Help: Creating risk management plan under ISO27005
Please note that ISO 27005 is a support standard for ISO 27001, covering security techniques for information security risk management, so it does not have mandatory requirements by itself (i.e., when using only ISO 27005 you can choose only the elements of the standard that suit your needs).
When using it together with ISO 27001, risk communication and risk monitoring review need to be used to fulfill ISO 27001 requirements from clauses 7.4 - Communication, and 9.1 - Monitoring, measurement, analysis, and evaluation.
Justification for risk treatment options is not a mandatory requirement for ISO 27001 (only justification for applicable controls).
This article will provide you with further explanation about risk assessment:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
Hi,
Thanks for the reply.
So I could drop ISO27001 and use 27005 on its own?
That is something I didn't realise you can do, so I thought it might be acceptable to only include the plan parts in the risk management plan.
Is it common to use 27005 without 27001?
Sorry, one last thing: is there anywhere quotable in ISO 27005 that says it's acceptable to leave parts out?
It would be useful for me to quote this to justify leaving out those sections as right now I'm just saying the scope of my plan is the plan stage only, but I have nothing to justify this choice.
1. So I could drop ISO27001 and use 27005 on its own? That is something I didn't realize you can do, so I thought it might be acceptable to only include the plan parts in the risk management plan.
Answer: It is not mandatory to use ISO 27001 to use ISO 27005, but if you want to be compliant with ISO 27001 you cannot “drop” it and use 27005 on its own.
2. Is it common to use 27005 without 27001?
Answer: Although ISO 27005 provides a good framework for information security risk management, it is not common to use it without ISO 27001.
3. Sorry one last thing, is there anywhere quotable in ISO 27005 that says it's acceptable to leave parts out?
It would be useful for me to quote this to justify leaving out those sections as right now I'm just saying the scope of my plan is the plan stage only, but I have nothing to justify this choice.
Answer: Such a quote does not exist in ISO 27005, but since each section covering steps of the risk management process is structured considering input, action, implementation guidance, and output, you can justify that you are using only a specific step by defining your scope in terms of the outputs you want.
Feb 24, 2022