Question

ISO/IEC 27005 -

Description of the standard (What does it cover?)

The intent of standard (How does it address what it intends to cover?)

How would this standard be applied in a mid-sized organization?

Answer 1

ISO/IEC 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001. The standard provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

The standard is intended to guide organizations about the importance of recording and assessing the risks in a structured sequence of events. The standard does not recommend any specific risk management method. Few activities which the standard suggests the organizations to follow are:

• To establish the scope, compliance obligations, and the risk management method for the organization.
• Assess the relevant information risks involving, assets, threats, controls, and vulnerabilities in case of an incident.
• Prioritize the risks with threat levels
• Keep the stakeholders informed throughout the process with periodic updates
• Monitor the risks on an ongoing basis while responding to significant changes

A mid-sized organization can give the responsibility to individual department managers and conduct a weekly or a monthly risk assessment meeting to bring everyone on the same page. The Risk Register can be discussed and actions can be worked on in the inter-departmental meetings. Every department should identify the risks and assign priority to them.