NF ISO/IEC 27005

NF ISO/IEC 27005

April 2013
Standard Cancelled

Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2011 provides guidelines for information security risk management.It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

See more
View the extract
Main informations

Collections

National standards and national normative documents

Publication date

April 2013

Number of pages

85 p.

Reference

NF ISO/IEC 27005

ICS Codes

03.100.70   Management systems
35.030   IT Security

Classification index

Z74-225

Print number

1 - 15/07/2013

International kinship

ISO/IEC 27005:2011
Sumary
Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2011 provides guidelines for information security risk management.

It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.

ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

Replaced standards (1)
NF ISO/IEC 27005
November 2010
Standard Cancelled
Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

Standard replaced by (1)
NF ISO/IEC 27005
November 2018
Standard Cancelled
Information technology - Security techniques - Information security risk management

This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document. This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.

Table of contents
  • 1 Domaine d'application
    1
  • 2 Références normatives
    1
  • 3 Termes et définitions
    1
  • 4 Structure de la présente Norme internationale
    6
  • 5 Contexte
    6
  • 6 Présentation générale du processus de gestion des risques en sécurité de l'information
    7
  • 7 Établissement du contexte
    11
  • 7.1 Considérations générales
    11
  • 7.2 Critères de base
    12
  • 7.3 Domaine d'application et limites
    13
  • 7.4 Organisation de la gestion des risques en sécurité de l'information
    14
  • 8 Appréciation des risques en sécurité de l'information
    15
  • 8.1 Description générale de l'appréciation des risques en sécurité de l'information
    15
  • 8.2 Identification des risques
    16
  • 8.3 Analyse des risques
    20
  • 8.4 Évaluation des risques
    23
  • 9 Traitement des risques en sécurité de l'information
    24
  • 9.1 Description générale du traitement des risques
    24
  • 9.2 Réduction du risque
    26
  • 9.3 Maintien des risques
    28
  • 9.4 Refus des risques
    28
  • 9.5 Partage des risques
    28
  • 10 Acceptation des risques en sécurité de l'information
    28
  • 11 Communication et concertation relatives aux risques en sécurité de l'information
    29
  • 12 Surveillance et revue du risque en sécurité de l'information
    30
  • 12.1 Surveillance et revue des facteurs de risque
    30
  • 12.2 Surveillance, revue et amélioration de la gestion des risques
    31
  • Annexe A (informative) Définition du domaine d'application et des limites du processus de gestion des risques en sécurité de l'information
    33
  • Annexe B (informative) Identification et valorisation des actifs et appréciation des impacts
    39
  • Annexe C (informative) Exemples de menaces types
    50
  • Annexe D (informative) Vulnérabilités et méthodes d'appréciation des vulnérabilités
    52
  • Annexe E (informative) Approches d'appréciation des risques en sécurité de l'information
    57
  • Annexe F (informative) Contraintes liées à la réduction du risque
    64
  • Annexe G (informative) Différences de définitions entre l'ISO/IEC 27005:2008 et l'ISO/IEC 27005:2011
    66
  • Bibliographie
    77
ZOOM ON ... the Requirements department
To comply with a standard, you need to quickly understand its issues in order to determine its impact on your activity.

The Requirements department helps you quickly locate within the normative text:
- mandatory clauses to satisfy,
- non-essential but useful clauses to know, such as permissions and recommendations.

The identification of these types of clauses is based on the document “ISO / IEC Directives, Part 2 - Principles and rules of structure and drafting of ISO documents ”as well as on a constantly enriched list of verbal forms.

With Requirements, quickly access the main part of the normative text!

With Requirements, quickly access the main part of the normative text!
What is the Redline format?
The Redline + service - standards comparator allows you to easily and simply identify major changes between the current standard and its last canceled version.

At a glance, you will be able to identify the additions, deletions or modifications to a text, table, figure and formula.
At a glance, you will be able to identify the additions, deletions or modifications to a text, table, figure and formula

The Redlines + service is offered to you on the collection of French standards in force, in French language and in HTML and PDF format.

For an overview of the service, click on View a standard in redline format
Need to identify, monitor and decipher standards?

COBAZ is the simple and effective solution to meet the normative needs related to your activity, in France and abroad.

Available by subscription, CObaz is THE modular solution to compose according to your needs today and tomorrow. Quickly discover CObaz!

Request your free, no-obligation live demo

I discover COBAZ