UnixTime

Research Note

ISO 27005 Knowledge Base

ISO/IEC 27005 is the risk-management companion for this project. It supports ISO/IEC 27001 implementation by making risk context, risk assessment, risk treatment, residual risk,...

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This is the ISO/IEC 27005 section of the vault. It answers:

Why does the control exist from a risk perspective?

ISO/IEC 27005 is the risk-management companion for this project. It supports ISO/IEC 27001 implementation by making risk context, risk assessment, risk treatment, residual risk, communication, monitoring, and review explicit.

Core risk chain

01 Asset What must be protected: data, service, process, person, or facility.
02 Threat Event, actor, or condition that can cause harm.
03 Vulnerability Weakness that makes the threat relevant.
04 Risk Scenario with likelihood, impact, owner, and priority.
05 Treatment Avoid, mitigate, transfer, or accept the risk.
06 Control Safeguard selected through ISO 27001/27002 and the SoA.
07 Evidence Record proving the control exists and operates.
08 Audit Independent verification, finding, or assurance result.

Risk-management notes

Risk knowledge base sections

ISO 27005 connection to ISO 27001 and ISO 27002

Risk activity ISO 27001 connection ISO 27002 connection
Risk context ISMS scope and interested parties Control context and applicability
Risk identification Assets, threats, vulnerabilities, impacts Controls that reduce relevant risks
Risk analysis Likelihood and impact Control strength and gaps
Risk evaluation Need for treatment Control selection and prioritization
Risk treatment Treatment plan and SoA Control implementation guidance
Risk acceptance Residual risk decisions Evidence that treatment is sufficient
Risk monitoring Audit, management review, improvement Control review and effectiveness

Research basis

ISO describes ISO/IEC 27005:2022 as guidance on managing information security risks to support implementation of an ISO/IEC 27001-based ISMS.

External references

Scenario catalog

  • Iso27005
  • Knowledge base
  • Risk management
  • Moc

Note Metadata

Aliases: ISO27005 KB, ISO 27005 KB

Source: 12 ISO 27005 Knowledge Base/ISO 27005 Knowledge Base MOC.md

Graph-sourced resources

Templates and evidence