ISO/IEC 27005 patched

The ISO27k "information security risk management" standard ISO/IEC 27005:2011 has been revised and re-published ... but you'll be hard pushed to see any difference.

This is an 'interim update' reflecting the 2013 revisions of ISO/IEC 27001 and 27002. Yes, 2013, five years ago. The original 27005 update project fell off the rails, leading eventually to this minimal revision, kind of like a program patch to address shortcomings rather than a new version with improved functionality.

A full revision is now in the works, so with luck the next version of 27005 might just be released to coincide with updates to the core ISO27k standards 27001 and 27002.

Ever the optimist, I like to think there's a fighting chance the next version will be a major improvement with changes such as:
  • Defining ‘information risk’ formally (properly), clearly, helpfully and without the torture and ambiguity of the current gibberish around 'information security risk', explaining it in accessible and understandable terms;
  • Outlining the organizational/business context for information risk management - how it relates to the management of other kinds of risk, and how risk management supports management and governance of the organization;
  • Outlining the core risk management process, elaborating on each of the activities in more depth, offering pragmatic advice on suitable methods and approaches (e.g. the four ways to treat risk; how to measure, evaluate and compare risks; how to spot and react to changes, and how to predict changes using trends, statistical techniques and situational awareness);
  • Describing the process management and governance aspects e.g. scoping and setting objectives, planning and resourcing, forming a competent team, documenting the work, reviewing and authorizing things, and handling issues;
  • Explaining the links to related concepts, citing relevant standards e.g.:
    • Sound reasons for consciously and deliberately taking risks - the upside or opportunities arising;
    • Accountability and responsibility, plus the concept of information [risk] ownership;
    • IT or cyber-risks - specifically relating to networks, IT systems, data, applications, coding and technology;
    • Non-IT/cyber information risks e.g. those relating to people, intellectual property, tangible assets, compliance and more;
    • Mitigating information risks using information security controls, where appropriate (noting that security controls are not necessarily necessary, despite what infosec pro’s commonly think);
    • Business continuity management and cyberinsurance;
    • Cloud, supplier/partner/customer relationship management and the community, social and societal aspects of information risk.
  • Including advice on different methods, systems and approaches to information risk management, risk assessment, risk analysis, risk treatment etc. including those from other fields e.g. commercial risks, health and safety risks, environmental risks, technology risks, innovation risks, strategic risks, relationship risks, project risks, financial risks ...