BS EN ISO/IEC 27005:2024
$215.11
Information security, cybersecurity and privacy protection. Guidance on managing information security risks
| Published by | Publication date | Number of pages |
|---|---|---|
| BSI | 2024 | 72 |
PDF Catalog
| PDF page | Title |
|---|---|
| 4 | European foreword |
| 4 | Endorsement notice |
| 7 | Foreword |
| 8 | Introduction |
| 9 | 1 Scope |
| 9 | 2 Normative references |
| 9 | 3 Terms and definitions |
| 9 | 3.1 Terms related to information security risk |
| 13 | 3.2 Terms related to information security risk management |
| 15 | 4 Structure of this document |
| 15 | 5 Information security risk management |
| 15 | 5.1 Information security risk management process |
| 17 | 5.2 Information security risk management cycles |
| 17 | 6 Context establishment |
| 17 | 6.1 Organizational considerations |
| 18 | 6.2 Identifying basic requirements of interested parties |
| 18 | 6.3 Applying risk assessment |
| 19 | 6.4 Establishing and maintaining information security risk criteria |
| 19 | 6.4.1 General |
| 19 | 6.4.2 Risk acceptance criteria |
| 21 | 6.4.3 Criteria for performing information security risk assessments |
| 23 | 6.5 Choosing an appropriate method |
| 24 | 7 Information security risk assessment process |
| 24 | 7.1 General |
| 25 | 7.2 Identifying information security risks |
| 25 | 7.2.1 Identifying and describing information security risks |
| 26 | 7.2.2 Identifying risk owners |
| 27 | 7.3 Analysing information security risks |
| 27 | 7.3.1 General |
| 27 | 7.3.2 Assessing potential consequences |
| 28 | 7.3.3 Assessing likelihood |
| 30 | 7.3.4 Determining the levels of risk |
| 30 | 7.4 Evaluating the information security risks |
| 30 | 7.4.1 Comparing the results of risk analysis with the risk criteria |
| 31 | 7.4.2 Prioritizing the analysed risks for risk treatment |
| 31 | 8 Information security risk treatment process |
| 31 | 8.1 General |
| 31 | 8.2 Selecting appropriate information security risk treatment options |
| 32 | 8.3 Determining all controls that are necessary to implement the information security risk treatment options |
| 35 | 8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A |
| 35 | 8.5 Producing a Statement of Applicability |
| 36 | 8.6 Information security risk treatment plan |
| 36 | 8.6.1 Formulation of the risk treatment plan |
| 37 | 8.6.2 Approval by risk owners |
| 38 | 8.6.3 Acceptance of the residual information security risks |
| 39 | 9 Operation |
| 39 | 9.1 Performing information security risk assessment process |
| 39 | 9.2 Performing information security risk treatment process |
| 40 | 10 Leveraging related ISMS processes |
| 40 | 10.1 Context of the organization |
| 40 | 10.2 Leadership and commitment |
| 41 | 10.3 Communication and consultation |
| 43 | 10.4 Documented information |
| 43 | 10.4.1 General |
| 43 | 10.4.2 Documented information about processes |
| 43 | 10.4.3 Documented information about results |
| 44 | 10.5 Monitoring and review |
| 44 | 10.5.1 General |
| 45 | 10.5.2 Monitoring and reviewing factors influencing risks |
| 46 | 10.6 Management review |
| 46 | 10.7 Corrective action |
| 47 | 10.8 Continual improvement |
| 49 | Annex A (informative) Examples of techniques in support of the risk assessment process |
| 70 | Bibliography |