4. What is ISO 27005, and do you have information security and operations-specific policy and procedure documents relating to this well-known standard?

ISO/IEC 27005, Information technology - Security techniques - Information security risk management, provides comprehensive guidelines on information security risk management (ISRM). It does not prescribe a specific risk assessment method, nor does it tell you which of the many risk standards and frameworks to adopt, but it does give in-depth guidance on the core activities of managing information security risk. More specifically, the publication (approximately 55 pages) includes the following content:

  • Foreword
  • Introduction
  • Normative references
  • Terms and definitions
  • Structure
  • Background
  • Overview of the information security risk management (ISRM) process
  • Context establishment
  • Information security risk assessment (ISRA)
  • Information security risk treatment
  • Information security risk acceptance
  • Information security risk communication
  • Information security risk monitoring and review
  • Annex A: Defining the scope of the process
  • Annex B: Asset valuation and impact assessment
  • Annex C: Examples of typical threats
  • Annex D: Vulnerabilities and vulnerability assessment methods
  • Annex E: ISRA approaches


If you’re seeking to implement an enterprise-wide risk management framework, ISO 27005 is a good place to start learning about the key considerations in information security risk management. FLANK offers comprehensive risk management consulting services, including industry-leading policies, procedures, and forms for conducting risk assessments.