I am after some help with creating a risk management plan. I have completed the work but have a few questions. The methodology I chose to apply was ISO27005, but I am unclear on whether the risk communication and risk monitoring and review sections are mandatory.
Actually, which parts are mandatory? Another thing I am not clear on is how I am supposed to provide justification for the risk treatment options. Is this something which is necessary under ISO27005?
Please note that ISO 27005 is a supporting standard for ISO 27001, covering security techniques for information security risk management, so it does not have mandatory requirements by itself (i.e., when using only ISO 27005 you can choose only the elements of the standard that suit your needs).
When using it together with ISO 27001, risk communication and risk monitoring and review need to be used to fulfill ISO 27001 requirements from clauses 7.4 - Communication, and 9.1 - Monitoring, measurement, analysis, and evaluation.
Justification for risk treatment options is not a mandatory requirement for ISO 27001 (only justification for applicable controls).
This article will provide you with further explanation about risk assessment:
1. So I could drop ISO27001 and use 27005 on its own? That is something I didn't realize you could do, so I thought it might be acceptable to only include the plan parts in the risk management plan.
Answer: It is not mandatory to use ISO 27001 to use ISO 27005, but if you want to be compliant with ISO 27001 you cannot "drop" it and use 27005 on its own.
2. Is it common to use 27005 without 27001?
Answer: Although ISO 27005 provides a good framework for information security risk management, it is not common to use it without ISO 27001.
3. Sorry, one last thing: is there anywhere quotable in ISO 27005 that says it's acceptable to leave parts out?
It would be useful for me to quote this to justify leaving out those sections as right now I'm just saying the scope of my plan is the plan stage only, but I have nothing to justify this choice.
Answer: Such a quote does not exist in ISO 27005, but since each section covering a step of the risk management process is structured in terms of input, action, implementation guidance, and output, you can justify using only a specific step by defining your scope in terms of the outputs you want.