
Expert Advice Community

Help: Creating risk management plan under ISO27005

Guest
Paul Created:   Feb 19, 2022 Last commented:   Feb 24, 2022

Hi, I am after some help with creating a risk management plan, I have completed the work but have a few questions. The methodology I chose to apply was ISO27005, but I am unclear on whether the risk communication and risk monitoring review sections are mandatory? Actually which parts are mandatory? Another thing I am not clear on is how I am supposed to provide justification of the risk treatment options. Is this something which is necessary under ISO27005? Thanks
Expert
Rhand Leal Feb 22, 2022

Please note that ISO 27005 is a support standard for ISO 27001, covering security techniques for information security risk management, so it does not have mandatory requirements by itself (i.e., when using only ISO 27005 you can choose only the elements of the standard that suit your needs).  

When using it together with ISO 27001, risk communication and risk monitoring review need to be used to fulfill ISO 27001 requirements from clauses 7.4 – Communication, and 9.1 - Monitoring, measurement, analysis, and evaluation.

Justification for risk treatment options is not a mandatory requirement for ISO 27001 (only justification for applicable controls).  

This article will provide you with a further explanation about risk assessment:

These materials will also help you regarding risk assessment:

Guest
Paul Feb 22, 2022

Hi,

Thanks for the reply.

So I could drop ISO27001 and use 27005 on its own?

That is something I didn't realise you can do, so I thought it might be acceptable to only include the plan parts in the risk management plan.

Is it common to use 27005 without 27001?

Guest
Paul Feb 22, 2022

Sorry one last thing, is there anywhere quotable in ISO 27005 that says it's acceptable to leave parts out?

It would be useful for me to quote this to justify leaving out those sections as right now I'm just saying the scope of my plan is the plan stage only, but I have nothing to justify this choice.

Expert
Rhand Leal Feb 24, 2022

1. So I could drop ISO27001 and use 27005 on its own? That is something I didn't realize you can do, so I thought it might be acceptable to only include the plan parts in the risk management plan.

Answer: It is not mandatory to use ISO 27001 to use ISO 27005, but if you want to be compliant with ISO 27001 you cannot “drop” it and use 27005 on its own.

2. Is it common to use 27005 without 27001?

Answer: Although ISO 27005 provides a good framework for information security risk management, it is not common to use it without ISO 27001.

3. Sorry one last thing, is there anywhere quotable in ISO 27005 that says it's acceptable to leave parts out?

It would be useful for me to quote this to justify leaving out those sections as right now I'm just saying the scope of my plan is the plan stage only, but I have nothing to justify this choice.

Answer: Such a quote does not exist in ISO 27005, but since each section covering the steps of the risk management process is structured in terms of input, action, implementation guidance, and output, you can justify that you are using only a specific step by defining your scope in terms of the outputs you want.
