ISO/IEC 27005 is a set of standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that provides guidelines and techniques for managing information security risks. ISO/IEC 27005 is designed to assist in the implementation of information security, based on a risk management approach.

ISO/IEC 27005 is part of a larger set of standards in the information security management system (ISMS), the ISO/IEC 27000-series.

In the ISO/IEC 27000 family of standards, it is listed as ISO/IEC 27005 Information security risk management. ISO/IEC 27001 and ISO/IEC 27002 standards serve as the foundation to fully understand ISO/IEC 27005.

The third edition of ISO/IEC 27005 was published in 2018 and the fourth edition is at Draft Stage.


ISO/IEC 27005 is a standard that does not specify or recommend any risk management methods. It involves a steady process that consists of a structured sequence of activities. Some of these structured activities include:

  • Establishing a risk management context.
  • Assessing relevant information quantitatively or qualitatively.
  • Addressing any risks properly.
  • Keeping the stakeholders informed throughout the process.
  • Delivery of products and services in an organised and consistent fashion.
  • Monitoring and reviewing risks, uncertainty treatments, obligations, and criteria; responding to significant changes appropriately.
  • Trade facilitation while complying with regulations and legislation.


Its main objective is to improve Information Security Risk Management (ISMS) in any company or organisation. Additionally, it implies a specific methodology for each information security problem. The ISO/IEC 27005 standard mainly applies to companies, although it is useful for any type of organisation that wants to improve its Information Security Management System (ISMS). Companies and organisations with ISMS problems may focus on the individual factors, such as the actual scope of the ISMS or commercial sector of the industry itself, rather than applying the entire methodology of the standard.


An ISO/IEC 27005 Certificate can be obtained to gain certain benefits. For example, the skills gained from this certification can be used to support the effective implementation of an information security risk management process in an organization. Additionally, the knowledge acquired can be used to responsibly manage an information security risk management process and ensure compliance with legal and regulatory requirements. The certificate can also provide the ability to manage an information security and risk management team, as well as the ability to support an organization to align its ISMS objectives with ISRM process objectives. The Personal Evaluation and Certification Board (PECB) is an organization that provides ISO training.


  1. "BS EN ISO/IEC 27005:2018 – What is ISO/IEC 27005?". Retrieved 7 April 2020.
  2. "BS EN ISO/IEC 27005:2018 – Content of the standard". Retrieved 7 April 2020.
  3. "BS EN ISO/IEC 27005:2018 – Sections of ISO/IEC 27005". Retrieved 7 April 2020.
  4. "BS EN ISO/IEC 27005:2018 – Benefits of Certification". Retrieved 7 April 2020.

External links