified in ISO/IEC 27001;
— essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
— actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
— implementation of the risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in
ISO/IEC 27003.
This document is intended for:
— organizations that intend to establish and implement an information security management system (ISMS)
in accordance with ISO/IEC 27001;
— persons that perform or are involved in information security risk management (e.g. ISMS professionals,
risk owners and other interested parties);
— organizations that intend to improve their information security risk management process.
1 Scope
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment
and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to information security risk
3.1.1
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the social, cultural, political, legal, regulatory, financial, technological, economic and geological environment,
whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— the relationships, perceptions, values, needs and expectations of external interested parties;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — Note 1 to entry has been modified.]
3.1.2
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include the following:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and
technologies);
— data, information systems and information flows;
— relationships with internal interested parties, taking into account their perceptions and values;
— contractual relationships and commitments;
— internal interdependencies and interconnections.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — Note 1 to entry has been modified.]
3.1.3
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, in a positive or negative direction.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or
knowledge of an event (3.1.11), its consequence (3.1.14), or likelihood (3.1.13).
Note 4 to entry: Risk is usually expressed in terms of risk sources (3.1.6), potential events, their consequences and
their likelihood.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as the effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is usually associated with a negative effect of uncertainty on information
security objectives.
Note 7 to entry: Information security risk can be associated with the potential that threats (3.1.9) will exploit
vulnerabilities (3.1.10) of an information asset or group of information assets and thereby cause harm to an
organization.
[SOURCE: ISO 31000:2018, 3.1, modified — the phrase “It can be positive, negative or both, and can address,
create or result in opportunities and threats” has been replaced with “in a positive or negative direction” in
Note 1 to entry; the original Note 3 to entry has been renumbered as Note 4 to entry, and Note 3, Note 5,
Note 6 and Note 7 to entry have been added.]
3.1.4
risk scenario
sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence (3.1.14)
[SOURCE: ISO 17666:2016, 3.1.13, modified — Note 1 to entry has been deleted.]
3.1.5
risk owner
person or entity with the accountability and authority to manage a risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.1.6
risk source
element which alone or in combination with other factors has the potential to give rise to risk (3.1.3)
Note 1 to entry: A risk source can be one of these three types:
— human;
— environmental;
— technical.
Note 2 to entry: A human risk source can be intentional or unintentional.
[SOURCE: ISO 31000:2018, 3.4, modified — Note 1 and Note 2 to entry have been added.]
3.1.7
Risikokriterien
Festlegungen, um die Signifikanz eines Risikos (3.1.3) zu bewerten
Anmerkung 1 zum Begriff: Risikokriterien basieren auf Zielen der Organisation sowie dem externen Kontext (3.1.1)
und dem internen Kontext (3.1.2).
Anmerkung 2 zum Begriff: Risikokriterien können aus Normen, Gesetzen, Richtlinien und anderen Anforderungen
abgeleitet werden.
[QUELLE: ISO Guide 73:2009, 3.3.1.3]
3.1.8
Risikobereitschaft
Größe und Art des Risikos (3.1.3), das eine Organisation willens ist, einzugehen oder beizubehalten
[QUELLE: ISO Guide 73:2009, 3.7.1.2]
3.1.9
Bedrohung
mögliche Ursache eines Informationssicherheitsvorfalls (3.1.12), der zu Schaden für ein System oder eine
Organisation führen kann
3.1.10
Schwachstelle
Schwäche eines Wertes oder einer Maßnahme (3.1.16), die so ausgenutzt werden kann, dass ein
Ereignis (3.1.11) mit einer negativen Folge (3.1.14) eintritt
3.1.11
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can occur once or several times and can have several causes and several consequences (3.1.14).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not expected which does happen.
[SOURCE: ISO 31000:2018, 3.5, modified — Note 3 to entry was removed.]
3.1.12
information security incident
single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
3.1.13
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether this chance is defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (e.g. as a statistical probability or a frequency over a given time period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in English risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many other languages.
[SOURCE: ISO 31000:2018, 3.7]
3.1.14
consequence
outcome of an event (3.1.11) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
[SOURCE: ISO 31000:2018, 3.6]
3.1.15
level of risk
significance of a risk (3.1.3), expressed in terms of the combination of consequences (3.1.14) and their likelihood (3.1.13)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — The wording "magnitude of a risk or combination of risks" was replaced by "significance of a risk".]
3.1.16
control
measure that maintains and/or modifies risk (3.1.3)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
3.1.17
residual risk
risk (3.1.3) remaining after risk treatment (3.2.7)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also contain retained risk.
[SOURCE: ISO Guide 73:2009, 3.8.1.6, modified — Note 2 to entry was modified.]
3.2 Terms related to information security risk management
3.2.1
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.1.3)
[SOURCE: ISO Guide 73:2009, 3.1]
3.2.2
risk communication and consultation
set of continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with interested parties regarding the management of risk (3.1.3)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.1.13), significance, evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its interested parties on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power;
— an input to decision making, not joint decision making.
3.2.3
risk assessment
overall process of risk identification (3.2.4), risk analysis (3.2.5) and risk evaluation (3.2.6)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.2.4
risk identification
process of finding, recognizing and describing risks (3.1.3)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.6), events (3.1.11), their causes and their potential consequences (3.1.14).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and the needs of interested parties.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — In Note 2 to entry, "stakeholder" was replaced by "interested party".]
3.2.5
risk analysis
process to comprehend the nature of risk (3.1.3) and to determine the level of risk (3.1.15)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.2.6) and for decisions about risk treatment (3.2.7).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.2.6
risk evaluation
process of comparing the results of risk analysis (3.2.5) with risk criteria (3.1.7) to determine whether the risk (3.1.3) and/or its significance is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.2.7).
[SOURCE: ISO Guide 73:2009, 3.7.1, modified — "magnitude" was replaced by "significance".]
3.2.7
risk treatment
process to modify risk (3.1.3)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (3.1.6);
— changing the likelihood (3.1.13);
— changing the consequences (3.1.14);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
Note 2 to entry: Risk treatment in the area of information security does not include "taking or increasing risk in order to pursue an opportunity", but the organization can use this option for general risk management.
Note 3 to entry: Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
Note 4 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 1 to entry was added, and the original Note 1 and Note 2 to entry were renumbered as Note 2 and Note 3 to entry.]
3.2.8
risk acceptance
informed decision to take a particular risk (3.1.3)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.2.7) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.2.9
risk sharing
form of risk treatment (3.2.7) involving the agreed distribution of risk (3.1.3) with other parties
Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract.
Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements.
Note 4 to entry: Risk transfer is a form of risk sharing.
[SOURCE: ISO Guide 73:2009, 3.8.1.3]
3.2.10
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk (3.1.3)
Note 1 to entry: Retention can be restricted to a certain period of time.
Note 2 to entry: The level of risk (3.1.15) retained can depend on risk criteria (3.1.7).
[SOURCE: ISO Guide 73:2009, 3.8.1.5, modified — The word "temporary" was added at the beginning of the definition, and the wording "Risk retention includes the acceptance of residual risks" was replaced by "Retention can be restricted to a certain period of time" in Note 1 to entry.]
4 Structure of this document
This document is structured as follows:
— Clause 5: Information security risk management;
— Clause 6: Context establishment;
— Clause 7: Information security risk assessment process;
— Clause 8: Information security risk treatment process;
— Clause 9: Operation;
— Clause 10: Leveraging related ISMS processes.
Except for the descriptions in the general subclauses, all risk management activities as presented in Clause 7 to Clause 10 are structured as follows:
Input: identifies all information required to perform the activity.
Action: describes the activity.
Trigger: provides guidance on when to start the activity, e.g. because of a change within the organization, according to a plan, or because of a change in the external context of the organization.
Output: identifies all information derived after performing the activity, as well as any criteria that this output should satisfy.
Guidance: provides guidance on performing the activity, a key word and a key concept.
5 Information security risk management
5.1 Information security risk management process
The information security risk management process is presented in Figure 1.
NOTE This process is based on the general risk management process of ISO 31000.
Figure 1 — Information security risk management process
As illustrated in Figure 1, the information security risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to performing risk assessment can increase the depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls and still ensuring that risks are appropriately assessed.
Context establishment means assembling the internal and external context for information security risk management or for an information security risk assessment.
If the risk assessment provides sufficient information to determine the actions required to modify the risks to an acceptable level, the task is complete and risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be conducted. This can involve a change to the
...
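The assessment and treatment loop described above, as an added worked example that is not code from ISO/IEC 27005: a risk scenario (3.1.4) is scored as likelihood (3.1.13) times consequence (3.1.14) to give a level of risk (3.1.15), evaluated against risk criteria (3.1.7), and treated by controls (3.1.16) until the residual risk (3.1.17) is acceptable or tolerable. The ordinal scales, thresholds, scenario and controls are constructed for illustration.

```python
"""Worked example of the risk assessment / risk treatment loop of Clause 5.1.

Added illustration, not code from ISO/IEC 27005. Scales, criteria, the
sample scenario and the candidate controls are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """Risk scenario (3.1.4) scored on constructed 1..5 ordinal scales."""
    ident: str
    description: str
    likelihood: int   # 3.1.13: 1 (rare) .. 5 (almost certain)
    consequence: int  # 3.1.14: 1 (negligible) .. 5 (severe)

    def level_of_risk(self) -> int:
        """Level of risk (3.1.15): combination of consequence and likelihood."""
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria (3.1.7): thresholds the organization sets for evaluation."""
    acceptable_max: int  # at or below: accept the risk as it is (3.2.8)
    tolerable_max: int   # at or below: may be retained by informed decision (3.2.10)


def evaluate(scenario: RiskScenario, criteria: RiskCriteria) -> str:
    """Risk evaluation (3.2.6): compare the analysed level with the criteria."""
    level = scenario.level_of_risk()
    if level <= criteria.acceptable_max:
        return "acceptable"
    if level <= criteria.tolerable_max:
        return "tolerable"
    return "unacceptable"


@dataclass(frozen=True)
class Control:
    """Control (3.1.16) that modifies likelihood and/or consequence."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def apply_control(scenario: RiskScenario, control: Control) -> RiskScenario:
    """Treatment options 'changing the likelihood' / 'changing the consequences'
    (3.2.7, Note 1). The result is the residual risk (3.1.17); both scales are
    clamped at 1 because a control does not remove the scenario itself."""
    return replace(
        scenario,
        likelihood=max(1, scenario.likelihood - control.likelihood_reduction),
        consequence=max(1, scenario.consequence - control.consequence_reduction),
    )


DECISIONS = {
    "acceptable": "retain: accept the risk (3.2.8)",
    "tolerable": "retain by informed decision, then monitor and review (3.2.10)",
    "unacceptable": "treat further: share (3.2.9) or avoid the activity (3.2.7)",
}


def plan_treatment(scenario: RiskScenario, criteria: RiskCriteria,
                   candidates: list[Control]) -> tuple[list[Control], RiskScenario, str]:
    """Iterative loop of Clause 5.1: while the risk is unacceptable, apply the
    candidate control that leaves the lowest residual level, re-evaluate, and
    repeat. Returns (controls applied, residual risk, decision text)."""
    remaining = list(candidates)
    residual = scenario
    applied: list[Control] = []
    while remaining and evaluate(residual, criteria) == "unacceptable":
        best = min(remaining, key=lambda c: apply_control(residual, c).level_of_risk())
        treated = apply_control(residual, best)
        if treated.level_of_risk() >= residual.level_of_risk():
            break  # no remaining control still modifies the risk (3.1.16, Note 2)
        residual, applied = treated, applied + [best]
        remaining.remove(best)
    return applied, residual, DECISIONS[evaluate(residual, criteria)]


# Constructed sample input (illustrative values only, not from the standard).
RANSOMWARE = RiskScenario(
    "R-01", "ransomware encrypts the file server after credential phishing",
    likelihood=4, consequence=5,
)
CRITERIA = RiskCriteria(acceptable_max=6, tolerable_max=12)
CANDIDATES = [
    Control("phishing-resistant MFA", likelihood_reduction=2),
    Control("offline, regularly tested backups", consequence_reduction=2),
    Control("endpoint detection and response", likelihood_reduction=1, consequence_reduction=1),
]

if __name__ == "__main__":
    applied, residual, decision = plan_treatment(RANSOMWARE, CRITERIA, CANDIDATES)
    print("initial level:", RANSOMWARE.level_of_risk(), evaluate(RANSOMWARE, CRITERIA))
    for control in applied:
        print("apply:", control.name)
    print("residual level:", residual.level_of_risk(), "->", decision)
```

Tightening the criteria (e.g. `RiskCriteria(4, 8)`) makes the loop run a second iteration and pick a second control, which is the "increase depth at each iteration" behaviour the clause describes.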

SIST EN ISO/IEC 27005:2024 is a standard on information security, cybersecurity and privacy protection that provides guidance on managing information security risks. The document gives guidance on the actions an organization should take to meet the requirements of ISO/IEC 27001 for addressing information security risks. It also provides the systematic approach needed to carry out information security risk management activities, in particular information security risk assessment and treatment. A key strength of the standard is that it applies to organizations of all types, sizes and sectors, which helps organizations manage effectively the information security risks they face in diverse environments. In particular, by setting out a methodology for assessing and appropriately treating information security risks, SIST EN ISO/IEC 27005:2024 helps organizations protect their information assets and improve their resilience against cyber attacks. The document also provides an effective risk management framework, laying the foundation organizations need to adapt to continually changing cyber threats. A clear understanding of information security risks and of how to manage them is essential to achieving an organization's strategic objectives, and the document contains guidance that can be applied systematically. SIST EN ISO/IEC 27005:2024 is therefore an essential reference in the field of information security risk management and plays an important role in today's cybersecurity environment.

The SIST EN ISO/IEC 27005:2024 standard provides a comprehensive framework for managing information security risks, aligning closely with the requirements of ISO/IEC 27001. This guidance document plays a pivotal role in helping organizations effectively address information security risks through systematic risk management activities, particularly focusing on information security risk assessment and treatment. One of the key strengths of this standard is its applicability across a diverse range of organizations, regardless of their type, size, or sector. This inclusivity ensures that both small enterprises and large corporations can leverage the principles outlined in the standard to safeguard their information assets effectively. Additionally, the standard emphasizes a structured approach to information security risk management, promoting best practices that lead to improved cybersecurity and privacy protection. By providing detailed guidance, it enables organizations to develop tailored risk management strategies that not only comply with international standards but also enhance their overall cybersecurity posture. Moreover, the relevance of SIST EN ISO/IEC 27005:2024 is underscored by the increasing global focus on information security and risk management. As cyber threats evolve, the need for a robust framework that assists organizations in identifying, assessing, and mitigating these risks becomes paramount. This standard not only fulfills a critical requirement for compliance with ISO/IEC 27001 but also establishes a proactive stance in the face of emerging cybersecurity challenges. Overall, the SIST EN ISO/IEC 27005:2024 standard serves as an essential guide for organizations aiming to manage information security risks effectively, ensuring alignment with established international protocols while fostering a culture of security awareness and resilience.

SIST EN ISO/IEC 27005:2024は、情報セキュリティ、サイバーセキュリティ、プライバシー保護に関する標準であり、情報セキュリティリスクの管理に関するガイダンスを提供します。この標準は、ISO/IEC 27001の要件を満たすために、組織が情報セキュリティリスクに対処するための具体的な行動を講じることを助けることを目的としています。 この標準の強みは、情報セキュリティリスク管理活動、特に情報セキュリティリスクの評価と処置に関する詳細な手引きを提供する点にあります。また、全ての組織に適用可能であり、組織の種類、規模、業種に関係なく利用できるため、広範なビジネス環境に対応しています。 さらに、SIST EN ISO/IEC 27005:2024は、企業が情報セキュリティリスクを適切に理解し、評価し、管理するためのフレームワークを提供しており、このプロセスを体系化することにより、リスクへの対処がより効果的になります。組織が持続可能な情報セキュリティ戦略を構築し、データの保護を強化するためには、この標準が不可欠なリソースとなるでしょう。標準のガイダンスに従うことで、企業はサイバー攻撃や情報漏洩のリスクを軽減し、業務の信頼性を高めることが期待できます。 これらの理由から、SIST EN ISO/IEC 27005:2024は、情報セキュリティリスク管理の分野において非常に重要であり、組織が直面するリスクを理解し、対応するための実用的なツールです。

La norme SIST EN ISO/IEC 27005:2024 est un document fondamental pour la gestion des risques liés à la sécurité de l'information, à la cybersécurité et à la protection de la vie privée. Elle s'inscrit dans un cadre d'excellence en fournissant des orientations claires pour aider les organisations à respecter les exigences de la norme ISO/IEC 27001. Ce processus est crucial pour tout organisme souhaitant adresser efficacement les risques associés à la sécurité de l'information. L'un des principaux points forts de cette norme est son applicabilité universelle. En effet, elle est conçue pour convenir à toutes les organisations, quelle que soit leur taille, type ou secteur d'activité. Cette caractéristique renforce sa pertinence dans un monde où la sécurité de l'information est devenue une priorité, indépendamment de la nature des activités menées. La norme offre des directives spécifiques pour effectuer des activités de gestion des risques liés à la sécurité de l'information, ce qui inclut l'évaluation et le traitement des risques. Ces étapes sont essentielles pour établir une approche structurée et proactive face aux menaces potentielles. Elle permet aux organisations de mieux comprendre leurs vulnérabilités et de mettre en place des mesures adaptées pour protéger leurs actifs critiques. En résumé, la SIST EN ISO/IEC 27005:2024 se positionne comme un outil essentiel pour la création d'un cadre robuste de gestion des risques de sécurité de l'information. Sa capacité à s'appliquer à un large éventail d'organisations et sa préconisation de bonnes pratiques en matière d'évaluation et de traitement des risques en font une norme incontournable dans le domaine de la cybersécurité et de la gestion de l'information.

Das Dokument SIST EN ISO/IEC 27005:2024 bietet eine umfassende Anleitung zur Verwaltung von Informationssicherheitsrisiken und ist ein unverzichtbares Werkzeug für Organisationen, die die Anforderungen von ISO/IEC 27001 erfüllen möchten. Der Standard umfasst die wesentlichen Aspekte des Informationssicherheitsrisikomanagements, einschließlich Risikoanalyse und Risikobehandlung. Ein herausragendes Merkmal des Standards ist seine Anwendbarkeit auf Organisationen unterschiedlichster Art, Größe und Branche. Dies ermöglicht es nicht nur großen Unternehmen, sondern auch kleinen und mittleren Betrieben, von den Richtlinien zu profitieren. Die Implementierung der empfohlenen Praktiken kann maßgeblich zur Verbesserung der Sicherheitslage einer Organisation beitragen und potenzielle Risiken proaktiv minimieren. Ein weiterer Vorteil des SIST EN ISO/IEC 27005:2024 ist die klare Struktur und die praktischen Leitlinien, die es Organisationen ermöglichen, ein effektives Informationssicherheitsrisikomanagement aufzubauen und aufrechtzuerhalten. Dies unterstützt die Entwicklung eines kohärenten Sicherheitsrahmens, der auf die spezifischen Bedürfnisse und Anforderungen der jeweiligen Organisation zugeschnitten ist. Die Relevanz des Standards im Kontext steigender Cyberbedrohungen und der wachsenden Bedeutung des Datenschutzes kann nicht genug betont werden. Durch die Einführung von Maßnahmen gemäß den Vorgaben des Standards können Organisationen nicht nur gesetzliche Anforderungen erfüllen, sondern auch das Vertrauen ihrer Stakeholder stärken und ihre Reputation schützen. Zusammenfassend lässt sich sagen, dass das SIST EN ISO/IEC 27005:2024 eine essentielle Ressource für das Informationssicherheitsrisikomanagement bietet. Die Stärken des Standards liegen in seiner breiten Anwendbarkeit, seiner klaren Struktur und seiner Fähigkeit, Organisationen dabei zu unterstützen, die Herausforderungen der Informationssicherheit und des Datenschutzes proaktiv anzugehen.

Le document SIST EN ISO/IEC 27005:2024 constitue une ressource cruciale pour les organisations cherchant à renforcer leur gestion des risques liés à la sécurité de l'information. En se basant sur les exigences de la norme ISO/IEC 27001, ce standard offre des orientations précises sur la manière de répondre aux défis posés par les risques en matière de sécurité de l'information, ce qui est d'une grande pertinence dans un environnement numérique de plus en plus complexe et menacé. L'un des principaux atouts de cette norme est sa capacité à s'appliquer à toutes les organisations, peu importe leur taille, leur type ou leur secteur d'activité. Cela garantit que, quelle que soit la nature d'une organisation, elle peut mettre en œuvre des pratiques efficaces de gestion des risques en matière de sécurité de l'information. La norme fournit des directives claires sur la réalisation d'évaluations des risques de sécurité de l'information et sur les actions appropriées à entreprendre pour leur traitement. De plus, le document souligne l'importance d'une approche systématique à la gestion des risques, encourageant les entreprises à établir des processus structurés qui leur permettent d'identifier, d'évaluer et de traiter les risques de manière proactive. Cette méthodologie contribue à minimiser les impacts potentiels sur la sécurité, la confidentialité et la protection des données, ce qui est particulièrement pertinent à l'ère de la cybersécurité où les menaces évoluent rapidement. Enfin, la norme SIST EN ISO/IEC 27005:2024 renforce l'importance de la sensibilisation et de la formation au sein des organisations, ce qui est essentiel pour cultiver une culture de sécurité robuste. En intégrant ces pratiques dans la gestion globale des risques, les organisations peuvent non seulement se conformer aux exigences réglementaires, mais également renforcer leur résilience face aux menaces potentielles. 
En somme, le SIST EN ISO/IEC 27005:2024 se révèle être un document fondamental pour toute organisation désireuse d'améliorer sa posture de sécurité de l'information et d'assurer une gestion efficace des risques.

La norme SIST EN ISO/IEC 27005:2024 offre une approche structurée et systématique pour la gestion des risques de sécurité de l'information, répondant aux exigences essentielles de la norme ISO/IEC 27001. Elle est d'une grande importance pour toute organisation, quelle que soit sa taille, son type ou son secteur, car elle fournit des lignes directrices claires pour évaluer et traiter les risques liés à la sécurité de l'information. L'un des principaux points forts de cette norme est sa capacité à aider les organisations à comprendre et à identifier les risques qui peuvent affecter la sécurité de leurs informations. En intégrant des principes de cybersécurité et de protection de la vie privée, la norme permet aux entreprises de se conformer aux exigences de sécurité tout en mettant en œuvre des mesures adaptées pour atténuer les risques. Cette capacité d'adaptation en fait un outil précieux et pertinent dans un environnement numérique en constante évolution, où les menaces à la sécurité de l'information sont omniprésentes. Un autre aspect clé de la norme est sa portée inclusive, qui permet à toutes les organisations, qu'il s'agisse de PME, de grandes entreprises ou d'entités publiques, de bénéficier de ses recommandations. Ce caractère universel assure que chaque entité dispose des moyens nécessaires pour évaluer ses vulnérabilités et établir des protocoles efficaces en matière de traitement des risques. En résumé, la SIST EN ISO/IEC 27005:2024 se positionne comme une ressource incontournable pour toute organisation désireuse de renforcer sa posture de sécurité en matière de gestion des risques liés à l'information. Sa pertinence et ses lignes directrices pratiques en font un standard essentiel pour la mise en œuvre d'une stratégie de sécurité efficace en matière d'information.

The SIST EN ISO/IEC 27005:2024 standard provides comprehensive guidance on managing information security risks, offering organizations a robust framework to align with ISO/IEC 27001 requirements. Its scope is notably inclusive, catering to organizations of all types, sizes, and sectors, making it a versatile resource for effective information security risk management. One of the key strengths of this standard is its clear focus on the critical activities of information security risk assessment and treatment. By outlining systematic approaches to identify, evaluate, and mitigate security risks, the standard empowers organizations to proactively manage vulnerabilities and enhance their overall security posture. This proactive stance is increasingly relevant in today’s digital landscape, where threats are evolving rapidly and organizations must be agile in their risk management strategies. Additionally, the standard emphasizes the importance of integrating information security risk management into the broader organizational context, ensuring that security considerations are incorporated into business processes and decision-making frameworks. This holistic approach not only aids in compliance with existing regulations but also fosters a culture of security awareness among employees. The adaptability of the SIST EN ISO/IEC 27005:2024 standard is another significant advantage. Given its applicability across various sectors, organizations in finance, healthcare, technology, and beyond can implement its guidelines to suit their specific risk profiles and regulatory landscapes. This ensures that diverse organizations can effectively manage their unique security challenges while conforming to international best practices. In summary, the SIST EN ISO/IEC 27005:2024 standard stands out as a vital tool for organizations aiming to strengthen their information security risk management processes. 
Its comprehensive guidance, emphasis on integration within organizational practices, and broad applicability underscore its relevance and significance in enhancing cybersecurity and privacy protection initiatives across various industries.

SIST EN ISO/IEC 27005:2024는 정보 보안, 사이버 보안, 프라이버시 보호를 위한 중요하고 포괄적인 지침을 제공하는 문서로, ISO/IEC 27001의 요구 사항을 충족하기 위한 정보를 제공합니다. 이 표준은 다양한 조직이 정보 보안 리스크를 관리하는 데 필요한 스탠다드를 마련하며, 특히 정보 보안 리스크 평가 및 관리 활동에 중점을 두고 있습니다. 이 표준의 강점은 모든 종류와 크기의 조직에 적용 가능하다는 점입니다. 업종에 상관없이 모든 조직은 SIST EN ISO/IEC 27005:2024를 통해 정보 보안 리스크를 체계적으로 식별하고 평가할 수 있습니다. 이는 조직이 비즈니스 연속성을 유지하고, 데이터 유출 및 사이버 공격에 대한 저항력을 강화하는 데 기여합니다. 또한, 이 문서는 정보 보안 리스크 관리의 일관성을 보장하며, 효과적인 리스크 처리 방법을 제시합니다. 따라서 조직이 정보 보안 개선을 위해 따라야 할 절차와 방법론을 체계적으로 정리하였으며, 이는 정보 보안의 향상뿐만 아니라, 전반적인 리스크 관리 프레임워크에도 긍정적인 영향을 미칩니다. ISO/IEC 27005:2024는 오늘날의 디지털 환경에서 사이버 보안의 중요성이 증가함에 따라 매우 중요한 표준으로 자리 잡고 있습니다. 정보 보호에 대한 요구 사항이 다양해지고 있는 현 시점에서 이 표준은 조직이 필수적으로 채택해야 할 지침으로 작용하며, 지속 가능한 정보 보안 문화의 토대를 제공합니다.

SIST EN ISO/IEC 27005:2024は、情報セキュリティ、サイバーセキュリティ、プライバシー保護に関する重要な指針を提供する標準です。この文書は、組織が情報セキュリティリスクに対処するためのISO/IEC 27001の要件を満たす手助けをすることを目的としています。また、情報セキュリティリスク管理活動、特に情報セキュリティリスクアセスメントと対策を実施するための指針も含まれています。 この標準の大きな強みは、さまざまなタイプ、規模、セクターのすべての組織に適用可能である点です。これにより、企業は自社のニーズに応じた柔軟なリスク管理戦略を構築できます。具体的には、組織はリスクを特定し、評価し、適切な対策を講じる方針を策定できます。さらに、この標準は、情報セキュリティリスクを効率的かつ効果的に管理するための体系的なアプローチを提供します。 SIST EN ISO/IEC 27005:2024は、組織がサイバーセキュリティに関する最新の脅威に対応するために不可欠であり、その適用により情報漏洩やデータ侵害のリスクを大幅に低減することが期待できます。したがって、この標準は、現代のビジネス環境において非常に関連性が高く、組織の情報セキュリティの強化に寄与する重要な文書です。

The SIST EN ISO/IEC 27005:2024 standard addresses crucial aspects of information security, cybersecurity, and privacy protection by providing comprehensive guidance on managing information security risks. Its primary aim is to assist organizations in fulfilling the requirements set forth by ISO/IEC 27001, particularly in the context of addressing information security risks. This ensures a structured approach to risk management, which is essential for safeguarding sensitive data across various sectors. One of the standout strengths of this standard is its applicability to all organizations, regardless of their type, size, or sector. This universality ensures that small businesses and large enterprises alike can adopt best practices in information security risk management. The guidance offered in the standard covers critical activities such as information security risk assessment and risk treatment, making it an invaluable resource for effectively identifying and mitigating potential threats. Additionally, the standard emphasizes a holistic approach to information security, encouraging organizations to integrate these practices into their overall management processes. By doing so, it not only enhances the organizations’ resilience against cyber threats but also promotes a culture of security awareness among employees. The relevance of the SIST EN ISO/IEC 27005:2024 standard lies in its up-to-date methodologies that reflect the evolving landscape of information security challenges and requirements, enabling organizations to stay proactive rather than reactive. Moreover, the guidance provided fosters a clear understanding of risk management principles, helping organizations to implement systematic risk management processes tailored to their specific environments. This structured guidance ensures that organizations can efficiently manage their information security risks, enhancing their ability to protect sensitive data and comply with legal and regulatory requirements. 
Overall, the SIST EN ISO/IEC 27005:2024 is a pivotal standard for any organization looking to strengthen its information security framework and manage its cybersecurity risks effectively. Its comprehensive, adaptable approach makes it a critical component in today’s data-driven environments, underlining its significant role in promoting robust information security practices globally.

SIST EN ISO/IEC 27005:2024 표준은 정보 보안, 사이버 보안 및 개인 정보 보호에 관한 지침을 제공하여 조직이 정보 보안 위험을 관리하는 데 도움을 줍니다. 이 표준의 주요 범위는 ISO/IEC 27001의 요구사항을 충족하고 정보 보안 위험 관리 활동, 특히 정보 보안 위험 평가 및 치료를 수행하는 데 필요한 지침을 제공하는 것입니다. SIST EN ISO/IEC 27005:2024의 강점 중 하나는 모든 유형, 크기 또는 산업 부문의 조직에 적용 가능하다는 점입니다. 이는 다양한 환경에서 정보 보안 위험을 효과적으로 관리할 수 있는 유연성을 제공합니다. 또한 이 표준은 실질적인 지침을 통해 조직들이 정보 보안 위험을 인식하고, 평가하며, 적절히 대응할 수 있도록 체계적인 프레임워크를 제공합니다. 특히 ISO/IEC 27001과의 연계성이 강조되어 사이버 보안 리스크 관리 활동을 보다 원활하게 수행할 수 있도록 지원합니다. 이는 정보 보안 관리 체계가 필요로 하는 방향성을 제공하며, 조직이 효과적으로 정보 보안을 강화하는 데 기여합니다. 전반적으로 SIST EN ISO/IEC 27005:2024 표준은 정보 보안 위험 관리에 대한 포괄적이고 실용적인 접근 방식을 제공함으로써, 현대의 복잡한 사이버 환경에서 조직들이 안전하게 운영할 수 있도록 마련된 필수적인 지침이라 할 수 있습니다.

SIST EN ISO/IEC 27005:2024 offers comprehensive, structured guidance on managing information security risks, which makes it an indispensable document for organizations of every type, size and sector. The standard builds on the requirements of ISO/IEC 27001 and places particular emphasis on carrying out information security risk management activities, specifically risk assessment and risk treatment. A central focus is on helping organizations meet the risk-related requirements formulated in ISO/IEC 27001. This not only supports conformity with the management system standard but also strengthens the organization's overall security architecture. The clear structure and detailed guidelines make it easier to deal with information security risks systematically and effectively. The relevance of SIST EN ISO/IEC 27005:2024 can hardly be overstated, especially at a time when cybersecurity and the protection of personal data are increasingly in focus. The standard promotes proactive risk management that helps organizations identify potential threats early and take suitable measures to reduce risk. In addition, it takes account of the typical challenges and requirements that organizations in different industries face, which encourages a tailored approach to information security risk management that fits the specific needs of each organization. Overall, SIST EN ISO/IEC 27005:2024 shows considerable strength in its comprehensive treatment of information security risks and is a valuable resource for organizations that want to improve their security strategies.
The standard is therefore an essential tool, not only in support of legal and regulatory obligations, but also for earning the trust of customers and partners through robust information security practices.

SIST EN ISO/IEC 27005:2024 is an important standard that focuses on management practices for information security, cybersecurity and privacy protection. It offers comprehensive guidance applicable to all organizations, regardless of type, size or sector. Its relevance lies above all in its ability to help organizations fulfil the requirements of ISO/IEC 27001. By giving clear instructions for carrying out information security risk management activities, the standard provides a structured approach to identifying, assessing and handling information security risks. An outstanding feature is its practical orientation: it enables risk assessments and risk treatments to be carried out systematically, so that organizations can take proactive measures to protect their information. It also raises awareness of information security risks and promotes the integration of security measures into the organization's daily operations. SIST EN ISO/IEC 27005:2024 further supports the creation of a security culture within organizations. By providing a framework for risk management practices, it encourages managers and staff to take responsibility and to make conscious decisions when dealing with security questions. Strengthening security awareness in this way is of the greatest importance in today's digital landscape, where threats are constantly increasing. Overall, SIST EN ISO/IEC 27005:2024 is an indispensable tool for any organization that takes its information security seriously.
With its detailed guidance on handling information security risks, the standard makes a significant contribution to building a robust security framework and helps organizations protect themselves against the many threats of the modern digital world.

SIST EN ISO/IEC 27005:2024 is a standard on information security, cybersecurity and privacy protection that provides guidance on managing information security risks. It is designed in particular to help organizations fulfil the ISO/IEC 27001 requirements concerning actions to address information security risks, and among risk management activities it places special emphasis on information security risk assessment and risk treatment. The scope of the document is very broad: it can be applied by organizations of all types, sizes and sectors. This allows flexible responses suited to the needs of different industries, so that each organization can carry out information security risk management appropriate to its own environment and requirements. The strength of SIST EN ISO/IEC 27005:2024 is that it provides a practical framework for assessing information security risks systematically and treating them appropriately. Because concrete guidance is given, organizations gain a clear path for identifying risks correctly and for planning and carrying out risk-based responses. The standard also stresses the importance of continual improvement, which requires organizations to keep strengthening their ability to respond to a constantly changing threat environment. In this way, SIST EN ISO/IEC 27005:2024 provides an effective model for information security risk management and is an industry standard expected to greatly improve an organization's ability to manage risk. By adopting it, enterprises can protect their information assets and strengthen their defences against serious cyber threats.