
ISO/IEC 27005:2011 standard now available

ISO has announced that ISO/IEC 27005:2011 is now available. The standard provides a framework for implementing a risk management approach to managing threats to information security management systems.

Information security risks pose a considerable threat to businesses due to the possibility of financial loss or damage, loss of essential network services, or loss of reputation and customer confidence. Risk management is one of the key elements in preventing online fraud, identity theft, damage to websites, loss of personal data and many other information security incidents. Without a solid risk management framework, organizations expose themselves to many types of cyber threats.

ISO/IEC 27005:2011 ‘Information technology – Security techniques – Information security risk management’ describes the information security risk management process and associated actions, and supports the general concepts specified in ISO/IEC 27001:2005.

Edward Humphreys, Convener of the ISO/IEC working group that developed the standard, comments: “ISO/IEC 27005:2011 is an essential standard for those that want to manage their risks effectively and, in particular, to comply with the popular information security management system standard ISO/IEC 27001. Risk management is critical to good business governance, and this standard helps organizations with advice on the why, what and how of managing information security risks in support of their governance objectives.”

In this second edition, the framework outlined in ISO/IEC 27005 has been reviewed and updated to reflect the content of the following risk management documents:

* ISO 31000:2009, Risk management – Principles and guidelines
* ISO/IEC 31010:2009, Risk management – Risk assessment techniques
* ISO Guide 73:2009, Risk management – Vocabulary.

The standard is intended to align closely with ISO 31000:2009, so that organizations can manage their information security risks in the same way they manage their other risks.

ISO/IEC 27005:2011 does not prescribe a specific methodology for information security risk management. It is up to the organization to define its own approach, depending, for example, on the scope of its information security management system, the context in which risk management is carried out, or its industry sector.

Date: 5th August 2011 • Region: World • Type: Article • Topic: Enterprise risk management
