ISO 27005:2022 Overview
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
1.0, 28.10.2022
Agenda
1. Purchasing
2. Life cycle
3. New Name
4. Main changes
5. Abstract
6. Number of pages
7. Contents
8. Introduction
9. 1. Scope
10. 3. Terms and definitions
11. 4. Structure of this document
12. 5. IS risk management
13. 6. Context establishment
14. 7. Information security risk assessment process
15. Approaches to perform risk identification
16. 8. Information security risk treatment process
17. 9. Operations
18. 10. Leveraging related ISMS processes
19. Annexes
20. Annexes. Tables
21. New examples of typical threats
22. New risk sources
23. Qualitative approach (new matrix and scales)
24. Quantitative approach (examples), 2022
25. Annexes. New figures
26. Conclusion
Purchasing
www.iso.org/standard/80585.html
≈180 Euro
Life cycle
New Name
ISO/IEC 27005:2018: Information technology — Security techniques — Information security risk management
ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection — Guidance on managing information security risks
Main changes
1. All guidance text has been aligned with ISO/IEC 27001:2022,
and ISO 31000:2018
2. The terminology has been aligned with the terminology in
ISO 31000:2018
3. The structure of the clauses has been adjusted to the layout
of ISO/IEC 27001:2022
4. Risk scenario concepts have been introduced
5. The event-based approach is contrasted with the asset-based
approach to risk identification
6. The content of the annexes has been revised and restructured into a single annex, with more examples and models.
Abstract
ISO/IEC 27005:2018:
This document provides guidelines for information security risk management.
This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.
ISO/IEC 27005:2022:
This document provides guidance to assist organizations to:
• fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
• perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
Number of pages
ISO/IEC 27005:2018: 56
ISO/IEC 27005:2022: 62
Contents
ISO/IEC 27005:2018:
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Background
6. Overview of the information security risk management process
7. Context establishment
8. Information security risk assessment
9. Information security risk treatment
10. Information security risk acceptance
11. Information security risk communication and consultation
12. Information security risk monitoring and review
Annex A. Defining the scope and boundaries of the information security risk management process
Annex B. Identification and valuation of assets and impact assessment
Annex C. Examples of typical threats
Annex D. Vulnerabilities and methods for vulnerability assessment
Annex E. Information security risk assessment approaches
Annex F. Constraints for risk modification
Bibliography
ISO/IEC 27005:2022:
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Information security risk management
6. Context establishment
7. Information security risk assessment process
8. Information security risk treatment process
9. Operation
10. Leveraging related ISMS processes
Annex A (informative). Examples of techniques in support of the risk assessment process
Bibliography
Introduction
This document provides guidance on:
• implementation of the information security risk requirements specified in ISO/IEC 27001;
• essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information
security risk management activities;
• actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
• implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements
the guidance in ISO/IEC 27003.
This document is intended to be used by:
• organizations that intend to establish and implement an information security management system
(ISMS) in accordance with ISO/IEC 27001;
• persons that perform or are involved in information security risk management
(e.g. ISMS professionals, risk owners and other interested parties);
• organizations that intend to improve their information security risk management process.
1. Scope
ISO/IEC 27005:2018:
This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.
ISO/IEC 27005:2022:
This document provides guidance to assist organizations to:
• fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
• perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
3. Terms and definitions
ISO/IEC 27005:2018: no terms of its own, just a reference to ISO/IEC 27000 and the terminology databases:
• ISO Online browsing platform: www.iso.org/obp
• IEC Electropedia: www.electropedia.org
ISO/IEC 27005:2022:
3.1 Terms related to information security risk (17): external context, internal context, risk, risk scenario, risk owner, risk source, risk criteria, risk appetite, threat, vulnerability, event, information security incident, likelihood, consequence, level of risk, control, residual risk
3.2 Terms related to information security risk management (10): risk management process, risk communication and consultation, risk assessment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, risk sharing, risk retention
"Risk scenario: sequence or combination of events leading from the initial cause to the unwanted consequence."
4. Structure of this document
This document is structured as follows:
• Clause 5: Information security risk management;
• Clause 6: Context establishment;
• Clause 7: Information security risk assessment process;
• Clause 8: Information security risk treatment process;
• Clause 9: Operation;
• Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented from Clause 7 to Clause 10 are structured as follows:
• Input: identifies any required information to perform the activity.
• Action: describes the activity.
• Trigger: provides guidance on when to start the activity, for example because of a change within the organization or according to a plan or a change in the external context of the organization.
• Output: identifies any information derived after performing the activity, as well as any criteria that such output should satisfy.
• Guidance: provides guidance on performing the activity, its keywords and key concepts.
5. Information security risk management
Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
• The classic process scheme from 2018 is kept; the 2022 figure adds documented information to it.
• The "risk treatment cyclical process" (2018) becomes the "risk treatment iterative process" (2022):
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
• Added information security risk management cycles: strategic (overall context) and operational (scenarios).
• Many changes in the activity descriptions, plus additional recommendations. See further…
6. Context establishment
ISO/IEC 27005:2018, pages 5-8:
7.1 General considerations
7.2 Basic criteria
• 7.2.1 Risk management approach
• 7.2.2 Risk evaluation criteria
• 7.2.3 Impact criteria
• 7.2.4 Risk acceptance criteria
7.3 Scope and boundaries
7.4 Organization for information security risk management
ISO/IEC 27005:2022, pages 9-16:
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
• 6.4.1 General
• 6.4.2 Risk acceptance criteria
• 6.4.3 Criteria for performing information security risk assessments
• 6.4.3.1 General
• 6.4.3.2 Consequence criteria
• 6.4.3.3 Likelihood criteria
• 6.4.3.4 Criteria for determining the level of risk
6.5 Choosing an appropriate method
7. Information security risk assessment process
ISO/IEC 27005:2018, pages 8-16:
8.1 General description of information security risk assessment
8.2 Risk identification
• 8.2.1 Introduction to risk identification
• 8.2.2 Identification of assets
• 8.2.3 Identification of threats
• 8.2.4 Identification of existing controls
• 8.2.5 Identification of vulnerabilities
• 8.2.6 Identification of consequences
8.3 Risk analysis
• 8.3.1 Risk analysis methodologies
• 8.3.2 Assessment of consequences
• 8.3.3 Assessment of incident likelihood
• 8.3.4 Level of risk determination
8.4 Risk evaluation
ISO/IEC 27005:2022, pages 16-23:
7.1 General
7.2 Identifying information security risks
• 7.2.1 Identifying and describing information security risks
• 7.2.2 Identifying risk owners
7.3 Analysing information security risks
• 7.3.1 General
• 7.3.2 Assessing potential consequences
• 7.3.3 Assessing likelihood
• 7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
• 7.4.1 Comparing the results of risk analysis with the risk criteria
• 7.4.2 Prioritizing the analysed risks for risk treatment
Approaches to perform risk identification
Event-based (scenarios):
• Identify strategic scenarios through a consideration of risk sources, and how they use or impact interested parties to reach those risks' desired objective.
• The underlying concept is that risks can be identified and assessed through an evaluation of events and consequences.
• An event-based approach can establish high level or strategic scenarios without spending a considerable amount of time in identification of assets on a detailed level.
• This allows the organization to focus its risk treatment efforts on the critical risks.
• Interviews with top management.
• Top-down.
Asset-based:
• Identify operational scenarios, which are detailed in terms of assets, threats and vulnerabilities.
• The underlying concept is that risks can be identified and assessed through an inspection of assets, threats and vulnerabilities.
• An asset is anything that has value to the organization and therefore requires protection.
• If all valid combinations of assets, threats and vulnerabilities can be enumerated within the scope of the ISMS, then, in theory, all the risks would be identified.
• The asset-based approach can identify asset-specific threats and vulnerabilities and allows the organization to determine specific risk treatment on a detailed level.
• Bottom-up.
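The following is an added worked example, not code from the presentation or from ISO/IEC 27005 itself. It ties together the pieces the slides above list separately: the risk criteria of 6.4 (consequence, likelihood and level-of-risk criteria, plus acceptance criteria), the event-based scenario description of 7.2 (a risk source causes an event with a consequence, owned by a risk owner), the analysis and evaluation steps of 7.3 and 7.4, and the iterative treatment loop from Clause 5 (select an option, implement, re-assess, decide whether the residual risk is acceptable, treat further if not). Both scales are logarithmic in the spirit of Tables A.4 and A.5, so the qualitative level of risk is simply the sum of the two indices, and the same pair of indices also gives an expected annual loss for the quantitative view. The scale values, the three-colour thresholds, the acceptance rule, the control names and their effects, and the three scenarios are all assumptions made for this example.

```python
"""Risk evaluation on logarithmic scales plus the iterative treatment loop.
Added illustration, not code from the presentation or from ISO/IEC 27005: every
scale value, threshold, control name and scenario below is an assumption."""
from dataclasses import dataclass, field
from typing import List

# Assumed logarithmic scales: index -> order of magnitude (events/year, EUR per event).
LIKELIHOOD_PER_YEAR = {0: 0.01, 1: 0.1, 2: 1.0, 3: 10.0, 4: 100.0}
CONSEQUENCE_EUR = {0: 1e3, 1: 1e4, 2: 1e5, 3: 1e6, 4: 1e7}

def level_of_risk(likelihood_idx: int, consequence_idx: int) -> int:
    """Qualitative level 0..8. On logarithmic scales multiplying the magnitudes
    is adding the indices: log10(L*C) = log10(L) + log10(C)."""
    return likelihood_idx + consequence_idx

def expected_annual_loss(likelihood_idx: int, consequence_idx: int) -> float:
    """Quantitative view of the same indices: events/year * EUR/event,
    which with the scales above is 10 ** (level_of_risk + 1)."""
    return LIKELIHOOD_PER_YEAR[likelihood_idx] * CONSEQUENCE_EUR[consequence_idx]

def colour(level: int) -> str:
    """Assumed three-colour matrix: green <= 3, amber 4..5, red >= 6."""
    if level <= 3:
        return "green"
    return "amber" if level <= 5 else "red"

@dataclass
class Treatment:
    control: str                # assumed control name
    likelihood_delta: int = 0   # assumed reduction of the likelihood index
    consequence_delta: int = 0  # assumed reduction of the consequence index

@dataclass
class RiskScenario:
    """Event-based description: a risk source causes an event with a consequence."""
    risk_source: str
    event: str
    consequence: str
    risk_owner: str
    likelihood_idx: int
    consequence_idx: int
    applied: List[str] = field(default_factory=list)

    def level(self) -> int:
        return level_of_risk(self.likelihood_idx, self.consequence_idx)

    def eal(self) -> float:
        return expected_annual_loss(self.likelihood_idx, self.consequence_idx)

    def apply(self, t: Treatment) -> None:
        # Risk modification lowers an index, never below the bottom of the scale.
        self.likelihood_idx = max(0, self.likelihood_idx - t.likelihood_delta)
        self.consequence_idx = max(0, self.consequence_idx - t.consequence_delta)
        self.applied.append(t.control)

def prioritise(risks: List[RiskScenario]) -> List[RiskScenario]:
    """Order for treatment: highest level first, ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (r.level(), r.eal()), reverse=True)

def treat(risk: RiskScenario, options: List[Treatment], owner_accepts_amber: bool) -> str:
    """Iterative treatment: apply one option, re-assess, stop once the residual risk
    meets the assumed acceptance criteria (green always, amber only if the risk
    owner explicitly retains it, red never)."""
    def acceptable() -> bool:
        c = colour(risk.level())
        return c == "green" or (c == "amber" and owner_accepts_amber)
    for option in options:
        if acceptable():
            break
        risk.apply(option)
    c = colour(risk.level())
    if c == "green":
        return "accepted"
    if c == "amber" and owner_accepts_amber:
        return "retained by risk owner"
    return "further treatment required"

def sample_register() -> List[RiskScenario]:
    """Constructed scenarios for the example; source names follow the risk source slide."""
    return [
        RiskScenario("organized crime", "ransomware via phished credentials",
                     "production outage and extortion", "COO", 3, 3),
        RiskScenario("amateur", "defacement of the public website",
                     "reputational damage", "CMO", 3, 1),
        RiskScenario("state-related", "exfiltration of design documents",
                     "loss of competitive advantage", "CTO", 1, 4),
    ]

RANSOMWARE_OPTIONS = [  # assumed options and effects for the first scenario
    Treatment("phishing-resistant MFA", likelihood_delta=1),
    Treatment("tested offline backups", consequence_delta=1),
    Treatment("network segmentation", consequence_delta=1),
    Treatment("security awareness training", likelihood_delta=1),
]

if __name__ == "__main__":
    register = prioritise(sample_register())
    for r in register:
        print(f"{colour(r.level()):5} level={r.level()} EAL={r.eal():>12,.0f} EUR  "
              f"{r.risk_source}: {r.event} (owner: {r.risk_owner})")
    top = register[0]
    print(treat(top, RANSOMWARE_OPTIONS, owner_accepts_amber=False), top.applied)
```

Running the module prints the prioritised register and then treats the top scenario. Two things the slide text alone does not show: on order-of-magnitude scales a red level 6 corresponds to about 10^7 EUR per year under these assumptions against 10^4 for a green level 3, so the colours of the matrix hide a thousandfold difference; and the loop stops at the first option that makes the residual risk acceptable, which is why whether amber is acceptable has to be a documented decision of the risk owner (8.6.2 and 8.6.3) rather than of whoever runs the assessment.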
8. Information security risk treatment process
ISO/IEC 27005:2018, pages 16-20:
9.1 General description of risk treatment
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10. Information security risk acceptance
ISO/IEC 27005:2022, pages 23-30:
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
• 8.6.1 Formulation of the risk treatment plan
• 8.6.2 Approval by risk owners
• 8.6.3 Acceptance of the residual information security risks
9. Operation (page 31)
9.1 Performing information security risk assessment process
• Input: documents about the information security risk assessment process, including risk assessment and risk acceptance criteria.
• Action: the risk assessment process should be performed in accordance with Clause 7.
• Trigger: the need of the organization to assess risks, at planned intervals or based on events.
• Output: evaluated risks.
• Implementation guidance: …
9.2 Performing information security risk treatment process
• Input: evaluated risk(s).
• Action: the risk treatment process should be performed in accordance with Clause 8.
• Trigger: the need of the organization to treat risks, at planned intervals or based on events.
• Output: retained or accepted residual risks.
• Implementation guidance: …
10. Leveraging related ISMS processes (pages 32-40)
ISMS process and the corresponding risk management action:
• 10.1 Context of the organization: all relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties.
• 10.2 Leadership and commitment: the appropriate level of management should consider results related to information security risks, to decide on or endorse further actions.
• 10.3 Communication and consultation: information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties.
• 10.4 Documented information: information about the information security risk assessment and treatment processes and results should be documented and retained.
• 10.5 Monitoring and review: risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.
• 10.6 Management review: the results of information security risk assessment and the status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options.
• 10.7 Corrective action: revise the risk treatment plan and implement it to modify the residual risk to an acceptable level.
• 10.8 Continual improvement: the information security risk management process should be continually monitored, reviewed and improved as necessary.
Each subclause also gives inputs, outputs, triggers and implementation guidance.
Annexes
ISO/IEC 27005:2018, pages 24-52:
Annex A. Defining the scope and boundaries of the information security risk management process
• A.1 Study of the organization
• A.2 List of the constraints affecting the organization
• A.3 List of the constraints affecting the scope
Annex B. Identification and valuation of assets and impact assessment
• B.1 Examples of asset identification (primary and supporting)
• B.2 Asset valuation
• B.3 Impact assessment
Annex C. Examples of typical threats (+ origin of threat)
Annex D. Vulnerabilities and methods for vulnerability assessment
• D.1 Examples of vulnerabilities
• D.2 Methods for assessment of technical vulnerabilities
Annex E. Information security risk assessment approaches
• E.1 High-level information security risk assessment
• E.2 Detailed information security risk assessment
Annex F. Constraints for risk modification
ISO/IEC 27005:2022, pages 41-61:
Annex A (informative). Examples of techniques in support of the risk assessment process
A.1 Information security risk criteria
• A.1.1 Criteria related to risk assessment
• A.1.2 Risk acceptance criteria
A.2 Practical techniques
• A.2.1 Information security risk components
• A.2.2 Assets
• A.2.3 Risk sources and desired end state
• A.2.4 Event-based approach
• A.2.5 Asset-based approach
• A.2.6 Examples of scenarios applicable in both approaches
• A.2.7 Monitoring risk-related events
Annexes. Tables
ISO/IEC 27005:2018:
Examples of typical threats
Origin of threats
Examples of typical vulnerabilities
Table E.1 — The asset values, and the threat and vulnerability levels
Table E.2 — Results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact
Table E.3 — The factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects)
Table E.3 — Combination of the likelihood of the threat occurring and the ease of exploitation of the vulnerability
Table E.4 — The intersection of asset value and likelihood value
ISO/IEC 27005:2022:
Table A.1 — Example of consequence scale
Table A.2 — Example of likelihood scale
Table A.3 — Example of qualitative approach to risk criteria
Table A.4 — Example logarithmic likelihood scale
Table A.5 — Example logarithmic consequence scale
Table A.6 — Example of evaluation scale combined with three-colour risk matrix
Table A.7 — Examples and usual methods of attack
Table A.8 — Example classification of motivations to express the DES (desired end state)
Table A.9 — Examples of target objectives
Table A.10 — Examples of typical threats
Table A.11 — Examples of typical vulnerabilities
Table A.12 — Examples of risk scenarios in both approaches
Table A.13 — Example of risk scenario and monitoring risk-related events relationship
New examples of typical threats
ISO/IEC 27005:2018:
1. Physical damage (6)
2. Natural events (5)
3. Loss of essential services (3)
4. Disturbance due to radiation (3)
5. Compromise of information (11)
6. Technical failures (5)
7. Unauthorized actions (5)
8. Compromise of functions (5)
Total: 43
ISO/IEC 27005:2022:
1. Physical threats (6)
2. Natural threats (6)
3. Infrastructure failures (8)
4. Technical failures (3)
5. Human actions (26)
6. Compromise of functions or services (4)
7. Organizational threats (4)
Total: 56 (the per-category counts as listed add up to 57, so one figure on this slide is off by one)
New risk sources
ISO/IEC 27005:2018 (Annex C, part of the threat examples), human threat sources:
1. Hacker, cracker
2. Computer criminal
3. Terrorist
4. Industrial espionage (intelligence, companies, foreign governments, other government interests)
5. Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Table with motivation and possible consequences.
ISO/IEC 27005:2022 (Table A.7 Examples and usual methods of attack), risk sources:
1. State-related (states, intelligence agencies)
2. Organized crime (cybercriminal organizations: mafias, gangs, criminal outfits)
3. Terrorist (cyber-terrorists, cyber-militias)
4. Ideological activist (cyber-hacktivists, interest groups, sects)
5. Specialized outfits ("cyber-mercenary")
6. Amateur
7. Avenger
8. Pathological attacker
Qualitative approach (new matrix and scales)
ISO/IEC 27005:2018 vs ISO/IEC 27005:2022 (figures only; not reproduced in the text)
Quantitative approach (examples), 2022
(figures only; not reproduced in the text)
Annexes. New figures
(figures only; not reproduced in the text)
Instead of a conclusion:
1. General procedures (Assessment and Treatment) are OK, as usual. :) :)
2. Two approaches: asset-based and event-based (scenarios), finally. :)
3. «9. Operation» and «10. Leveraging related ISMS processes» are useful for the ISMS implementation. :) :)
4. Tables «A.10 Examples of typical threats» and «A.11 Examples of typical vulnerabilities», likelihood and consequence scales can be used for inspiration. :)
5. «A.2 Practical techniques» are poorly designed and described. New figures and the examples of scenarios are useless. :( :(
6. ISO 27005:2022 is a very complicated standard, and every new version makes it more difficult. :(
In my opinion, the ISACA IT Risk and IRAM2 are much more useful and practical. I recommend using them.
Thanks!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
Have you seen my previous presentation?
www.patreon.com/posts/my-presentation-73750394
My ISMS Implementation Toolkit (ISO 27001)
www.patreon.com/posts/47806655

Choreo: Empowering the Future of Enterprise Software Engineering
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

ISO 27005:2022 Overview 221028.pdf

Number of pages
ISO/IEC 27005:2018: 56
ISO/IEC 27005:2022: 62
Contents
ISO/IEC 27005:2018:
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Background
6. Overview of the information security risk management process
7. Context establishment
8. Information security risk assessment
9. Information security risk treatment
10. Information security risk acceptance
11. Information security risk communication and consultation
12. Information security risk monitoring and review
Annex A. Defining the scope and boundaries of the information security risk management process
Annex B. Identification and valuation of assets and impact assessment
Annex C. Examples of typical threats
Annex D. Vulnerabilities and methods for vulnerability assessment
Annex E. Information security risk assessment approaches
Annex F. Constraints for risk modification
Bibliography
ISO/IEC 27005:2022:
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Information security risk management
6. Context establishment
7. Information security risk assessment process
8. Information security risk treatment process
9. Operation
10. Leveraging related ISMS processes
Annex A (informative). Examples of techniques in support of the risk assessment process
Bibliography
Introduction
This document provides guidance on:
• implementation of the information security risk requirements specified in ISO/IEC 27001;
• essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
• actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
• implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.
This document is intended to be used by:
• organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001;
• persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties);
• organizations that intend to improve their information security risk management process.
1. Scope
ISO/IEC 27005:2018:
This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.
ISO/IEC 27005:2022:
This document provides guidance to assist organizations to:
• fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
• perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
3. Terms and definitions
ISO/IEC 27005:2018:
N/A, just a reference to ISO 27000 and the databases:
• ISO Online browsing platform: www.iso.org/obp
• IEC Electropedia: www.electropedia.org
ISO/IEC 27005:2022:
3.1 Terms related to information security risk (17): external context, internal context, risk, risk scenario, risk owner, risk source, risk criteria, risk appetite, threat, vulnerability, event, information security incident, likelihood, consequence, level of risk, control, residual risk
3.2 Terms related to information security risk management (10): risk management process, risk communication and consultation, risk assessment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, risk sharing, risk retention
"Risk scenario: sequence or combination of events leading from the initial cause to the unwanted consequence."
4. Structure of this document
This document is structured as follows:
• Clause 5: Information security risk management;
• Clause 6: Context establishment;
• Clause 7: Information security risk assessment process;
• Clause 8: Information security risk treatment process;
• Clause 9: Operation;
• Clause 10: Leveraging related ISMS processes.
Except for the descriptions given in general subclauses, all risk management activities as presented from Clause 7 to Clause 10 are structured as follows:
• Input: Identifies any required information to perform the activity.
• Action: Describes the activity.
• Trigger: Provides guidance on when to start the activity, for example because of a change within the organization or according to a plan or a change in the external context of the organization.
• Output: Identifies any information derived after performing the activity, as well as any criteria that such output should satisfy.
• Guidance: Provides guidance on performing the activity, keyword and key concept.
5. IS risk management
Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
• Classic scheme (2018) + Documented information (2022)
• Risk treatment cyclical process (2018) -> Risk treatment iterative process (2022):
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— taking further treatment if not acceptable.
• Added IS risk management cycles: strategic (overall context) and operational (scenarios)
• Many changes in the activity descriptions, additional recommendations. See further…
6. Context establishment
ISO/IEC 27005:2018, pages 5-8:
7.1 General considerations
7.2 Basic criteria
• 7.2.1 Risk management approach
• 7.2.2 Risk evaluation criteria
• 7.2.3 Impact criteria
• 7.2.4 Risk acceptance criteria
7.3 Scope and boundaries
7.4 Organization for information security risk management
ISO/IEC 27005:2022, pages 9-16:
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
• 6.4.1 General
• 6.4.2 Risk acceptance criteria
• 6.4.3 Criteria for performing information security risk assessments
  • 6.4.3.1 General
  • 6.4.3.2 Consequence criteria
  • 6.4.3.3 Likelihood criteria
  • 6.4.3.4 Criteria for determining the level of risk
6.5 Choosing an appropriate method
7. Information security risk assessment process
ISO/IEC 27005:2018, pages 8-16:
8.1 General description of information security risk assessment
8.2 Risk identification
• 8.2.1 Introduction to risk identification
• 8.2.2 Identification of assets
• 8.2.3 Identification of threats
• 8.2.4 Identification of existing controls
• 8.2.5 Identification of vulnerabilities
• 8.2.6 Identification of consequences
8.3 Risk analysis
• 8.3.1 Risk analysis methodologies
• 8.3.2 Assessment of consequences
• 8.3.3 Assessment of incident likelihood
• 8.3.4 Level of risk determination
8.4 Risk evaluation
ISO/IEC 27005:2022, pages 16-23:
7.1 General
7.2 Identifying information security risks
• 7.2.1 Identifying and describing information security risks
• 7.2.2 Identifying risk owners
7.3 Analysing information security risks
• 7.3.1 General
• 7.3.2 Assessing potential consequences
• 7.3.3 Assessing likelihood
• 7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
• 7.4.1 Comparing the results of risk analysis with the risk criteria
• 7.4.2 Prioritizing the analysed risks for risk treatment
Approaches to perform risk identification
Event-based (scenarios):
Identify strategic scenarios through a consideration of risk sources, and how they use or impact interested parties to reach those risks' desired objective.
The underlying concept is that risks can be identified and assessed through an evaluation of events and consequences.
• An event-based approach can establish high-level or strategic scenarios without spending a considerable amount of time in identification of assets on a detailed level.
• This allows the organization to focus its risk treatment efforts on the critical risks.
• Interviews with top management
• Top-down
Asset-based:
Identify operational scenarios, which are detailed in terms of assets, threats and vulnerabilities.
The underlying concept is that risks can be identified and assessed through an inspection of assets, threats and vulnerabilities.
• An asset is anything that has value to the organization and therefore requires protection.
• If all valid combinations of assets, threats and vulnerabilities can be enumerated within the scope of the ISMS, then, in theory, all the risks would be identified.
• The asset-based approach can identify asset-specific threats and vulnerabilities and allows the organization to determine specific risk treatment on a detailed level.
• Bottom-up
8. Information security risk treatment process
ISO/IEC 27005:2018, pages 16-20:
9.1 General description of risk treatment
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
ISO/IEC 27005:2022, pages 23-30:
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
• 8.6.1 Formulation of the risk treatment plan
• 8.6.2 Approval by risk owners
• 8.6.3 Acceptance of the residual information security risks
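The risk scenario definition, the two identification approaches, the Clause 7 assessment steps and the iterative treatment loop described in the slides above fit together into one flow; the following added example (not from the slides or from ISO/IEC 27005 itself) models that flow in Python. The 5-point scales, the risk matrix, the colour bands, the acceptance threshold, the control effects and the two sample scenarios are constructed assumptions, not the standard's own Tables A.1 to A.6.

```python
# Added example, not from the slides or from ISO/IEC 27005 itself: a minimal model of the
# Clause 7 assessment and Clause 8 treatment flow the slides outline. The 1..5 scales, the
# matrix, the colour bands and the control effects are constructed assumptions, not Tables A.1-A.6.
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    """Constructed 5-point qualitative likelihood scale (stand-in for Table A.2)."""
    VERY_UNLIKELY = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Constructed 5-point qualitative consequence scale (stand-in for Table A.1)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass
class RiskScenario:
    """3.1 risk scenario. approach="event": strategic, top-down, risk source + desired end
    state. approach="asset": operational, bottom-up, asset + threat + vulnerability (7.2)."""
    name: str
    approach: str
    risk_owner: str                 # 7.2.2 identifying risk owners
    likelihood: Likelihood
    consequence: Consequence
    risk_source: str = ""
    desired_end_state: str = ""
    asset: str = ""
    threat: str = ""
    vulnerability: str = ""
    controls: list = field(default_factory=list)


def level_of_risk(lik: Likelihood, con: Consequence) -> int:
    """7.3.4: constructed matrix, the product of the two scale positions (1..25)."""
    return int(lik) * int(con)


def evaluate(level: int, accept_at_or_below: int = 6) -> str:
    """7.4.1 / A.1.2: compare with constructed acceptance criteria, three-colour banding."""
    if level <= accept_at_or_below:
        return "green"   # meets the acceptance criteria: retain (8.6.3)
    if level <= 12:
        return "amber"   # treat; the risk owner may accept with justification
    return "red"         # treat first (7.4.2 prioritisation)


def prioritise(register):
    """7.4.2: order the analysed risks for treatment, highest level first."""
    return sorted(register, key=lambda s: level_of_risk(s.likelihood, s.consequence),
                  reverse=True)


def treat(scenario, options):
    """Iterative treatment (Clause 5, 8.2): select and apply an option, re-assess, stop once
    the residual risk is acceptable, otherwise take further treatment.
    options: (control name, likelihood reduction, consequence reduction), constructed."""
    for name, d_lik, d_con in options:
        if evaluate(level_of_risk(scenario.likelihood, scenario.consequence)) == "green":
            break
        scenario.likelihood = Likelihood(max(1, scenario.likelihood - d_lik))
        scenario.consequence = Consequence(max(1, scenario.consequence - d_con))
        scenario.controls.append(name)   # feeds the SoA (8.5) and the treatment plan (8.6)
    residual = level_of_risk(scenario.likelihood, scenario.consequence)
    return {"controls": list(scenario.controls), "residual_level": residual,
            "band": evaluate(residual), "accepted": evaluate(residual) == "green"}


def demo_register():
    """Constructed register with one scenario from each identification approach."""
    return [
        RiskScenario("Ransomware halts order processing", "event", "COO",
                     Likelihood.LIKELY, Consequence.SEVERE,
                     risk_source="Organized crime", desired_end_state="Extortion payment"),
        RiskScenario("Backup tape lost in transit", "asset", "IT manager",
                     Likelihood.POSSIBLE, Consequence.MODERATE, asset="Offsite backup tapes",
                     threat="Loss of media", vulnerability="Backups not encrypted"),
    ]
```

Calling treat() on the constructed register shows the loop stopping as soon as the residual level falls within the acceptance criteria, so later options in the list are never applied.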
9. Operations, page 31
9.1 Performing information security risk assessment process
• Input: Documents about the information security risk assessment process including risk assessment and risk acceptance criteria.
• Action: The risk assessment process should be performed in accordance with Clause 7.
• Trigger: The need of the organization to assess risks, at planned intervals or based on events.
• Output: Evaluated risks.
• Implementation guidance: …
9.2 Performing information security risk treatment process
• Input: Evaluated risk(s).
• Action: The risk treatment process should be performed in accordance with Clause 8.
• Trigger: The need of the organization to treat risks, at planned intervals or based on events.
• Output: Retained or accepted residual risks.
• Implementation guidance: …
10. Leveraging related ISMS processes, pages 32-40
ISMS process -> Actions:
10.1 Context of the organization: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties.
10.2 Leadership and commitment: An appropriate level of management should consider results related to information security risks, to decide on or endorse further actions.
10.3 Communication and consultation: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties.
10.4 Documented information: Information about the information security risk assessment and treatment processes and results should be documented and retained.
10.5 Monitoring and review: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.
10.6 Management review: The results of information security risk assessment and the status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options.
10.7 Corrective action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level.
10.8 Continual improvement: The information security risk management process should be continually monitored, reviewed and improved as necessary.
+ Inputs/Outputs, Triggers, Implementation guidance
Annexes
ISO/IEC 27005:2018, pages 24-52:
Annex A. Defining the scope and boundaries of the information security risk management process
• A.1 Study of the organization
• A.2 List of the constraints affecting the organization
• A.3 List of the constraints affecting the scope
Annex B. Identification and valuation of assets and impact assessment
• B.1 Examples of asset identification (primary and supporting)
• B.2 Asset valuation
• B.3 Impact assessment
Annex C. Examples of typical threats (+ Origin of threat)
Annex D. Vulnerabilities and methods for vulnerability assessment
• D.1 Examples of vulnerabilities
• D.2 Methods for assessment of technical vulnerabilities
Annex E. Information security risk assessment approaches
• E.1 High-level information security risk assessment
• E.2 Detailed information security risk assessment
Annex F. Constraints for risk modification
ISO/IEC 27005:2022, pages 41-61:
Annex A (informative). Examples of techniques in support of the risk assessment process
A.1 Information security risk criteria
• A.1.1 Criteria related to risk assessment
• A.1.2 Risk acceptance criteria
A.2 Practical techniques
• A.2.1 Information security risk components
• A.2.2 Assets
• A.2.3 Risk sources and desired end state
• A.2.4 Event-based approach
• A.2.5 Asset-based approach
• A.2.6 Examples of scenarios applicable in both approaches
• A.2.7 Monitoring risk-related events
Annexes. Tables
ISO/IEC 27005:2018:
• Examples of typical threats
• Origin of threats
• Examples of typical vulnerabilities
• Table E.1 — The asset values, and the threat and vulnerability levels
• Table E.2 — Results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact
• Table E.3 — The factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects)
• Table E.3 — Combination of the likelihood of the threat occurring and the ease of exploitation of the vulnerability
• Table E.4 — The intersection of asset value and likelihood value
ISO/IEC 27005:2022:
• Table A.1 — Example of consequence scale
• Table A.2 — Example of likelihood scale
• Table A.3 — Example of qualitative approach to risk criteria
• Table A.4 — Example logarithmic likelihood scale
• Table A.5 — Example logarithmic consequence scale
• Table A.6 — Example of evaluation scale combined with three-colour risk matrix
• Table A.7 — Examples and usual methods of attack
• Table A.8 — Example classification of motivations to express the DES
• Table A.9 — Examples of target objectives
• Table A.10 — Examples of typical threats
• Table A.11 — Examples of typical vulnerabilities
• Table A.12 — Examples of risk scenarios in both approaches
• Table A.13 — Example of risk scenario and monitoring risk-related events relationship
New examples of typical threats
ISO/IEC 27005:2018:
1. Physical damage (6)
2. Natural events (5)
3. Loss of essential services (3)
4. Disturbance due to radiation (3)
5. Compromise of information (11)
6. Technical failures (5)
7. Unauthorized actions (5)
8. Compromise of functions (5)
Total: 43
ISO/IEC 27005:2022:
1. Physical threats (6)
2. Natural threats (6)
3. Infrastructure failures (8)
4. Technical failures (3)
5. Human actions (26)
6. Compromise of functions or services (4)
7. Organizational threats (4)
Total: 56
New risk sources
ISO/IEC 27005:2018 (Annex C, part of the threat examples):
Human threat sources:
1. Hacker, cracker
2. Computer criminal
3. Terrorist
4. Industrial espionage (intelligence, companies, foreign governments, other government interests)
5. Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Table with Motivation and Possible consequences
ISO/IEC 27005:2022 (Table A.7 Examples and usual methods of attack):
Risk source:
1. State-related (states, intelligence agencies)
2. Organized crime (cybercriminal organizations: mafias, gangs, criminal outfits)
3. Terrorist (cyber-terrorists, cyber-militias)
4. Ideological activist (cyber-hacktivists, interest groups, sects)
5. Specialized outfits ("cyber-mercenary")
6. Amateur
7. Avenger
8. Pathological attacker
Qualitative approach (new matrix and scales)
[figure: ISO/IEC 27005:2018 vs ISO/IEC 27005:2022 risk matrices and scales]
Instead of a conclusion:
1. General procedures (Assessment and Treatment) are OK, as usual. :) :)
2. Two approaches: asset-based and event-based (scenarios), finally :)
3. «9. Operation» and «10. Leveraging related ISMS processes» are useful for the ISMS implementation. :) :)
4. Tables «A.10 Examples of typical threats» and «A.11 Examples of typical vulnerabilities», likelihood and consequence scales can be used for inspiration. :)
5. «A.2 Practical techniques» are poorly designed and described. New figures and the examples of scenarios are useless. :( :(
6. ISO 27005:2022 is a very complicated standard and every new version makes it more difficult. :(
In my opinion, the ISACA IT Risk and IRAM2 are much more useful and practical. I recommend using them.
Have you seen my previous presentation?
www.patreon.com/posts/my-presentation-73750394
My ISMS Implementation Toolkit (ISO 27001)
www.patreon.com/posts/47806655