A new standard has been published on information security risk management, designed to help organisations reach best practice in countering growing threats to business.
ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management and supports the general concepts in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.
Edward Humphreys, convener of the ISO/IEC working group that developed the standard, says that the new standard is designed to assist with the implementation of ISO/IEC 27001, which is based on a formal risk management approach.
“Today, most organisations recognise the critical role that IT plays in supporting their business objectives and, with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organisation and, where appropriate, external parties supporting such activities,” he says.
Disappointingly, ISO/IEC 27005:2008 does not prescribe any specific methodology for information security risk management: it sets out the risk management process (establishing the context, then assessing, treating, accepting, communicating and monitoring risk) but leaves the choice of assessment method open. Humphreys suggests that it is up to organisations themselves to define their approach to risk management, depending, for example, on the scope of the management system, the context of risk and the industry sector.
The standard was developed by the joint technical committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. It costs SFR154 and is available from ISO national member institutes and from ISO Central Secretariat.