What is ISO/IEC 27005?
ISO/IEC 27005 is an international standard that provides guidelines for performing information security risk management. The standard supports the implementation of an Information Security Management System (ISMS) in line with ISO 27001 by providing a structured approach for identifying, analysing, evaluating and treating risks.
ISO 27005 is applicable in both IT and OT environments, provided it is adapted to industrial risks and processes.
🧠 What does ISO 27005 describe?
The standard provides a methodological approach to risk management without prescribing how risks should be calculated. You may therefore choose qualitative or quantitative methods (e.g. scoring models, heat maps, or OCTAVE, FAIR).
Key elements:
- Setting context
- Risk identification
- Determining threats, vulnerabilities, threatened assets and potential impact
- Risk analysis
- Likelihood × Impact → risk estimate (qualitative, semi-quantitative or quantitative)
- Risk evaluation
- Comparing risks against risk criteria → setting priorities
- Risk treatment
- Mitigating measures, acceptance, transfer (insurance) or avoidance
- Risk communication and monitoring
- Stakeholder communication, continuous improvement, PDCA cycle
🔄 Relation to ISO 27001
| ISO 27001 | ISO 27005 |
|---|---|
| Determines that risk management is required | Describes how to perform risk management |
| Focuses on ISMS structure | Focuses on the substantive analysis |
| Requires risk assessment as input for controls | Provides methods to identify and treat risks |
ISO 27005 helps with implementing the Annex A controls of ISO 27001, such as Access Control, Logging, Backup, etc.
🏭 ISO 27005 in an OT context
| Application | Example in OT |
|---|---|
| Asset inventory | PLC, HMI, Historian, Engineering Station |
| Risk: outdated firmware | Threat: exploitable vulnerability |
| Impact: downtime or process disruption | Likelihood: medium without patch policy |
| Control: patch management, Firewall rules, network monitoring |
Combine with IEC 62443-3-2 for a zone/SL-based approach in OT networks.
✅ Benefits of ISO 27005
- Structured approach to risk assessment
- Flexibility in method selection
- Supports Defense in Depth and Security by Design
- Compatible with NIST CSF, IEC 62443, COBIT, NIS2
📌 In summary
ISO/IEC 27005 provides guidelines for performing information security risk management as part of an ISMS. It is applicable in both IT and OT environments and helps substantiate cybersecurity controls.