ISO 27005 and ISO 27001

Guest user Created: Jun 25, 2019 Last commented: Jun 25, 2019

Our XYZ is in the process of implementing ISO 27001:2013. However, the XYZ has issued a directive saying that the information security risk management process should be done in accordance with ISO 27005:2011. So, my question is, compared to ISO 27001, what additionally do we need to implement or consider when adhering to ISO 27005:2011?
Expert
Rhand Leal Jun 25, 2019

Answer:

ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

Considering that, if you have already defined a risk assessment and treatment process for your ISMS, then you have to evaluate whether your defined approach is compliant with ISO 27005, and make the proper adjustments. If you have not defined your risk assessment and treatment process yet, then you only need to follow the ISO 27005 recommendations for each step of ISO 27001 clauses 6.1.2 and 6.1.3.

This article will provide you further explanation about implementing risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

If you want to see what a risk management process compliant with ISO 27005 looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
