ISO 27005 (Risk Management)
ISO/IEC 27005 is the international standard for information security risk management. It defines the process for risk identification, assessment, treatment, and communication as part of an ISMS in accordance with ISO 27001. ISO 27005 is a methodological guide, not a certifiable standard, and describes how risks are assessed and treated in a structured manner.
ISO/IEC 27005 is the guideline for information security risk management in the context of ISO 27001. While ISO 27001 requires that risks be assessed and addressed, ISO 27005 explains how to carry out this process in a methodologically sound manner.
The ISO 27005 Risk Management Process
1. Context Establishment
- Define the objective of risk management
- Determine the scope: which assets, processes, systems?
- Define risk acceptance criteria (e.g., “Risks with a score > 15 must be treated”)
- Identify stakeholders
2. Risk Assessment
2a. Risk Identification
- Inventory assets
- Identify threats per asset
- Identify vulnerabilities per asset
- Record existing controls
2b. Risk Analysis
- Likelihood: scale 1–5
- Impact: scale 1–5 (Confidentiality/Integrity/Availability)
- Risk Score = Likelihood × Impact
- Inherent Risk (before controls) vs. Residual Risk (after controls)
2c. Risk Evaluation
- Comparison with acceptance criteria
- Prioritization: Which risks to address first?
3. Risk Treatment
Four options:
- Modify (Reduce): Implement controls
- Retain (Accept): Consciously bear the risk (documented!)
- Avoid: Discontinue the risky activity
- Share (Transfer): Insurance, outsourcing
4. Risk Acceptance
- Management approves the residual risk
- Documented and signed
5. Risk Communication and Consultation
- Communicate risks to relevant stakeholders
- Management reporting
6. Risk Monitoring and Review
- Regular review (at least annually)
- Incorporate new threats and vulnerabilities
Risk Analysis Methodology in Practice
Qualitative Risk Analysis (suitable for most SMEs)
Scale of 1–5 for probability and impact; risk value = P × I (1–25).
Risk Register Example:
| ID | Asset | Threat | P | I | Risk | Mitigation |
|---|---|---|---|---|---|---|
| R01 | Production DB | Ransomware | 4 | 5 | 20 CR | Backup, Segmentation, EDR |
| R02 | Email System | Phishing → BEC | 5 | 4 | 20 CR | MFA, Anti-Phishing |
| R03 | VPN Gateway | RCE Vulnerability | 3 | 5 | 15 H | Patch Management |
| R04 | Employee PC | Malware | 5 | 3 | 15 H | EDR, Awareness Training |
| R05 | Cloud Storage | Misconfiguration | 3 | 4 | 12 M | CSPM, Config Review |
| R06 | Website | DDoS | 3 | 2 | 6 L | CDN (accepted) |
P = Probability, I = Impact; CR = Critical (>15), H = High (10–15), M = Medium (5–9), L = Low (<5)
Protection Needs Assessment (according to BSI)
- Normal: Standard protection needs, BSI Basic Protection baseline requirements
- High: Additional measures required
- Very high: Increased requirements, often requiring individual analysis
Example Protection Needs Analysis:
- Asset: Customer database
- Confidentiality: High (GDPR-relevant data)
- Integrity: High (incorrect customer data → damage)
- Availability: Normal (24-hour outage tolerable)
- Result: High → increased protective measures required
Quantitative Risk Analysis (for more mature organizations)
ALE = SLE × ARO
ALE = Annualized Loss Expectancy (expected loss per year)
SLE = Single Loss Expectancy (loss per incident)
ARO = Annualized Rate of Occurrence (expected frequency per year)
Example - Ransomware attack:
- SLE = 150,000 EUR (Recovery + Downtime + Ransom demand)
- ARO = 0.3 (30% probability this year)
- ALE = 150,000 × 0.3 = 45,000 EUR/year
A control measure costs 10,000 EUR/year and reduces ARO to 0.05:
- New ALE: 150,000 × 0.05 = 7,500 EUR
- Savings: 37,500 EUR/year, more than the 10,000 EUR/year control cost → the control is cost-effective
Statement of Applicability (SoA)
The SoA is the central ISO 27001 document and contains the list of all ISO 27001 Annex A controls (93 in the 2022 version).
For each control, the following is recorded:
- Applicable (yes/no)?
- If applicable: how implemented?
- If not applicable: justification
- Link to risk management: which controls address which risks?
SoA Example:
| Control ID | Control Name | Applicable | Status | Implementation | Risk Reference |
|---|---|---|---|---|---|
| A.8.5 | Secure Authentication | Yes | Implemented | MFA for all admin accounts | R02 (Phishing) |
| A.6.7 | Remote Work | Yes | Implemented | VPN, MDM, policy | R04 (Malware) |
| A.5.7 | Threat Intelligence | No | N/A | Too small for dedicated TI | - |
Connection between SoA and Risk Management:
Risk R02 “Phishing → BEC” is addressed by the following controls:
- A.6.3 Information Security Awareness (Phishing Training)
- A.8.5 Secure Authentication (MFA)
- A.5.15 Access Control (Least Privilege)
All three controls are marked as “applicable” in the SoA, and the risk is therefore considered addressed.