Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This is the ISO/IEC 27005 section of the vault. It answers:
Why does the control exist from a risk perspective?
ISO/IEC 27005 is the risk-management companion for this project. It supports ISO/IEC 27001 implementation by making risk context, risk assessment, risk treatment, residual risk, communication, monitoring, and review explicit.
Core risk chain
Risk-management notes
- ISO 27005 Risk Management Guide MOC
- ISO 27005 Risk Process Notes
- Risk Assessment
- Risk and Control Mapping Table
- Statement of Applicability
- A.5 Controls Implementation Audit Risk Mapping
- A.6 People Controls Implementation Audit Risk Mapping
- A.7 Physical Controls Implementation Audit Risk Mapping
- A.8 Technological Controls Implementation Audit Risk Mapping
Risk knowledge base sections
ISO 27005 connection to ISO 27001 and ISO 27002
| Risk activity | ISO 27001 connection | ISO 27002 connection |
|---|---|---|
| Risk context | ISMS scope and interested parties | Control context and applicability |
| Risk identification | Assets, threats, vulnerabilities, impacts | Controls that reduce relevant risks |
| Risk analysis | Likelihood and impact | Control strength and gaps |
| Risk evaluation | Need for treatment | Control selection and prioritization |
| Risk treatment | Treatment plan and SoA | Control implementation guidance |
| Risk acceptance | Residual risk decisions | Evidence that treatment is sufficient |
| Risk monitoring | Audit, management review, improvement | Control review and effectiveness |
Research basis
ISO describes ISO/IEC 27005:2022 as guidance on managing information security risks to support implementation of an ISO/IEC 27001-based ISMS.
External references
Scenario catalog
- RISK-0001 Customer Data Compromise Due to Ransomware Campaign
- RISK-0002 Incident Escalation Failure Due to Unclear Ownership
- RISK-0003 Security Event Misclassification Delays Incident Response
- RISK-0004 Uncoordinated Incident Response Allows Compromise to Spread
- RISK-0005 Repeat Incidents Due to Missing Lessons Learned
- RISK-0006 Evidence Integrity Loss Due to Weak Chain of Custody
- RISK-0007 Excessive Access to Sensitive Assets Due to Weak Access Rules
- RISK-0008 Orphaned Identities After Role or Employment Change
- RISK-0009 Compromised Authentication Information Due to Weak Credential Handling
- RISK-0010 Stale Access Rights After Business Change
- RISK-0011 Unmanaged Supplier Security Exposure Due to Incomplete Supplier Inventory
- RISK-0012 Supplier Access Before Security Requirements Are Agreed
- RISK-0013 Inherited ICT Supply Chain Compromise Through Unreviewed Dependencies
- RISK-0014 Supplier Service Change Without Risk Review
- RISK-0015 Cloud Governance and Exit Failure Due to Weak Cloud Service Controls
- Iso27005
- Knowledge base
- Risk management
- Moc
Note Metadata
Aliases: ISO27005 KB, ISO 27005 KB
Source: 12 ISO 27005 Knowledge Base/ISO 27005 Knowledge Base MOC.md
Graph-sourced resources
Templates and evidence
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Risk Assessment
- Statement of Applicability
- RISK-0001 Customer Data Compromise Due to Ransomware Campaign
- RISK-0002 Incident Escalation Failure Due to Unclear Ownership
- RISK-0003 Security Event Misclassification Delays Incident Response
- RISK-0004 Uncoordinated Incident Response Allows Compromise to Spread
- RISK-0005 Repeat Incidents Due to Missing Lessons Learned
- RISK-0006 Evidence Integrity Loss Due to Weak Chain of Custody
- RISK-0007 Excessive Access to Sensitive Assets Due to Weak Access Rules
- RISK-0008 Orphaned Identities After Role or Employment Change
- RISK-0009 Compromised Authentication Information Due to Weak Credential Handling
- RISK-0010 Stale Access Rights After Business Change
- RISK-0011 Unmanaged Supplier Security Exposure Due to Incomplete Supplier Inventory
- RISK-0012 Supplier Access Before Security Requirements Are Agreed
- RISK-0013 Inherited ICT Supply Chain Compromise Through Unreviewed Dependencies
- RISK-0014 Supplier Service Change Without Risk Review
- RISK-0015 Cloud Governance and Exit Failure Due to Weak Cloud Service Controls
- ISO 27005 Risk Management Guide
- ISO 27005 Risk Process Notes
- A.5 Controls Implementation Audit Risk Mapping
- A.6 People Controls Implementation Audit Risk Mapping
- A.7 Physical Controls Implementation Audit Risk Mapping
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27001 Knowledge Base
- ISO 27002 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- Risk Knowledge Base
- Template - Risk and Control Mapping Table
- Template Clause Note
- Template Control Card
- Template Risk Scenario
- Annex A Controls MOC
- ISO 27001 Overview
- Templates MOC