ISO/IEC 27005:2011 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), titled Information technology — Security techniques — Information security risk management. The standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) according to ISO/IEC 27001. It is relevant to managers and staff concerned with information security risk management within an organization, and it is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security. ISO/IEC 27005:2011 describes an information security risk management process and associated actions modelled on the generic risk management process defined in BS ISO 31000:2009. This information security risk management process is then linked back to the risk assessment and risk management requirements of BS ISO/IEC 27001:2005. Annexes provide checklists, examples and other practical advice.

ISO/IEC 27005:2011 does not define or mandate any particular methodology for performing risk assessments, although an annex gives examples of suitable approaches. The standard does not specify, recommend or even name any specific risk management method. It does, however, imply a continual process consisting of a structured sequence of activities, some of which are iterative:

 * Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
 * Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
 * Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
 * Keep stakeholders informed throughout the process; and
 * Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.

Extensive annexes provide additional information, primarily examples that demonstrate the recommended approach.