
New standard will help with information security risk management

ISO has released a new standard: ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management.

This provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.

The new standard is designed to assist the implementation of ISO/IEC 27001, the information security management system standard, which is based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, is important for a complete understanding of ISO/IEC 27005:2008.

The information security risk management process described in ISO/IEC 27005:2008 consists of:

* Context establishment
* Risk assessment
* Risk treatment
* Risk acceptance
* Risk communication, and
* Risk monitoring and review.

However, ISO/IEC 27005:2008 does not prescribe any specific methodology for information security risk management. It is up to the organization to define its own approach, depending, for example, on the scope of the information security management system, the context in which risk management takes place, or the industry sector.

Edward Humphreys, convener of the ISO/IEC working group that developed the standard, comments: “Today, most organizations recognize the critical role that information technology plays in supporting their business objectives and with the advent of the Internet and the prospect of performing business online, IT security has been in the forefront. ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.”

ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, was developed by the joint technical committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

www.iso.org

Date: 20th June 2008 • Region: World • Type: Article • Topic: ISM
Copyright 2008 Portal Publishing Ltd