Experton Group Weekly IT News

New ISO Information Security Risk Management Standard

By: Cal Braunstein

The International Organization for Standardization announced it has developed and is making available a new ISO standard. The new International Standard ISO/IEC 27005:2008 describes the information security risk management process and associated actions that can help firms manage risks.

Focal Points:

  • ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, provides guidelines for information security risk management and supports the general concepts first developed and specified in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements. The new standard is designed to assist the implementation of ISO/IEC 27001, the information security management system standard, which is based on a risk management approach.
  • The information security risk management process consists of context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review. However, ISO/IEC 27005:2008 does not provide any specific methodology for information security risk management. Each organization must define its own approach to risk management, depending on elements such as the scope of the information security management system.
  • ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management, was developed by the joint technical committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. The standard costs 154 Swiss francs and is available from ISO national member institutes or from the ISO Central Secretariat through the ISO Store.


Experton Group believes threats from information security risks – whether they are accidental, deliberate, man-made, or natural – will continue to increase, as will enterprise vulnerability. Lack of effective information security risk management will expose enterprises to the potential for major financial losses and/or loss of customer confidence. The ISO frameworks, like other frameworks, offer a methodology that companies can use but do not provide the specific processes that are to be implemented. Thus, implementing the framework in a manner that works for the company can involve a major investment of resources and time. IT executives should evaluate frameworks such as those offered by the Federal Financial Institutions Examination Council (FFIEC) and ISO, and implement an information security risk management governance process.

Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperation, investments and mergers.