ISO/IEC 27005 Aims to Assist Organizations in Information Security Risk Management

July 1, 2008 // Published as a news service by IHS

 
Electronics & Telecom Docs
IHS sells a full selection of standards documents & collections from the industry's top organizations.
To learn more, and for a free quote, please complete the form below.
TIA Collection
NEMA Collection
CEA Collection
EIA Collection
ITU Collections
IEEE Collections
EU EMC Collections
IEC Collections
First Name:

Last Name:

Email address:
ISO/IEC 27005:2008, a new standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the risk management process for information security.

ISO/IEC 27005:2008, Information technology - Security techniques - Information security risk management, provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements.

According to ISO and IEC, organizations of all types can use the new standard to manage threats, whether deliberate or accidental, to the use and application of IT systems or to their physical and environmental aspects.

These threats range from identity theft, the risks of doing business online, denial of service attacks, remote spying and theft of equipment or documents through to seismic or climatic events, fire, floods or pandemics.

For businesses, such threats may result in financial loss or damage, loss of essential network services and loss of customer confidence, through to loss of power supply or failure of telecommunication equipment.

ISO and IEC said the new standard is designed to assist the implementation of ISO/IEC 27001, which is based on a risk management approach.

Knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and in ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management, is the foundation for an understanding of this international standard, according to the organizations.

The information security risk management process consists of:

  • Context establishment.
  • Risk assessment.
  • Risk treatment.
  • Risk acceptance.
  • Risk communication.
  • Risk monitoring and review.

However, ISO/IEC 27005:2008 does not provide any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending, for example, on the scope of the information security management system, the context of risk management, or the industry sector.
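Because the standard names the six process steps but leaves the method to the organization, the following added example (not part of the article or of ISO/IEC 27005 itself) walks one assumed method through those steps as a small risk register: a 1-5 likelihood and impact scale, a likelihood-times-impact level, a single acceptance threshold and a retain/modify/avoid treatment rule are all assumptions chosen for illustration, and the sample risks are constructed from the threat types the article lists.

```python
"""Illustrative walk through the six ISO/IEC 27005 process steps as a tiny
risk register.  The 1-5 scales, the likelihood x impact scoring, the single
acceptance threshold and the treatment rule are assumptions made for this
example; ISO/IEC 27005 itself prescribes no particular method."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    MODIFY = "modify"  # apply a control that lowers likelihood or impact
    RETAIN = "retain"  # keep the risk; it already meets acceptance criteria
    AVOID = "avoid"    # withdraw from the activity that causes the risk


@dataclass
class Context:
    """Step 1, context establishment: scope and the acceptance criterion
    (assumed: a level of at most `accept_at_or_below` is acceptable)."""
    scope: str
    accept_at_or_below: int = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    # Optional candidate control: (name, likelihood reduction, impact reduction)
    control: Optional[Tuple[str, int, int]] = None
    treatment: Optional[Treatment] = None
    accepted: Optional[bool] = None


def analyse(likelihood: int, impact: int) -> int:
    """Step 2a, risk analysis: estimate the level as likelihood x impact."""
    return likelihood * impact


def evaluate(ctx: Context, level: int) -> bool:
    """Step 2b, risk evaluation: compare a level against the acceptance criterion."""
    return level <= ctx.accept_at_or_below


def residual_level(risk: Risk) -> int:
    """Level after the chosen treatment (avoidance removes the risk entirely)."""
    if risk.treatment is Treatment.AVOID:
        return 0
    if risk.treatment is Treatment.MODIFY and risk.control:
        _, dl, di = risk.control
        return analyse(max(1, risk.likelihood - dl), max(1, risk.impact - di))
    return analyse(risk.likelihood, risk.impact)


def treat(ctx: Context, risk: Risk) -> Risk:
    """Step 3, risk treatment, then step 4, risk acceptance.  Assumed rule:
    retain if already acceptable, otherwise modify with the candidate control
    if one exists, otherwise avoid the activity.  A residual level that still
    exceeds the criterion is recorded as not accepted so that management must
    take an explicit, documented decision on it."""
    if evaluate(ctx, analyse(risk.likelihood, risk.impact)):
        risk.treatment = Treatment.RETAIN
    elif risk.control:
        risk.treatment = Treatment.MODIFY
    else:
        risk.treatment = Treatment.AVOID
    risk.accepted = evaluate(ctx, residual_level(risk))
    return risk


def report(ctx: Context, register: List[Risk]) -> List[str]:
    """Step 5, risk communication: one line per risk for stakeholders."""
    lines = [f"Scope: {ctx.scope}; acceptable level <= {ctx.accept_at_or_below}"]
    for r in register:
        lines.append(
            f"{r.asset} / {r.threat}: level {analyse(r.likelihood, r.impact)}, "
            f"treatment {r.treatment.value}, residual {residual_level(r)}, "
            f"{'accepted' if r.accepted else 'NOT accepted - escalate'}"
        )
    return lines


def monitor(ctx: Context, register: List[Risk], new_likelihood: Dict[str, int]) -> List[str]:
    """Step 6, risk monitoring and review: re-score risks whose likelihood
    estimate changed, keeping the existing treatment, and return the assets
    whose acceptance status flipped and therefore need re-treatment or review."""
    changed = []
    for r in register:
        if r.asset in new_likelihood:
            r.likelihood = new_likelihood[r.asset]
            before = r.accepted
            r.accepted = evaluate(ctx, residual_level(r))
            if r.accepted != before:
                changed.append(r.asset)
    return changed


def build_register(ctx: Context) -> List[Risk]:
    """Constructed sample register using threat types named in the article."""
    register = [
        Risk("customer database", "theft of a laptop holding a copy", 3, 5,
             control=("full-disk encryption", 0, 4)),
        Risk("public web shop", "denial of service", 4, 4,
             control=("upstream traffic filtering", 2, 0)),
        Risk("head office", "flood", 1, 5),
        Risk("legacy fax gateway", "remote spying on unencrypted transmissions", 3, 3),
    ]
    return [treat(ctx, r) for r in register]


if __name__ == "__main__":
    ctx = Context(scope="order-processing ISMS")
    reg = build_register(ctx)
    print("\n".join(report(ctx, reg)))
    print("Needs review after new estimates:", monitor(ctx, reg, {"head office": 3}))
```

Running the register shows why the standard keeps treatment and acceptance as separate steps: the web shop's denial of service risk is treated (filtering lowers likelihood) but its residual level still exceeds the threshold, so it is not silently accepted and instead surfaces in the report for an explicit management decision, and a later review that raises the flood likelihood flips the head office risk out of acceptance even though nothing about the treatment itself changed.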

Edward Humphreys, convener of the ISO/IEC working group that developed the standard, said, "Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront.

"ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities," he said.

Source: International Organization for Standardization (ISO).
