UnixTime

Research Note

ISO 27005 Risk Process Notes

ISO/IEC 27005 gives guidance for managing information security risk in support of an ISO/IEC 27001 ISMS. It helps turn risk thinking into a repeatable process for deciding what...

On this page

Plain-language meaning

ISO/IEC 27005 gives guidance for managing information security risk in support of an ISO/IEC 27001 ISMS. It helps turn risk thinking into a repeatable process for deciding what to protect, what could go wrong, how bad it is, what to do about it, and whether the remaining risk is acceptable.

Practical risk process

Risk activity Plain-language question ISO 27001 connection Vault link
Establish context What are we protecting and what matters? Scope, interested parties, requirements Information Security Management System, Field of Application, Usage, and Compliance
Define criteria How do we score and accept risk? Risk assessment and acceptance criteria Risk Assessment
Identify risk What could happen to information assets/processes? Risk assessment input Information and Associated Asset Inventory
Analyze risk How likely and severe is it? Risk assessment results Risk and Control Mapping Table
Evaluate risk Which risks need treatment? Risk treatment decisions Statement of Applicability
Treat risk What controls or actions are needed? Annex A and additional controls Annex A and the Statement of Applicability, A.5 Organizational Controls MOC
Accept residual risk Who accepts what remains? Risk owner/management decision Management Review
Communicate and consult Who needs to know or decide? Leadership, control owners, interested parties Roles and Responsibilities
Monitor and review Has risk or control effectiveness changed? Internal audit, management review, improvement Internal Audit, Management Review, Corrective Action Tracker

Risk-to-control logic

Use this chain:

  1. information asset or process;
  2. threat or event;
  3. vulnerability or weakness;
  4. consequence to confidentiality, integrity, or availability;
  5. inherent risk;
  6. selected treatment option;
  7. control or action;
  8. residual risk;
  9. acceptance decision;
  10. review trigger.

Treatment options

Option Plain-language meaning Example
Modify risk Add or improve controls Implement access reviews for excessive access risk
Retain risk Accept the risk knowingly Accept low-risk supplier exposure after review
Avoid risk Stop the risky activity Do not use a supplier that cannot meet critical requirements
Share risk Transfer or share impact Contract terms, insurance, outsourced service with controls

Verify exact terminology against the official ISO/IEC 27005 text when preparing formal study notes.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Strong evidence

  • Approved risk methodology.
  • Risk criteria and acceptance criteria.
  • Risk register linked to assets, owners, controls, and SoA decisions.
  • Documented treatment decisions and residual risk acceptance.
  • Review triggers after incidents, supplier changes, projects, or audit findings.
  • Management review includes risk status and treatment progress.

Weak evidence

  • Risk register exists but controls are not mapped.
  • Risks scored without criteria.
  • Risk owners are missing.
  • Annex A controls selected without risk rationale.
  • Residual risk accepted informally.
  • Risk review is annual only, even after major changes.