Another standard from [[ISO|ISO]] in the 27000 series. This one is entitled "Information security, cybersecurity and privacy protection — Guidance on managing information security risks".
>[!abstract]
>This document provides guidance to assist organizations to:
>- fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
>- perform information security risk management activities, specifically information security risk assessment and treatment.
>
This document is applicable to all organizations, regardless of type, size or sector.
It adopts the risk management model established in [[ISO 31000]], and provides additional guidance on the three main phases in that standard.
## Clauses
### 5: Information security risk management
Much of this builds on [[ISO 31000]]. I'm not sure if there's anything specifically tailored here to information assets, as opposed to other kinds of [[asset]].
### 6: Context establishment
An interesting line here states that 'organisation' can mean specifically a department within an organisation. That is, 'organisation' is fractal: organisations may contain organisations. [It's turtles all the way down.](https://en.wikipedia.org/wiki/Turtles_all_the_way_down) At the same time, this clause demands that organisations understand their risk appetite.
The risk appetite of the IT department cannot possibly be distinct from the wider organisation - can it? It exists to serve the business. If IT owns the servers, it can have a risk appetite for them - but the information [[asset|assets]] on those servers might belong to someone with a different risk appetite.
### 7: [[Information security]] [[risk assessment]] process
A restating here of the identify-analyse-evaluate risk assessment cycle.
## Annex A
### 1: Information security risk criteria
A really interesting deep dive into risk assessment here. One note stood out to me:
>[!quote]
>When designing a risk matrix \[...\] an organisation's risk profile is normally asymmetrical. \[...\] Although a risk matrix that is symmetrical about its low/low to high/high diagonal can seem easy to create and naively acceptable, it is unlikely to represent accurately any organisation's real risk profile, and can therefore yield invalid results.
>
>\- ISO 27005:2022, p. 43
If the scales used are quantitative, and the values represent indices in the same base ($a^x, a^y$), then the function $f(x, y) = x + y$ can be used to calculate risk levels: the product of likelihood $a^x$ and consequence $a^y$ is $a^{x+y}$, so the sum of the indices is the index of the combined value. However, if too large a base is used, analysts may find there are too many risks in the same level. If the base is not the same ($a^x, b^y$) then summing should not be used.
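As an added example (my own code, not anything from the standard), the helper below makes the two points of this annex concrete: summing indices is only valid when both scales share a base, and an organisation's acceptance rule, not the arithmetic, is what makes the matrix asymmetric. The 5x5 scales, base 10, acceptance threshold and "never accept the top consequence band" veto are hypothetical choices for illustration.

```python
# Added example (not from ISO/IEC 27005): a small risk-matrix helper showing
# when summing likelihood and consequence indices is valid, and how an
# organisation's acceptance rule makes the matrix asymmetric.
from collections import Counter


def risk_magnitude(x, y, base_l, base_c):
    """Likelihood base_l**x times consequence base_c**y: the quantity a risk level stands for."""
    return (base_l ** x) * (base_c ** y)


def risk_level_by_sum(x, y, base_l, base_c):
    """Risk level as the index sum x + y.

    Valid only when both scales share one base: a**x * a**y == a**(x + y), so
    the sum of the indices is the index of the product. With different bases
    there is no such identity, so refuse rather than return a misleading number.
    """
    if base_l != base_c:
        raise ValueError("likelihood and consequence scales use different bases; do not sum indices")
    return x + y


def level_histogram(n_likelihood, n_consequence, base=10):
    """Count how many matrix cells land in each summed level (middle levels get crowded)."""
    return Counter(
        risk_level_by_sum(x, y, base, base)
        for x in range(n_likelihood)
        for y in range(n_consequence)
    )


def is_acceptable(x, y, threshold, veto_consequence):
    """Hypothetical acceptance rule: accept levels up to `threshold`, but never
    accept a risk whose consequence index reaches `veto_consequence`, however
    unlikely it is. This is the kind of rule that breaks diagonal symmetry."""
    return risk_level_by_sum(x, y, 10, 10) <= threshold and y < veto_consequence


def is_symmetric(n, threshold, veto_consequence):
    """True only if swapping likelihood and consequence never changes the verdict."""
    return all(
        is_acceptable(x, y, threshold, veto_consequence)
        == is_acceptable(y, x, threshold, veto_consequence)
        for x in range(n)
        for y in range(n)
    )


if __name__ == "__main__":
    print("cells per level:", dict(level_histogram(5, 5)))
    print("frequent/negligible accepted:", is_acceptable(4, 0, 4, 4))
    print("rare/catastrophic accepted:", is_acceptable(0, 4, 4, 4))
    print("matrix symmetric about the diagonal:", is_symmetric(5, 4, 4))
```

With the veto in place, the cell (likelihood 4, consequence 0) is accepted while its mirror (0, 4) is not, which is exactly the asymmetry the quoted passage says a realistic matrix should show; drop the veto and the matrix collapses back to the symmetric, "naively acceptable" form.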