Comparison between ISO 31000 and ISO 27005 risk management processes
by Geraldo Ferreira
Organizations of different sizes and types face both internal and outside influences that can make it uncertain whether or not they will be able to accomplish their objectives. The impact of this uncertainty over a company’s goals is called “risk”. In order to effectively address this issue, two international standards stand out in the risk management space, both of which provide crucial information for performing activities.
The first of these is ISO 31000. With its launch anticipated in October of this year, this norm will serve as a master standard for each and every risk management standard. Because of its general context, it provides overall guidelines to any area of risk management (i.e., finance, engineering, security, among others). Although most organizations already have a defined methodology in place to manage risks, this new standard defines a set of principles that must be followed in order to ensure the effectiveness of risk management. It suggests that companies should continually develop, implement, and improve a framework whose goal is to integrate the process for managing risks associated with governance, strategy, and planning, as well as management, the reporting of data and results, policies, values and culture throughout the entire organization.
The other is ISO 27005. Part of the ISO 27000 since 2008, this standard establishes risk management best practices specifically geared towards risk management for information security, particularly with regards to complying with the requirements of an Information Security Management System (ISMS), as mandated by ABNT NBR ISO/IEC 27001. It establishes that risk management best practices should be defined in accordance with the characteristics of the organization, taking into account the scope of its ISMS, the risk management context, as well as its industry. According to the framework described in this standard for implementing the requirements of ISMS, several different methodologies may be used and different approaches to risk management as it relates to information security may are introduced in the appendix of the document.
Risk Management Best Practices for ISO 31000
Although ISO 31000 depicts the management process more thoroughly, and has differing terms and expressions, both standards address the risk management process in a similar fashion.
According to ISO 31000, organizations typically determine the context and manage risk by identifying it, analyzing it, and subsequently assessing whether the risk should be modified by a strategic approach so as to comply with its risk criteria. Throughout this entire process, these organizations must communicate and consult with stakeholders, while critically monitoring and analyzing the risk and controls that modify it, so as to ensure that no additional risk management approach will be required (see the flow in Figure 1).
Risk Management Best Practices for ISO 27005
As for ISO 27005, risk management as it relates to information security should define the context, evaluate the risks, and address them through a plan, in order to implement the recommendations and decisions. Risk management analyzes the potential events and its consequences prior to deciding what to do and when to do it, so as to reduce risks to an acceptable level. Additionally, the standard includes decisions on the analysis and treatment of risks (illustrated by the two decision points in Figure 2), since risk acceptance activities will ensure that residual risks be explicitly accepted by company management. This is particularly important in situations where control implementation is either omitted or postponed, for example, because of cost.
Although risk management best practices have been developed through time in order to meet specific needs in many areas and industries through the use of distinct methodologies, the adoption of consistent processes within an overarching structure may help ensure that risks are efficiently, effectively, and coherently managed throughout the organization. ISO 31000 is the parent standard, which provides the overall guidelines and principles to manage any type of risk in a systemic, transparent, and reliable manner, within any scope and context; whereas, ISO270005 is the specialized standard that complements the parent by providing the best practices for managing the risks related to information security.