Standard
Track updates
AS/NZS ISO/IEC 27005:2024
[Current]Information security, cybersecurity and privacy protection - Guidance on managing information security risks
AS NZS ISO/IEC 27005:2024 identically adopts ISO/IEC 27005:2022, which provides guidance to organizations for fulfilling the requirements of AS/NZS ISO/IEC 27001 concerning actions to address information security risks, and performing information security risk assessment and treatment
Published: 22/11/2024
Pages: 62
Table of contents
Cited references
Content history
Table of contents
Header
About this publication
Preface
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycles
6 Context establishment
6.1 Organizational considerations
6.2 Identifying basic requirements of interested parties
6.3 Applying risk assessment
6.4 Establishing and maintaining information security risk criteria
6.4.1 General
6.4.2 Risk acceptance criteria
6.4.3 Criteria for performing information security risk assessments
6.4.3.1 General
6.4.3.2 Consequence criteria
6.4.3.3 Likelihood criteria
6.4.3.4 Criteria for determining the level of risk
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Identifying information security risks
7.2.1 Identifying and describing information security risks
7.2.2 Identifying risk owners
7.3 Analysing information security risks
7.3.1 General
7.3.2 Assessing potential consequences
7.3.3 Assessing likelihood
7.3.4 Determining the levels of risk
7.4 Evaluating the information security risks
7.4.1 Comparing the results of risk analysis with the risk criteria
7.4.2 Prioritizing the analysed risks for risk treatment
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
8.6.1 Formulation of the risk treatment plan
8.6.2 Approval by risk owners
8.6.3 Acceptance of the residual information security risks
9 Operation
9.1 Performing information security risk assessment process
9.2 Performing information security risk treatment process
10 Leveraging related ISMS processes
10.1 Context of the organization
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.4.1 General
10.4.2 Documented information about processes
10.4.3 Documented information about results
10.5 Monitoring and review
10.5.1 General
10.5.2 Monitoring and reviewing factors influencing risks
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A
A.1 Information security risk criteria
A.1.1 Criteria related to risk assessment
A.1.1.1 Risk assessment general considerations
A.1.1.2 Qualitative approach
A.1.1.2.1 Consequences scale
A.1.1.2.2 Likelihood scale
A.1.1.2.3 Level of risk
A.1.1.3 Quantitative approach
A.1.1.3.1 Finite scales
A.1.2 Risk acceptance criteria
A.2 Practical techniques
A.2.1 Information security risk components
A.2.2 Assets
A.2.3 Risk sources and desired end state
A.2.4 Event-based approach
A.2.4.1 Ecosystem
A.2.4.2 Strategic scenarios
A.2.5 Asset-based approach
A.2.5.1 Examples of threats
A.2.5.2 Examples of vulnerabilities
A.2.5.3 Methods for assessment of technical vulnerabilities
A.2.5.4 Operational scenarios
A.2.6 Examples of scenarios applicable in both approaches
A.2.7 Monitoring risk-related events
Bibliography
Cited references in this standard
Content history
[Current]
[Superseded]
DR AS/NZS ISO/IEC 27005:2024
One-time Purchase
Access via web browser on any device
One-time purchase
Single publication
Offline access via PDF^
$230.66 AUD
Inclusive of GSTFormat *
Web Reader
Licenses *
1 user
Total$230.66 AUD
IMPORTANT