ISO27005 and the Risk Assessment Process

The information security risk management standard, ISO/IEC 27005:2011, describes the risk management process for information and cyber security. The following article aims to clarify a few of the terms used in the risk assessment process.

The diagram below illustrates the risk assessment process according to ISO27005.


Guide to each element of the process:

Context establishment

The basic objective in establishing the context of risk management is to know the risk appetite, or the level of risk that an organisation is willing to accept.

ISO27005 provides guidelines for establishing this context. The context determines the criteria for information security risk management.  This could include the criteria for defining the impact of specific risks (e.g. damage to the organisation’s reputation, financial loss, legal penalties, etc.), the criteria for estimating what the acceptable level of risk will be, and what the organisation’s objectives are.

An example of risk acceptance criteria could be a risk that may negatively affect productivity for more than one day. This could be considered an unacceptable level of risk.

Risk analysis (risk identification + risk estimation)

Risk identification

Risk identification involves defining things that could cause a loss to an organisation, such as:

  • Information assets (hardware, personnel, processes)
  • Threats (such as cybercrime)
  • Existing and planned security measures (or ‘controls’)
  • Vulnerabilities (such as a firewall)
  • The potential consequences of those risks to the business (data breach).

A risk is usually defined as a threat (fire) combined with a vulnerability (poor fire safety procedures).

Risk estimation

During risk estimation, an assessment of the likelihood of the risk is made. It can made using either qualitative (based around subjective measurements, such as ‘moderate’, ‘severe’, etc.) or quantitative methods (based on absolute measurements, such as a mathematical calculation), or a combination of qualitative and quantitative methodologies.

Following the likelihood calculation, the risk assessor should assign values to the likelihood and consequences of the risk. Consequences may be expressed in terms of monetary, technical or human impact criteria.

The estimated risk is a combination of the likelihood of a risk incident and its consequences (impact). There are generally three values that are allocated to an information asset, one for the loss of each of the CIA properties of an information asset: confidentiality, integrity and availability.

Risk assessment: risk identification + risk estimation + risk evaluation

The risk assessment includes the above two stages for risk analysis, but also includes an additional step, which refers to risk evaluation.  The risk assessment process enables the risk assessor to make decisions while taking the organisation’s objectives into account.

Risk evaluation

In the risk evaluation phase, the level of risk is compared against the risk evaluation criteria and the risk acceptance criteria, which were defined during the context establishment phase.

The risk evaluation compares each level of risk against the risk acceptance criteria and prioritises the list of risks with plans for treating the risks. The risk assessor is usually required to make a decision about how to respond to the risk based on the outcome of the risk evaluation.

Risk response 

During the risk response phase, the risk assessor has to make a decision about the risk and has four options available.  The risk response can be one of the following:

  • Treat (for instance, implementing a policy to mitigate the risk);
  • Tolerate (in this instance, the company may choose to tolerate the risk because the likelihood of the risk occurring is so small that the cost of treating it would outweigh the benefit. For example, an earthquake occurring in a geographic area where earthquakes are uncommon);
  • Transfer (for instance, transferring the risk by investing in an insurance policy to reduce the impact if the risk occurs);
  • Terminate (the company may choose to terminate a risk that is deemed unacceptable and the cost of treating it would outweigh the benefit. An example of such a risk is a legacy system that poses specific risks. The company may choose to do away with the legacy system and thereby eliminate those risks).

Risk communication

Risk communication is required in the risk management process for achieving agreement about how to manage the risks.  Risk communication can be undertaken in discussions between the decision makers and other key stakeholders.

Risk monitoring and review

Risk monitoring is important for detecting any changes in the context of the organisation, and to maintain an overview of the complete risk management process.

vsRisk is the definitive risk assessment software, enabling you to conduct risk assessments using the ISO27005 framework, and facilitating compliance with ISO27001.


ISO/IEC 27005:2011

Information Security Risk Management for ISO27001/ISO27002 – Alan Calder & Steve G Watkins

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.