ISO/IEC 27005 — Guidance on managing information security risks

ISO/IEC 27005 is a guidance standard helping organizations to establish a process for risk management.

What is ISO/IEC 27005?

ISO/IEC 27005 is a guide to risk management, based on the requirements of the ISO/IEC 27001 standard. The standard provides inspiration for assessing and managing risks related to the organization's information, based on an assessment of the likelihood of occurrence of an incident, together with the impact of the incident on the organization.

ISO/IEC 27005 provides guidance on how to carry out a risk assessment, thus gaining an overview of the organization's threats and vulnerabilities and how risks can be addressed based on the organization's risk acceptance. It provides a range of tools for prioritizing risk, thus contributing to ensuring the optimum level of controls within an organization in relation to the value of the information to be protected.

ISO/IEC 27005 is structured along the lines of the generic risk guidance standard, ISO 31000, in which the risk management process is broken down into a number of different stages; establishing context, identifying risks, risk analysis, risk evaluation and risk treatment. Hence, the standard proposes a process to help the organization establish a more systematic approach to risk management.

As ISO/IEC 27005 suggests, it is important that the risk management process is adaptive and flexible as the risk landscape changes as the organization and the outside world change. Risk management is not a task, but an ongoing process that is to be maintained continually.

Who does the standard cater for?

The standard caters for all types and sizes of organizations, private as well as public, that request a systematic approach to addressing information security risks. The risk management process can be applied at both a strategic and an operational level. It is relevant to everyone who wants to address risk management, whether they merely seek inspiration for their risk management work or they want to build a complete system for the processes. ISO/IEC 27005 has been updated in 2022 and in this connection, focus has been on making the standard as user friendly as possible.

What does it mean that a revised edition of the standard will now be issued?

The new edition of ISO/IEC 27005 is expected to be published in late 2022 or the beginning of 2023. The new edition has been even more closely coupled with the ISO/IEC 27001 management standard in that it provides concrete guidance on and examples on how to meet the risk management requirements set out in 27001. Another new feature of the new edition of 27005 is that a well-known asset-based approach to risk management is supplemented by an incident-based approach. Danish Standards has prepared a white paper reviewing the changes in the new edition of the standard.

Will a Danish version of ISO/IEC 27005 become available?

Yes, the new edition of ISO/IEC 27005 will be translated into Danish. The standard has not been translated into Danish before, but there has been great interest in getting it in Danish. The Danish version is expected to be published in 2023. The process starts as soon as the international version is published.

How does ISO/IEC 27005 connect to other standards?

ISO/IEC 27005 can be used as a source of inspiration for working systematically with risk management for an organization. It can be used with advantage in conjunction with ISO/IEC 27002, which provides guidance to organizations on selecting controls for the implementation of an information security management system (ISMS). ISO/IEC 27002 was updated in 2022 and also a new version of ISO/IEC 27001 is underway in 2022.

New guide for risk management related to cyber and information security is on the way

Danish Standards and the Alexandra Institute are preparing an application guide to help Danish SMEs to focus on and get started with risk management. The guide is based on ISO/IEC 27005, but also takes inspiration from other tools and frameworks based on risk. The guide is expected to become available in early 2023, and will be available from Danish Standards' website.


Berit Aadal
Berit Aadal Chefkonsulent | Chief Consultant
Standardisering | Digital & Bæredygtighed
T: 39 96 62 96





More information

ISO/IEC 27001 Information security management

ISO/IEC 27001

ISO/IEC 27001 Information security management

Owing to increased digitalization, the risk of cyber-attacks and other types of IT crime increases accordingly. Therefore, ISO 27001 on information security is a standard that every company or organization should consider.

ISO/IEC 27002 – Information security controls

ISO/IEC 27002

ISO/IEC 27002 – Information security controls

ISO/IEC 27002 provides guidance on selecting controls for implementing an information security management system.

SoA document – what is a SoA document

Information security

SoA document – what is a SoA document

In the SoA document, the organization selects from a list of possible measures which measures it wants and does not want to implement to address the identified risks.

ISO/IEC 27701 Privacy information management

ISO/IEC 27701

ISO/IEC 27701 Privacy information management

The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.