ISO/IEC 27005
Information security risk management on one operating record

ISO/IEC 27005:2022 information security risk management explained

ISO/IEC 27005:2022 (Information security, cybersecurity and privacy protection: Guidance on managing information security risks) is the dedicated ISO standard for information security risk management. It is not a certifiable standard. Instead, it supplies the methodology that satisfies the ISO 27001 clause 6.1.2 (risk assessment) and clause 6.1.3 (risk treatment) requirements, and it sits alongside ISO 31000 as the information-security-specific risk standard most ISO 27001-aligned programmes reference. The 2022 revision aligned the structure with the 2018 revision of ISO 31000 and clarified the relationship to ISO 27001:2022, the event-based and asset-based identification approaches, and the risk treatment option taxonomy.

For GRC owners, ISO 27001 lead auditors, ISMS managers, CISOs, vulnerability management teams, AppSec teams, security engineering teams, security architects, and the internal audit functions that examine the ISMS, ISO/IEC 27005 is the methodology the certification audit reads against when clause 6.1 evidence is requested. Programmes operating against ISO 27001 or planning to certify use 27005 as the underlying assessment process the ISMS produces evidence from. Programmes already operating against ISO 31000 read 27005 as the information-security-specific instantiation that sits inside the ISO 31000 umbrella, and programmes operating against NIST SP 800-30 use 27005 as the deliberately compatible ISO-side counterpart with parallel process structure and similar risk factor decomposition. The methodology is not a replacement for FAIR; FAIR is one of the quantitative methods 27005 accommodates as the analytical approach for the analysis step.

The 27005 process: context, identification, analysis, evaluation, treatment, acceptance

ISO/IEC 27005:2022 organises the risk management process into six sequential steps plus three continuous activities. The steps are sequential in dependency, not in calendar time: monitoring and review feeds the next cycle's context establishment, so the methodology operates as a loop rather than a one-off project. Each step is described in detail in the standard's main clauses.

Continuous activities: communication, recording, monitoring

ISO/IEC 27005:2022 names three activities that run continuously alongside every process step rather than as sequential phases. The continuous activities are where the methodology either becomes operating discipline or collapses into a once-a-year document exercise that no decision references.

Risk identification: event-based and asset-based approaches

The 2022 revision is explicit about the two identification approaches and the choice between them. The standard is approach-agnostic; the context-establishment step names which approach the cycle will use. Mature programmes typically run both and reconcile so neither approach's blind spot truncates the resulting risk set.

Risk treatment options: modify, retain, avoid, share

ISO/IEC 27005:2022 catalogues four treatment options. The choice per risk is recorded in the risk treatment plan with the per-option rationale, the residual risk after treatment, and the named owner. Programmes that default every treatment to modify miss the methodology value the four-option catalogue is meant to add.

CVE, CVSS, EPSS, KEV, and SSVC as 27005 inputs

The vulnerability scoring and prioritisation signals modern programmes already use feed directly into the 27005 identification and analysis steps. The discipline is to treat them as inputs to the methodology rather than as the methodology itself; ISO 27005 adds the threat-source characterisation, the asset and predisposing conditions context, the consequence analysis, and the audience-tailored communication that the vulnerability scores alone do not produce.

• CVSS scores feed the vulnerability factor for technical vulnerabilities the assessment reads against. The Base, Temporal, and Environmental metrics each contribute different signals: Base for the unmitigated severity, Temporal for the current exploit and remediation context, Environmental for the per-system context the ISO 27005 scope is bounded against.
• EPSS estimates feed the likelihood factor for adversarial risk scenarios tied to specific vulnerabilities. EPSS is not the scenario likelihood; it is the probability the vulnerability is exploited within a defined time window, which is one input the analyst combines with the threat source characterisation to estimate the per-scenario likelihood.
• CISA KEV catalogue entries elevate the likelihood factor for the specific vulnerabilities the catalogue lists. KEV is the active-exploitation signal; vulnerabilities on KEV warrant the high or very high likelihood reading regardless of the EPSS estimate, because active exploitation in the wild is observed evidence rather than a probability estimate.
• SSVC decisions feed the risk treatment selection (modify, retain, avoid, share) for the per-vulnerability response. SSVC produces a stakeholder-specific decision (Track, Track*, Attend, Act) for the same input set the ISO 27005 vulnerability factor reads against, and the SSVC output reads as one input into the treatment selection.
• Internal incident history provides the calibration data for the consequence and likelihood estimates the assessment produces. Programmes with a documented incident record validate per-scenario consequence and likelihood against observed events; programmes without an incident record carry higher uncertainty and must reflect that in the confidence the analysis reports against.
• Threat catalogues (Annex of ISO/IEC 27005:2022, MITRE ATT&CK, ENISA threat landscape, vendor and sector ISAC sharing) provide the threat-source characterisation data the identification step reads against. The discipline is to source per-cycle data rather than to carry the prior cycle characterisation forward without re-validation.

27005 next to ISO 27001, ISO 31000, NIST SP 800-30, FAIR, and COSO ERM

ISO/IEC 27005 is the information-security-specific methodology, not the broader risk management framework. The standard sits inside a broader ecosystem with named relationships to the adjacent publications. Mature programmes typically operate several of these standards together; 27005 is the methodology the rest of the ecosystem reads against for the information-security risk question.

• ISO 27001 clauses 6.1.2 and 6.1.3 require a documented information security risk assessment and risk treatment process. ISO/IEC 27005 is the dedicated methodology most ISO 27001 programmes reference to satisfy those clauses, and the per-cycle evidence reads cleanly into the Statement of Applicability and the residual risk acceptance record.
• ISO/IEC 27002 is the control catalogue the modify treatment selects from. The treatment plan reads against the ISO 27002 control set, and the per-control selection feeds the ISO 27001 Statement of Applicability with the per-control rationale.
• ISO 31000 is the enterprise risk management umbrella. ISO/IEC 27005 sits inside the ISO 31000 process structure as the information-security-specific instantiation, with the per-scenario evidence feeding the enterprise risk register the ISO 31000 framework operates against.
• NIST SP 800-30 is the federal-side counterpart to 27005 with parallel process structure and a similar risk factor decomposition. Programmes operating primarily under FISMA, FedRAMP, or CMMC reference 800-30; programmes operating primarily under ISO 27001 reference 27005. The two are deliberately compatible, and the same per-scenario evidence reads cleanly under either methodology with the cross-framework reference recorded once.
• FAIR is the most common operationalisation of the quantitative path within 27005. Programmes requiring board-readable financial expression reference 27005 for the process and FAIR for the analytical method; the FAIR ontology sits underneath the 27005 consequence and likelihood factors.
• COSO ERM consumes 27005 outputs into the enterprise risk portfolio Principles 11 (Assesses Severity of Risk) and 14 (Develops Portfolio View) read against. The per-scenario record produced by 27005 reads cleanly into the portfolio view the audit committee and board approve against.
• NIST AI Risk Management Framework and ISO/IEC 42001 extend the risk question to AI systems with the MEASURE function and the AIMS process reading against 27005-style analytical decomposition for the AI-specific scenarios.
• ISO/IEC 31010 (Risk assessment techniques) is the companion standard that catalogues the analytical techniques (bow-tie, FMEA, HAZOP, scenario analysis, Bayesian analysis, Monte Carlo) the 27005 analysis step selects from. The context-establishment criteria name the techniques the cycle uses, and the analysis output records the per-technique selection.

Recurring failure modes 27005 programmes hit

Programmes that struggle with ISO 27005 typically hit a small set of recurring failure modes. Naming the failure modes upfront lets the programme design the operating model to avoid them rather than discovering them at the certification audit or the residual-risk acceptance defence.

Evidence the methodology expects to see

A defensible 27005 programme produces a stable evidence set per cycle. The same set reads cleanly into ISO 27001 clauses 6.1.2 and 6.1.3, the Statement of Applicability, the residual risk acceptance, and the parallel framework reads (NIST SP 800-30, ISO 31000, COSO ERM, FAIR, SOC 2, PCI DSS, DORA, NIS2, and the regulator-side examinations that consume risk assessment evidence as part of the broader programme review).

• Context establishment record per cycle: external and internal context, scope and boundaries, risk acceptance criteria, impact scale, likelihood scale, evaluation criteria, and organisation for risk management
• Risk register per cycle with the per-scenario record: the threat source, threat event, asset (primary and supporting), vulnerability, predisposing condition, consequence, likelihood, level of risk, treatment, residual risk, and acceptance entries
• Threat catalogue per scope sourced from the ISO/IEC 27005:2022 Annex, MITRE ATT&CK, ENISA threat landscape, sector ISAC sharing, and the internal incident history, with per-cycle refresh evidence
• Vulnerability catalogue per scope sourced from scanner output, audit findings, threat modelling, code scanning, and the internal exception register, with per-cycle refresh evidence
• Risk treatment plan per cycle with per-action owner, control selection from ISO 27001 Annex A (and the Statement of Applicability linkage), milestone, effectiveness measure, and residual risk after treatment
• Residual risk acceptance record per retained risk: the accepting decision-maker, the justification, the conditions of acceptance, the review cadence, and the reassessment triggers
• Communication and consultation log per cycle with the stakeholder engagement record, the per-audience output, the consultation feedback, and the per-decision rationale arising from the exchange
• Monitoring and review record per cycle with the per-trigger reassessment evidence, the input deltas against the prior cycle, the analyst sign-off per refresh, and the impact on the prior risk determinations
• ISO 27001 cross-reference per assessment: the clause 6.1.2 risk assessment evidence, the clause 6.1.3 risk treatment evidence, the Statement of Applicability linkage, the residual risk acceptance evidence the certifier reads against, and the per-control implementation reference

How 27005 reads across enterprise security functions

ISO 27005 is a cross-functional methodology. The same per-scenario record reads differently depending on the function that holds the work. Programmes that run 27005 as a GRC exercise alone lose the engineering depth the inputs require; programmes that run it as an engineering exercise alone lose the governance depth the audience-tailored communication is meant to add. The named functions below own different parts of the same risk record.

Running 27005 on SecPortal

SecPortal is built around the operating record an ISO 27005 programme reads against: the engagement carries the per-cycle assessment lifecycle from context establishment through monitoring, the findings record carries the vulnerability state feeding identification and analysis, the documents area carries the per-cycle artefact set, and the activity log carries the audit trail the certifier reads against. The platform alignment below maps the verified product capabilities to the 27005 process so the methodology is held on one operating record rather than across a separate analytical environment that drifts from the live posture.

• Engagement management as the workspace anchor for the assessment lifecycle, with the per-cycle context establishment, identification, analysis, evaluation, treatment, acceptance, communication, and monitoring tracked as a single engagement rather than as parallel projects that drift apart
• Findings management with CVSS 3.1 calibration so the vulnerability inputs the 27005 assessment reads against carry the same severity vocabulary the scanner intake, the manual finding triage, the exception register, and the remediation SLA record use
• Compliance tracking across ISO 27001, ISO 27002, ISO 31000, NIST SP 800-30, NIST SP 800-37, NIST CSF 2.0, COSO ERM, FAIR, SOC 2, PCI DSS, and the regional regulator frameworks so the 27005 risk determinations feed the parallel framework reads without rebuilding the underlying input set
• Authenticated scanning and external scanning so the vulnerability catalogue feeding the risk identification step carries live posture evidence on the assessed scope rather than a snapshot from the assessment week, with the per-asset coverage record archived per refresh
• Code scanning via Semgrep against connected GitHub, GitLab, and Bitbucket repositories so the AppSec vulnerability inputs feeding application-system risk scenarios read against the live code state rather than against a prior commit
• Document management for the context-establishment record, the risk register, the threat and vulnerability catalogues per scope, the treatment plan, the residual risk acceptance record, the communication log, and the monitoring record so the 27005 evidence package lives on the operating record rather than across a folder hierarchy that drifts from the assessment reality
• Activity log with CSV export so every change to a context entry, a risk scenario, an analyst sign-off, a determined risk level, a treatment selection, an acceptance, or a refresh trigger is reproducible from one source, which is the audit trail the ISO 27001 certifier reads against
• Finding overrides for the per-finding accepted-risk and false-positive entries that feed the risk acceptance record with the per-decision justification, the conditions of acceptance, and the reassessment triggers
• Multi-factor authentication for workspace access so the analyst sign-off, the reviewer counter-signature, and the disposition approval the monitoring record reads against carry the authentication evidence the audit committee expects
• Team management with RBAC so the risk owner role, the analyst role, the reviewer role, the accepting decision-maker role, and the asset owner role the 27005 process names are enforced at the workspace layer rather than at the per-document level
• AI report generation that turns the per-cycle record into the audience-specific outputs the communication step expects: the operating narrative for the risk owner, the residual-position briefing for the executive sponsor, the per-risk acceptance pack for the audit committee, the methodology defence for the certifier, and the cross-clause linkage into the ISO 27001 audit pack
• Retesting workflows paired to the modify treatment commitments arising from the assessment so the verify-after-fix evidence the next monitoring cycle reads against carries the closure record rather than a status statement that has drifted from the operating reality

What SecPortal does not do

SecPortal is the operating record an ISO 27005 programme is held on, not the analytical engine that produces quantitative outputs or the GRC platform that runs the wider risk register across enterprise risk categories. The workspace does not run a built-in Monte Carlo simulation engine, does not maintain a built-in threat intelligence catalogue, does not federate with asset inventory or CMDB systems, does not provide a packaged enterprise risk register editor with quantitative combination logic spanning operational, financial, and strategic risk categories, does not consume real-time CISA KEV or FIRST EPSS feeds through a packaged API, does not auto-route exception approvals through a workflow engine, and does not integrate with GRC platforms (Archer, ServiceNow GRC, Onspring, Hyperproof, OneTrust), ticketing systems (Jira, ServiceNow ITSM), SIEM, or SOAR platforms through packaged connectors. The discipline SecPortal supports is holding the per-cycle context, the per-scenario risk register, the treatment plan, the residual risk acceptance, the communication log, and the monitoring record as workspace evidence the methodology defence reads against; the analytical engine, the external intelligence feeds, and the wider enterprise risk register tooling belong to other systems the programme operates alongside SecPortal.

Related reading on SecPortal

• ISO 27001 clauses 6.1.2 and 6.1.3 read against 27005-aligned assessments as the methodological satisfaction of the risk assessment and risk treatment process requirements.
• ISO/IEC 27002 is the control catalogue the modify treatment selects from and the per-control rationale the Statement of Applicability records.
• ISO 31000 is the enterprise risk management umbrella 27005 operates inside as the information-security-specific instantiation.
• NIST SP 800-30 is the federal-side counterpart with deliberately compatible process structure and a similar risk factor decomposition.
• NIST SP 800-37 (RMF) is the federal operating sequence parallel to ISO 27001 the 800-30 assessment feeds; 27005 plays the same role for the ISO programme.
• FAIR (Factor Analysis of Information Risk) is the most common operationalisation of the quantitative path within 27005.
• COSO ERM consumes 27005 outputs into the enterprise risk portfolio Principles 11 and 14 read against.
• ISO/IEC 42001 extends the information security risk methodology to AI management systems with the AIMS process referencing 27005-style risk decomposition.
• Cybersecurity risk assessment guide covers the wider risk assessment landscape, the methodology comparison, and the operating model that survives the second cycle.
• Cyber risk quantification guide covers the quantitative path within 27005 and the FAIR adoption model that produces the board-readable financial output.
• ISO 27001 audit checklist covers the ISMS audit preparation that consumes the 27005 evidence pack as the clause 6.1 satisfaction.
• Security risk assessment template covers the working template structure programmes use to capture per-scenario 27005 entries in a way that survives the next refresh cycle.
• Risk register template provides the workspace register the per-scenario 27005 entries land in for the per-cycle update and the per-residual-risk acceptance record.
• Risk acceptance form template captures the residual risk acceptance record the 27005 risk acceptance step produces per retained risk.
• Security leadership reporting workflow carries the audience-tailored communication outputs the recording and reporting activity produces for the executive sponsor, audit committee, and board audiences.
• Vulnerability acceptance and exception management carries the per-finding accepted-risk record the 27005 risk acceptance step consumes into the residual risk acceptance evidence.
• Control mapping cross-framework crosswalks carries the per-assessment cross-framework reference that lets 27005 outputs feed parallel framework reads without rebuilding the underlying input set.
• Audit fieldwork evidence request fulfillment carries the certifier read against the per-cycle artefact set during ISO 27001, SOC 2, and regulator-side examinations.
• Asset criticality scoring carries the per-asset criticality input feeding the consequence factor 27005 assessments read against.
• Threat-intelligence-driven prioritisation carries the threat source characterisation input feeding the likelihood factor 27005 assessments read against.
• SecPortal for GRC and compliance teams covers the GRC workspace that holds the cross-framework reconciliation 27005 outputs consume into.
• SecPortal for CISOs covers the executive workspace that holds the 27005 programme alongside the operating record the assessments read against.