ISO/IEC 27005:2022: Main Changes and Implications

In the current era of digitalization, organizations of all types and sizes are highly concerned about ensuring the privacy and security of their information. The increasing number of cyberattacks, among others, presents a range of threats that could cause downtime, data breaches, compliance violations, loss of reputation and trust, financial loss, and much more if they exploit organizations’ vulnerabilities. 

Therefore, it has become imperative for organizations to adopt a well-structured and systematic approach to manage and treat information security risks.

ISO/IEC 27005 is an international standard intended to serve as guidance for information security risk management. It provides guidelines for organizations on the establishment and improvement of their information security risk management process and the implementation of the ISO/IEC 27001 requirements regarding information security risk assessment and treatment. 

To keep pace with changes and trends in the particular field, ISO reviews its standards normally every five years after their publication. ISO/IEC 27005 went through a review process and was republished in October 2022, four years after its latest publication. The fourth and most recent version of ISO/IEC 27005 cancels and replaces the previous version of the standard.

What Are the Changes in ISO/IEC 27005:2022?

One of the first changes that can be easily noticed in the new version of ISO/IEC 27005 is the title. While the previous version was titled:

• ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management

The title of the new version is:

• ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks

Other key modifications include:

• The content of the standard has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018.
• The language used has been updated to ensure consistency with the ISO 31000:2018 terminology. For example, the term “impact” has been substituted with the term “consequence.” 
• The structure of the clauses has been rearranged in accordance with the ISO/IEC 27001 structure.
• A trigger criteria has been added to the structure of all clauses that provides guidance on when to initiate an activity, when to complete a stage, or when to make updates to the framework.
• The updated standard has also introduced the concept of “risk scenario,” which is defined as a “sequence or combination of events leading from the initial cause to the unwanted consequence.” This new concept substituted the term, “incident scenario,” used in the 2018 edition.
• The new version of the standard outlines a risk management process that involves five main stages for managing information security risks: context establishment, risk identification, risk analysis, risk evaluation, and risk treatment, whereas the risk acceptance stage has been removed. 
• Clause 10 Information security risk acceptance has also been deleted in the new version of the standard. Nevertheless, ISO/IEC 27005:2022 has introduced a new clause for the acceptance of residual risk, clause 8.6.3 Acceptance of the residual information security risk. This means that the new version simplifies risk acceptance to a decision point that is considered after risk treatment.
• ISO/IEC 27005:2022 has added a new component to the information security risk management process which was not present in the previous version. This component specifies the documentation guidelines which are detailed in clauses 10.4.2 Documented information about processes and 10.4.3 Documented information about results.
• The previous version of the standard explained the risk identification process as a set of activities which included the identification of assets, identification of threats, identification of existing controls, identification of vulnerabilities, and identification of consequences. In the new version of the standard, these activities are no longer specifically mentioned. 
• ISO/IEC 27005:2022 describes the process of identifying information security risks through two possible approaches. While both risk identification approaches can be used to define risk scenarios, they differ based on the level at which the identification of risks is initiated.
  • Event-based approach is a high-level assessment that involves identifying strategic scenarios by considering risk sources and how they impact interested parties in order to achieve their desired objectives. It focuses on the overall threat landscape, it is most appropriate for macroscopic analysis, and it is used to define the consequence and severity of a given scenario.
  • Asset-based approach is an in-depth assessment that can be used to build operational scenarios by considering and identifying assets, threats, and vulnerabilities in detail. The asset-based approach allows organizations to identify asset-specific threats and vulnerabilities, define the likelihood of a particular scenario, and determine specific risk treatment options.
• The updated standard has added the semiquantitative technique for analyzing information security risks in addition to the two existing risk analysis techniques: qualitative and quantitative.
• ISO/IEC 27005:2022 has also introduced a new concept related to monitoring, i.e., clause A.2.7 Monitoring risk-related events, which refers to the identification of factors that can impact an information security risk scenario. 
• A new clause has been added to the standard regarding the Statement of Applicability (SoA), in alignment with ISO/IEC 27001:2022. This clause provides guidelines for producing a SoA that outlines all necessary controls that are planned to be implemented for risk treatment, the justification for implementing the selected controls, and the reasons for excluding the other controls from ISO/IEC 27001:2022, Annex A.
• Clause 10, Leveraging related ISMS processes, has been introduced which provides implementation guidance for some of the main clauses of ISO/IEC 27001:2022 influencing information security risk management.
• All previous annexes of the standard have been updated and restructured into a single annex:
  • Annex A (informative) Defining the scope and boundaries of the information security risk management process
  • Annex B (informative) Identification and valuation of assets and impact assessment
  • Annex C (informative) Examples of typical threats
  • Annex D (informative) Vulnerabilities and methods for vulnerability assessment
  • Annex E (informative) Information security risk assessment approaches 
  • Annex F (informative) Constraints for risk modification

The current structure is as follows:

• Annex A (informative) Examples of techniques in support of the risk assessment process:
  • A.1 Information security risk criteria
    • A.1.1 Criteria related to risk assessment
    • A.1.2 Risk acceptance criteria
  • A.2 Practical techniques
    • A.2.1 Information security risk components
    • A.2.2 Assets
    • A.2.3 Risk sources and desired end state
    • A.2.4 Event-based approach
    • A.2.5 Asset-based approach
    • A.2.6 Examples of scenarios applicable in both approaches
    • A.2.7 Monitoring risk-related events

The new standard places an emphasis on aligning the information security risk management approach with other risk management approaches used within the organization to ensure the consistency, comparability, and validity of results.

Will ISO/IEC 27005:2022 Changes Affect My Current ISO/IEC 27005 Certificate?

The new changes in ISO/IEC 27005:2022 will not affect the current ISO/IEC 27005 certificate. For individuals seeking certification against ISO/IEC 27005:2022, PECB has released an updated version of ISO/IEC 27005 Lead Risk Manager and ISO/IEC 27005 Risk Manager training courses based on the latest edition of the standard.

How is ISO/IEC 27005 Related to Other ISO Standards?

ISO/IEC 27005 and ISO/IEC 27001

Being part of the ISO/IEC 27000 family, ISO/IEC 27005 is closely related to ISO/IEC 27001. ISO/IEC 27001 provides the requirements for an information security management system (ISMS). ISO/IEC 27005, on the other hand, can be used by organizations that have implemented an ISMS as the standard helps in addressing the ISO/IEC 27001 requirements about information security risk management, i.e., clauses 6.1 Actions to address risks and opportunities, 8.2 Information security risk assessment, and 8.3 Information security risk treatment.

ISO/IEC 27005 and ISO 31000

ISO 31000 provides principles, a process, and a framework for managing risks faced by organizations in any industry, regardless of their size or complexity. While both standards address risk management, ISO/IEC 27005 specifically covers the management of information security risks, whereas ISO 31000 provides a general process for managing risks of all types. The guidelines and terminology of ISO/IEC 27005 are harmonized with ISO 31000. As such, organizations can use both standards to manage risks related to information security and other areas.

About the authors

Vlerë Hyseni is the Digital Content Officer at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact her at: content@pecb.com.

Ernis Kabashi is a Content Developer for IT Security at PECB. He is in charge of designing, developing, and improving training courses and other supporting materials. If you have any questions, please do not hesitate to contact him: ernis.training@pecb.com.