ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks

Foreword
Introduction
1 ​Scope
2 ​Normative references
3 ​Terms and definitions
	3.1 ​Terms related to information security risk
	3.2 ​Terms related to information security risk management
4 ​Structure of this document
5 ​Information security risk management
	5.1 ​Information security risk management process
	5.2 ​Information security risk management cycles
6 ​Context establishment
	6.1 ​Organizational considerations
	6.2 ​Identifying basic requirements of interested parties
	6.3 ​Applying risk assessment
	6.4 ​Establishing and maintaining information security risk criteria
		6.4.1 ​General
		6.4.2 ​Risk acceptance criteria
		6.4.3 ​Criteria for performing information security risk assessments
	6.5 ​Choosing an appropriate method
7 ​Information security risk assessment process
	7.1 ​General
	7.2 ​Identifying information security risks
		7.2.1 ​Identifying and describing information security risks
		7.2.2 ​Identifying risk owners
	7.3 ​Analysing information security risks
		7.3.1 ​General
		7.3.2 ​Assessing potential consequences
		7.3.3 ​Assessing likelihood
		7.3.4 ​Determining the levels of risk
	7.4 ​Evaluating the information security risks
		7.4.1 ​Comparing the results of risk analysis with the risk criteria
		7.4.2 ​Prioritizing the analysed risks for risk treatment
8 ​Information security risk treatment process
	8.1 ​General
	8.2 ​Selecting appropriate information security risk treatment options
	8.3 ​Determining all controls that are necessary to implement the information security risk treatment options
	8.4 ​Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A
	8.5 ​Producing a Statement of Applicability
	8.6 ​Information security risk treatment plan
		8.6.1 ​Formulation of the risk treatment plan
		8.6.2 ​Approval by risk owners
		8.6.3 ​Acceptance of the residual information security risks
9 ​Operation
	9.1 ​Performing information security risk assessment process
	9.2 ​Performing information security risk treatment process
10 ​Leveraging related ISMS processes
	10.1 ​Context of the organization
	10.2 ​Leadership and commitment
	10.3 ​Communication and consultation
	10.4 ​Documented information
		10.4.1 ​General
		10.4.2 ​Documented information about processes
		10.4.3 ​Documented information about results
	10.5 ​Monitoring and review
		10.5.1 ​General
		10.5.2 ​Monitoring and reviewing factors influencing risks
	10.6 ​Management review
	10.7 ​Corrective action
	10.8 ​Continual improvement
Annex A (informative) Examples of techniques in support of the risk assessment process
Bibliography