ISO 27005 Risk Management Standard

Let's continue our look at some risk-related frameworks.  ISO, again, this represents the International Organization of Standards. ISO 27005 is the Information Security Management Standard. Now, ISO's 27000 series, those documents numbered in 27000 range focus on cybersecurity. Of course protecting our information while using a standard of risk management is what this particular framework does. What's you're going to notice if you take a look at this, you're going to see a lot in common with NIST 830 and 39. You're going to see that we start out with context establishment.

‍

If you look at NIST 839, you remember we started out with framing, and framing establishing the context. We're going to see these different frameworks use slightly different terms but we're doing the same thing. We're trying to figure out what is significant about our environment that's going to influence how we address risks. Are we required to follow certain laws, regulations? Are we handling extremely high value data? Those are the types of things that we think about in framing, as well as the risk, appetite and tolerance of the organization risk capacity as well. Then once we have a handle on how we as an organization address risks, then we're going to move into risk assessment. Now, in risk assessment I have the two pieces of identification and then risk estimation.

‍

Risk identification is of course, where we look at threats, vulnerabilities, and our assets, and we figure out what risks exist. Then for risk estimation, this is what we've been calling risk analysis in ISACA's approach to risk. Again, it gets tricky because these terms are a little bit different or they're used differently. But here risk estimation, part of the overarching risk analysis, this is where we get a value for the risk. What is the loss potential? Then the next stage risk evaluation is where we compare the potential for loss up against the cost of a countermeasure, and make a good decision for risk response based on cost-benefit analysis. You can see there are four types of risk response. Treat risk, tolerate them, transfer them, terminate.

‍

This is comparable. Treat would be comparable to mitigation or risk reduction. Tolerate would be accept, transfers still the same, and then terminate would be avoid risk. It can be tricky particularly on an example, you're looking at the same ideas with different lingo. Don't get caught up in that. I don't think they're going to get that detailed in ISO 27005. What I would focus on is that ISO 27005 is an International Framework. I would follow the flow of it, but try not to get too tangled up in the different terms. What I would know is what we focused on as far as how risk management is handled within ISACA. Don't let it get too tangled up with these different frameworks.