Plain-language meaning
ISO/IEC 27005 gives guidance for managing information security risk in support of an ISO/IEC 27001 ISMS. It helps turn risk thinking into a repeatable process for deciding what to protect, what could go wrong, how bad it is, what to do about it, and whether the remaining risk is acceptable.
Practical risk process
| Risk activity | Plain-language question | ISO 27001 connection | Vault link |
|---|---|---|---|
| Establish context | What are we protecting and what matters? | Scope, interested parties, requirements | Information Security Management System, Field of Application, Usage, and Compliance |
| Define criteria | How do we score and accept risk? | Risk assessment and acceptance criteria | Risk Assessment |
| Identify risk | What could happen to information assets/processes? | Risk assessment input | Information and Associated Asset Inventory |
| Analyze risk | How likely and severe is it? | Risk assessment results | Risk and Control Mapping Table |
| Evaluate risk | Which risks need treatment? | Risk treatment decisions | Statement of Applicability |
| Treat risk | What controls or actions are needed? | Annex A and additional controls | Annex A and the Statement of Applicability, A.5 Organizational Controls MOC |
| Accept residual risk | Who accepts what remains? | Risk owner/management decision | Management Review |
| Communicate and consult | Who needs to know or decide? | Leadership, control owners, interested parties | Roles and Responsibilities |
| Monitor and review | Has risk or control effectiveness changed? | Internal audit, management review, improvement | Internal Audit, Management Review, Corrective Action Tracker |
Risk-to-control logic
Use this chain:
- information asset or process;
- threat or event;
- vulnerability or weakness;
- consequence to confidentiality, integrity, or availability;
- inherent risk;
- selected treatment option;
- control or action;
- residual risk;
- acceptance decision;
- review trigger.
Treatment options
| Option | Plain-language meaning | Example |
|---|---|---|
| Modify risk | Add or improve controls | Implement access reviews for excessive access risk |
| Retain risk | Accept the risk knowingly | Accept low-risk supplier exposure after review |
| Avoid risk | Stop the risky activity | Do not use a supplier that cannot meet critical requirements |
| Share risk | Transfer or share impact | Contract terms, insurance, outsourced service with controls |
Verify exact terminology against the official ISO/IEC 27005 text when preparing formal study notes.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
Strong evidence
- Approved risk methodology.
- Risk criteria and acceptance criteria.
- Risk register linked to assets, owners, controls, and SoA decisions.
- Documented treatment decisions and residual risk acceptance.
- Review triggers after incidents, supplier changes, projects, or audit findings.
- Management review includes risk status and treatment progress.
Weak evidence
- Risk register exists but controls are not mapped.
- Risks scored without criteria.
- Risk owners are missing.
- Annex A controls selected without risk rationale.
- Residual risk accepted informally.
- Risk review is annual only, even after major changes.
Related notes
- Iso27005
- Risk management
- Risk assessment
- Isms
Note Metadata
Aliases: ISO27005 Risk Process
Source: 07 ISO 27005 Risk Guide/ISO 27005 Risk Process Notes.md
Graph-sourced resources
Templates and evidence
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Annex A and the Statement of Applicability
- Field of Application, Usage, and Compliance
- Information Security Management System
- Internal Audit
- Management Review
- Risk Assessment
- Roles and Responsibilities
- Statement of Applicability
- A.5 Organizational Controls MOC
- A.5 Organizational Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO27001-A.5.7 Threat Intelligence
- ISO 27005 Risk Management Guide
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27001 Requirements to Implementation and Audit Map
- ISO 27002 Annex A Control Interpretation Map
- ISO 27005 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- Risk Knowledge Base
- Template - Corrective Action Tracker
- Information and Associated Asset Inventory
- Template - Risk and Control Mapping Table
- ISO 27001 Overview