TUHH

Qries

What is ISO 27005 ?

ISO 27005 is a supplement to the ISO 27001 standard: it explains strategies and guidelines and is intended to support their successful implementation. The standard is particularly relevant for companies in the information technology sector and for companies with relevant IT processes. ISO 27005 adopts the risk management process defined in ISO 31000 and extends it; the process can be carried out iteratively so that changing parameters are taken into account. ISO 27005 does not prescribe specific methods for IT risk management but deliberately leaves their choice to the organization, which is best placed to assess the scope of the IT systems potentially at risk. For a comprehensive explanation of different methods, please refer to our "Methods and Guidelines" as well as ISO 31010. As in all risk management processes, communication and cooperation between all stakeholders are also of high importance in the context of ISO 27005. [35]

The Process of ISO 27005

The process of the ISO 27005 standard is shown below and includes two decision points. First, the context of a potential risk must be identified and evaluated. At the first decision point, it must be decided whether there is enough information about the risk or whether the risk identification and assessment phase must be repeated. If enough information is available, risk treatment can start; at the second decision point it is then decided whether the risk is considered sufficiently minimized or whether a further iteration of the process must be performed. Finally, risk acceptance is an essential part of the process, since there is always a residual risk, or a conscious decision not to treat a risk (e.g., for cost reasons). [35]
Figure: The ISO 27005 risk management process (own illustration of Figure 2 in [35])
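The loop described above, as an added example that is not part of the TUHH page or of the standard itself: a small Python model of the process with its two decision points and the final acceptance of residual risk. The 1..5 likelihood and impact scale, the evidence threshold and the effect of one treatment step are constructed assumptions; ISO 27005 prescribes none of them and leaves the method to the organization.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    likelihood: int              # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                  # 1 (negligible) .. 5 (severe), constructed scale
    evidence: int                # 0..100: how well the risk is understood
    history: list = field(default_factory=list)

    @property
    def level(self) -> int:      # simple likelihood x impact score (assumption)
        return self.likelihood * self.impact

def assess(risk: Risk, min_evidence: int = 75) -> bool:
    """Risk identification and assessment. Each pass gathers more evidence
    (simulated); decision point 1 passes once the evidence is sufficient."""
    risk.evidence = min(100, risk.evidence + 25)
    risk.history.append(f"assessed (evidence={risk.evidence})")
    return risk.evidence >= min_evidence

def treat(risk: Risk) -> None:
    """One treatment iteration: a control lowers likelihood by one step.
    Impact is untouched, so some residual risk always remains."""
    if risk.likelihood > 1:
        risk.likelihood -= 1
    risk.history.append(f"treated (level={risk.level})")

def run_process(risk: Risk, appetite: int, max_iterations: int = 5) -> dict:
    """ISO 27005 loop: assess until decision point 1 passes, treat until
    decision point 2 (level <= appetite) passes or the iteration budget is
    used up; what remains is accepted, within appetite or as a conscious decision."""
    iterations = 0
    for iterations in range(1, max_iterations + 1):
        if not assess(risk):
            continue                     # decision point 1: back to assessment
        treat(risk)
        if risk.level <= appetite:
            break                        # decision point 2: treatment sufficient
    within = risk.level <= appetite
    risk.history.append(f"accepted residual level {risk.level}"
                        + ("" if within else " (above appetite, conscious decision)"))
    return {"name": risk.name, "residual_level": risk.level,
            "within_appetite": within, "iterations": iterations,
            "steps": risk.history}

if __name__ == "__main__":
    r = Risk("unpatched web server", likelihood=4, impact=4, evidence=25)
    for step in run_process(r, appetite=6)["steps"]:
        print(step)
```

With a small iteration budget the second run below never reaches the appetite, which is exactly the case the text describes: the remaining risk is still accepted, but as a conscious decision.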