User:I72bemof/sandbox

ISO/IEC 27005, Information technology — Security techniques — Information security risk management, provides guidelines for managing the risks to which an organization's information may be exposed. It is based mainly on ISO/IEC 27001 and focuses on that standard's information security requirements. Note that this standard belongs to a large family of standards on information security management systems (ISMS), the ISO/IEC 27000-series (see ISO/IEC 27000 for more information).

What does the standard establish?
ISO/IEC 27005 is a standard that does not specify or recommend any particular risk management method. Instead, it implies a continual process consisting of a structured sequence of activities, some of which are iterative:


 * Establish the risk management context.
 * Quantitatively or qualitatively assess relevant information.
 * Treat the risks appropriately.
 * Keep stakeholders informed throughout the process.
 * Monitor and review risks, risk treatments, obligations and criteria, responding appropriately to significant changes.

Objectives
This standard is mainly oriented to companies, although it is useful for any type of organization that wants to improve its Information Security Management System (ISMS) or that may face certain security problems. In the latter case it is not necessary to apply the entire methodology of the standard; the organization can focus on a number of factors, such as the actual scope of its ISMS or the commercial sector in which it operates.

Therefore, its main objective is to improve information security risk management in an organization by implying a specific methodology for each information security problem, that is, a methodology tailored to the problem rather than one applied uniformly across the whole Information Security Management System.

Terms and structure
The sections that make up the standard ISO/IEC 27005 are the following:


 * Foreword.
 * Introduction.
 * Scope.
 * Normative References.
 * Terms and definitions.
 * Structure of this document.
 * Background.
 * Description of the process of ISRM.
 * Context establishment.
 * Information security risk assessment (ISRA).
 * Information security risk treatment.
 * Information security risk acceptance.
 * Information security risk communication.
 * Information security risk monitoring and review.
 * Annexes
 * Annex A: Definition of the scope of the process.
 * Annex B: Asset valuation and impact evaluation.
 * Annex C: Examples of typical threats.
 * Annex D: Vulnerabilities and vulnerability assessment methods.
 * Annex E: ISRA approaches.

It is important to remark that the annexes provide information about impacts, threats and vulnerabilities that can help us to see how to face risks of the same type for the information assets under evaluation.

Benefits of certification
PECB (Personal Evaluation and Certification Board) is an organization for ISO training through which you can obtain the ISO/IEC 27005 certificate, which attests that you have gained the following:


 * Gained skills to support an effective implementation of an information security risk management process in an organization.
 * Acquired the expertise to responsibly manage an information security risk management process and ensure conformity with legal and regulatory requirements.
 * Ability to manage an information security and risk management team.
 * Ability to support an organization in aligning its ISMS objectives with its ISRM objectives.