Knowledge Center / ISO 27005
ISO / IEC · Global

ISO/IEC 27005 (Information Security Risk Management)

Guidance for managing information security risk.

Introduction: Why ISO/IEC 27005 Matters

ISO/IEC 27005 is the international standard that provides guidance on information security risk management (ISRM) within the context of an Information Security Management System (ISMS). Where ISO/IEC 27001 mandates that an organisation shall establish, implement and maintain an information security risk assessment and risk treatment process, ISO/IEC 27005 tells you how to actually do it. It is the connective tissue between the high-level 'shall' statements of ISO 27001 Clauses 6.1.2 and 6.1.3 and the operational reality of identifying, analysing, evaluating and treating risk on the ground.

The current edition, ISO/IEC 27005:2022, was substantially rewritten to align with ISO/IEC 27001:2022 and the general risk-management vocabulary and process of ISO 31000:2018. It replaced the 2018 edition and reframed the guidance around two lenses: an event-based approach (starting from strategic scenarios and threat sources) and an asset-based approach (starting from assets, threats and vulnerabilities). Crucially, ISO 27005 is a guidance standard — it is not a certifiable standard in its own right. You do not get 'certified to ISO 27005'; rather, you demonstrate conformance to it as the methodology underpinning your certifiable ISO 27001 ISMS. This distinction shapes every audit and every implementation decision in this guide.

For CyberSigma clients across India, the GCC and global markets, ISO 27005 is the practical engine that makes an ISMS defensible. Regulators (RBI, SEBI, IRDAI, SAMA, DPDP-driven data-protection expectations), customers running third-party risk programmes, and CERT-In empanelled auditors all want to see that risk decisions are repeatable, evidence-backed and traceable — which is exactly what a well-run ISO 27005 process delivers.

Copyright & Licensing Note
ISO/IEC 27005:2022 is a copyrighted standard published jointly by ISO and IEC. The normative text, tables and figures are the intellectual property of ISO/IEC and must be purchased from ISO, IEC, BIS (Bureau of Indian Standards, which adopts it as IS/ISO/IEC 27005) or an authorised national standards body. This guide is an original, independent interpretation written for educational and advisory purposes. It paraphrases concepts and does not reproduce ISO/IEC copyrighted wording, clause text, tables or figures. Always work from a licensed copy of the standard for any formal implementation or audit.

What is ISO/IEC 27005?

ISO/IEC 27005 is a guidance document that describes how to perform information security risk management aligned with the requirements of an ISO/IEC 27001 ISMS. It defines a structured, iterative and repeatable process for handling the risks to the confidentiality, integrity and availability (and related properties such as authenticity, non-repudiation and reliability) of information and information systems.

The standard deliberately does not prescribe a single method, tool or quantitative formula. Instead it provides a framework of activities, inputs, actions and outputs that an organisation tailors to its context, sector, risk appetite and maturity. This flexibility is a strength for practitioners but a challenge for auditors, because conformance is assessed against the organisation's own documented method and against the process discipline described in the standard, not against a rigid checklist of controls.

Core purpose and scope of the standard

  • Provides guidance to support the ISMS risk requirements of ISO/IEC 27001 (Clauses 6.1.2 risk assessment and 6.1.3 risk treatment, plus 8.2 and 8.3 for operational execution).
  • Describes the ISRM process: context establishment, risk assessment (identification, analysis, evaluation), risk treatment, acceptance, and the continual activities of communication/consultation and monitoring/review.
  • Supports both the event-based approach (top-down, scenario and threat-source driven, useful for strategic and cyber-threat risk) and the asset-based approach (bottom-up, asset-threat-vulnerability driven, useful for operational granularity).
  • Aligns terminology and process with ISO 31000:2018 so that information security risk integrates into enterprise risk management (ERM).
  • Is applicable to all organisations regardless of type, size or sector — governmental, commercial, not-for-profit.

What ISO 27005 is NOT

  • It is NOT a certifiable standard — there is no accredited certification against ISO 27005 itself.
  • It is NOT a controls catalogue — that is the role of ISO/IEC 27002 and Annex A of ISO/IEC 27001.
  • It is NOT a prescriptive quantitative methodology — it does not mandate FAIR, OCTAVE, EBIOS or any single technique, though these can all be used to implement it.
  • It does NOT replace ISO 31000 — it specialises ISO 31000's generic risk management for the information security domain.

Who Must Comply / Who Should Use ISO 27005

Because ISO 27005 is guidance rather than a mandate, 'compliance' means adopting it as the methodology behind an ISMS risk process. The following table sets out who typically needs it and why.

Audience / SectorWhy ISO 27005 appliesTrigger / Driver
Organisations pursuing ISO/IEC 27001 certification27001 requires a defined risk assessment and treatment process; 27005 is the recognised methodCertification audit, RFP requirements, customer mandates
Banks, NBFCs and financial institutions (India/GCC)Regulatory risk-management expectations map directly to a documented ISRM processRBI Cyber Security Framework, SEBI CSCRF, SAMA CSF
IT / ITES / SaaS and cloud providersCustomer third-party risk programmes demand demonstrable risk methodologySOC 2, vendor security assessments, DPAs
Healthcare and insuranceSensitive personal and health data require formal risk treatmentIRDAI guidelines, DPDP Act 2023, HIPAA (US clients)
Government and CII / critical infrastructure operatorsNational cyber-resilience obligations require risk-based controlsCERT-In directions, NCIIPC guidelines
Manufacturing / OT / ICS environmentsConvergence of IT and OT risk needs a unifying methodologyIEC 62443 alignment, ISO 27019 for energy
Any organisation with an enterprise risk programmeInformation security risk must feed ERM using consistent criteriaISO 31000 alignment, board risk reporting
Key point on 'compliance'
You cannot be non-compliant with a guidance standard in the legal sense. In practice, an ISO 27001 lead auditor will raise a nonconformity if your risk process is undocumented, inconsistent, not risk-criteria-driven, or not traceable to your Statement of Applicability and risk treatment plan. ISO 27005 is the reference you use to close those gaps.

Structure of ISO/IEC 27005:2022

ISO/IEC 27005:2022 is organised as a set of clauses that mirror the risk management process of ISO 31000, specialised for information security. The core normative guidance sits in Clauses 5 to 12, supported by annexes offering examples of assessment techniques, asset and threat catalogues, and vulnerability examples. The table below maps the clause structure so that both auditors and implementers can navigate the standard.

Clause / AreaTitle (paraphrased)What it covers
Clause 1ScopeApplicability of the ISRM guidance to any organisation
Clause 2Normative referencesReference to ISO/IEC 27000 vocabulary
Clause 3Terms and definitionsRisk, likelihood, consequence, risk owner, risk criteria, residual risk
Clause 4Structure of the documentHow the standard is laid out and how it maps to ISO 31000
Clause 5Information security risk management (overview)The full ISRM process and its relationship to the ISMS
Clause 6Context establishmentOrganisational context, risk criteria, scope and boundaries, roles
Clause 7Information security risk assessmentOverview of identification, analysis and evaluation
Clause 7.2Risk identificationIdentify risks via event-based or asset-based approaches
Clause 7.3Risk analysisDetermine likelihood and consequence; qualitative/quantitative
Clause 7.4Risk evaluationCompare estimated risk against criteria; prioritise
Clause 8Information security risk treatmentSelecting options and controls; risk treatment plan
Clause 8.6Risk acceptanceRisk owners accept residual risk against acceptance criteria
Clause 9OperationPerforming assessment and treatment during operation (ties to 27001 8.2/8.3)
Clause 10Leveraging related ISMS processesCommunication, consultation, monitoring, review, documented info
Annex AExamples of techniquesEvent-based and asset-based methods, scales, matrices
Annex (informative)Assets, threats, vulnerabilities, consequencesIllustrative catalogues to seed identification

The six process activities at a glance

  1. Context establishment — define scope, boundaries, risk criteria, roles and the organisation.
  2. Risk identification — find what could go wrong (events/scenarios or assets/threats/vulnerabilities).
  3. Risk analysis — estimate likelihood and consequence to produce a level of risk.
  4. Risk evaluation — compare against risk criteria and prioritise for treatment.
  5. Risk treatment — select options (modify, retain, avoid, share) and controls; build the treatment plan.
  6. Communication & consultation and Monitoring & review — continual activities that wrap the entire process.

Master Assessment Checklist — Every Process Area & Requirement

This is the operational heart of the guide. Each subsection below corresponds to a clause/activity of ISO/IEC 27005:2022. For each, we enumerate exactly what an auditor should verify and the typical evidence an implementer must be able to produce. Do not skip any activity — a conforming ISRM process must demonstrate all of them, iteratively, and keep them synchronised with the ISO 27001 ISMS artefacts (risk assessment, risk treatment plan and Statement of Applicability).

1. Context Establishment (Clause 6)

What to verifyTypical evidence
Purpose of the ISRM is defined and linked to ISMS objectivesISRM policy/methodology document; ISMS scope statement
Basic risk criteria established: risk acceptance, risk evaluation, impact and likelihood criteriaDocumented risk criteria; acceptance-criteria matrix approved by management
Scope and boundaries of risk management definedScope document listing in-scope business units, processes, sites, information systems
Internal and external context captured (interested parties, obligations, dependencies)Context analysis; stakeholder/interested-party register; legal & regulatory register
Roles and responsibilities for ISRM assigned (risk owners, assessors, approvers)RACI matrix; risk owner assignments; job descriptions
Chosen approach (event-based, asset-based, or hybrid) documented and justifiedMethodology section describing the approach and rationale

2. Risk Assessment Overview (Clause 7.1)

What to verifyTypical evidence
A repeatable, structured risk assessment process is definedDocumented assessment procedure with inputs, actions, outputs
Assessment is performed at planned intervals and on significant changeAssessment schedule; change-triggered assessment records
Assessment produces prioritised, documented results retained as documented informationRisk register/assessment report with dates, owners and versions
Consistency, validity and comparability of results across iterationsUse of consistent scales and criteria; comparison of successive registers

3. Risk Identification (Clause 7.2)

What to verifyTypical evidence
Assets / primary and supporting assets identified (asset-based approach)Asset inventory; classification; owner mapping
Risk sources and threats identified (deliberate, accidental, environmental)Threat catalogue; threat modelling outputs; threat intelligence inputs
Vulnerabilities identified and associated with assets/controlsVulnerability register; VA/PT reports; control-gap analysis
Existing controls identified to avoid double countingControl inventory mapped to ISO 27001 Annex A / SoA
Consequences / impacts identified for CIA and related propertiesBusiness impact analysis; consequence descriptions per scenario
Event-based scenarios (strategic risk scenarios, threat sources, objectives) identified where usedRisk scenario library; strategic scenario workshops minutes

4. Risk Analysis (Clause 7.3)

What to verifyTypical evidence
Likelihood/probability assessed using defined scalesLikelihood scale definitions; scored register entries
Consequence/impact assessed against business, legal, financial, reputational dimensionsImpact scale definitions; scored register entries
Method (qualitative, semi-quantitative or quantitative) applied consistentlyMethodology note; risk matrix or quantitative model (e.g., FAIR)
Level of risk determined for each risk (e.g., likelihood x consequence)Calculated inherent risk scores; heat map
Assumptions, data sources and uncertainty documentedAnalysis worksheets; source references; confidence notes

5. Risk Evaluation (Clause 7.4)

What to verifyTypical evidence
Estimated risk levels compared against documented risk evaluation criteriaEvaluation criteria; register showing comparison outcome
Risks prioritised for treatmentRanked/prioritised risk list; risk appetite thresholds
Decisions to treat, retain, avoid or share recorded per riskTreatment decision column in register; management sign-off
Risks above acceptance threshold flagged for treatmentThreshold breach flags; escalation records

6. Risk Treatment (Clause 8)

What to verifyTypical evidence
Treatment options selected per risk (modify, retain, avoid, share)Treatment plan documenting the chosen option and rationale
Controls determined to modify risk, mapped to ISO 27001 Annex A / ISO 27002Statement of Applicability with justification for inclusion/exclusion
Necessary controls compared against Annex A to confirm none omittedSoA cross-check; gap list
Risk Treatment Plan (RTP) produced with owners, timelines, resourcesApproved RTP; project/action tracker
Residual risk calculated after treatmentRegister showing residual (post-treatment) risk levels
Risk owners approve the RTP and residual riskDocumented approval / e-sign records

7. Risk Acceptance (Clause 8.6)

What to verifyTypical evidence
Residual risks accepted by appropriate risk owners against acceptance criteriaSigned risk acceptance forms; register acceptance column
Risks accepted outside normal criteria documented with justificationException log with rationale and approver seniority
Acceptance decisions time-bound and scheduled for reviewReview dates on accepted risks

8. Operation (Clause 9)

What to verifyTypical evidence
Risk assessment performed operationally at planned intervals (ties to 27001 8.2)Executed assessment records with dates
Risk treatment implemented operationally (ties to 27001 8.3)Implementation evidence for each treatment; control test results
Results retained as documented informationVersion-controlled registers and reports

9. Communication & Consultation (Clause 10)

What to verifyTypical evidence
Risk information communicated to and from stakeholders and decision-makersRisk reports to management; committee minutes; dashboards
Risk owners and interested parties consulted during the processWorkshop attendance; consultation records
Escalation paths for high/critical risk defined and usedEscalation procedure; escalation instances

10. Monitoring & Review (Clause 10)

What to verifyTypical evidence
Risk factors (threats, vulnerabilities, likelihood, consequence, assets) monitored for changeThreat intel feeds; vulnerability scans; asset change logs
Risk management process itself reviewed for continuing suitabilityManagement review minutes; internal audit of ISRM
Register updated following incidents, changes and reviewsChange history in register; post-incident risk updates
Effectiveness of controls monitored and fed back into analysisControl KPI/metrics; control test and audit results

Scoping the Risk Management Programme

Scoping in ISO 27005 must be consistent with the ISMS scope defined for ISO 27001 — but it can be applied at multiple granularities: whole organisation, a single business unit, a product line, a specific system, or a project. A poorly scoped risk assessment is the most common root cause of certification findings, because it produces registers that either miss material risk or drown assessors in irrelevant detail.

Scoping dimensions to define

  • Organisational scope: which legal entities, business units, departments and third parties are included.
  • Geographic scope: which sites, data centres, cloud regions and jurisdictions.
  • Information scope: which information assets and classifications (e.g., PII, PHI, cardholder data, IP).
  • Technology scope: applications, infrastructure, networks, OT/ICS, endpoints, SaaS.
  • Process scope: which business processes and their supporting assets.
  • Approach scope: whether event-based, asset-based or hybrid, and the depth of analysis per tier.

Scoping decisions and their consequences

Scoping decisionImplication for the assessment
Asset-based, full inventoryHigh granularity, high effort; strong evidence but risk of analysis fatigue
Event-based, strategic scenariosLower volume, executive-friendly; may miss operational vulnerabilities
Hybrid (event-based over asset-based)Best coverage; strategic scenarios decomposed into asset-level risks
Exclude a third party from scopeMust be justified and covered by supplier risk clauses; auditor will probe
Narrow single-system scopeFast to certify; limited assurance for enterprise stakeholders

Implementation Approach (Phased)

A defensible ISO 27005 implementation is built in phases, each producing concrete deliverables that feed the next. The phasing below is CyberSigma's recommended path for a first full cycle, after which the process becomes iterative and continual.

Phase 1 — Establish Context & Governance

  • Activities: confirm ISMS scope; define ISRM policy and methodology; set risk criteria (impact, likelihood, evaluation, acceptance); assign risk owners and RACI; select event/asset/hybrid approach.
  • Deliverables: ISRM Methodology document, Risk Criteria matrix, Roles & Responsibilities RACI, approved scope statement.

Phase 2 — Identify Risks

  • Activities: build/refresh asset inventory and classification; identify threats and threat sources; identify vulnerabilities via VA/PT and control-gap review; identify consequences; run scenario workshops for event-based risks.
  • Deliverables: Asset register, Threat catalogue, Vulnerability register, initial risk scenario list.

Phase 3 — Analyse & Evaluate Risks

  • Activities: assign likelihood and consequence using defined scales; compute inherent risk; compare against criteria; prioritise and record treat/retain/avoid/share decisions.
  • Deliverables: populated Risk Register, risk heat map, prioritised treatment candidate list.

Phase 4 — Treat Risks

  • Activities: select treatment options and controls; map controls to ISO 27001 Annex A; build the Statement of Applicability; produce the Risk Treatment Plan with owners and timelines; estimate residual risk.
  • Deliverables: Statement of Applicability, Risk Treatment Plan, residual risk register, control implementation backlog.

Phase 5 — Accept, Communicate & Operationalise

  • Activities: obtain risk-owner acceptance of residual risk; brief management and committees; embed treatment actions into projects and BAU; set up dashboards and reporting.
  • Deliverables: signed risk acceptances, management risk report, operational tracking of treatment actions.

Phase 6 — Monitor, Review & Improve

  • Activities: monitor threats/vulnerabilities/assets for change; review risks after incidents and changes; feed control effectiveness back into analysis; conduct internal audit and management review; plan the next iteration.
  • Deliverables: updated register, management review minutes, internal audit report, continual improvement actions.

Maturity / Capability Model for ISRM

ISO 27005 does not define a maturity model, but assessing the capability of an organisation's risk process is essential for prioritising improvement. CyberSigma uses a five-level capability model (aligned to ISO/IEC 33000 / CMMI style scales) to benchmark ISRM maturity.

LevelNameCharacteristics of the ISRM process
0Incomplete / AbsentNo documented risk process; ad hoc, reactive decisions; no register
1Initial / PerformedRisk assessments happen but are inconsistent, undocumented in method, person-dependent
2Managed / RepeatableDocumented methodology and criteria; register maintained; performed on schedule
3Defined / EstablishedStandardised org-wide process; integrated with ISMS and change management; SoA-linked
4Quantitatively ManagedMetrics and KPIs drive decisions; residual risk trended; semi-quantitative or quantitative analysis
5OptimisingContinual improvement; risk fully integrated with ERM; predictive threat-informed decisions

Using the maturity model

  • Level 2 is the practical minimum to pass an ISO 27001 certification audit.
  • Level 3 is the target for regulated organisations and mature vendor programmes.
  • Levels 4-5 suit financial services, critical infrastructure and organisations reporting risk to boards.
  • Assess each process activity (context, identification, analysis, evaluation, treatment, monitoring) separately — maturity is rarely uniform.

Assessment & Audit Approach

When CyberSigma assesses an organisation's conformance to ISO 27005 (typically as part of an ISO 27001 readiness or certification support engagement), we follow a structured lifecycle. Because ISO 27005 is guidance, the audit tests process discipline and traceability rather than a fixed control set.

  1. Define audit scope and objectives — confirm which ISMS scope and which risk registers are under review.
  2. Review documentation — ISRM methodology, risk criteria, scope, RACI, register, RTP, SoA and acceptance records.
  3. Verify context establishment — confirm criteria are defined, approved and consistently applied.
  4. Trace a sample of risks end-to-end — from identification through analysis, evaluation, treatment, control mapping and acceptance.
  5. Test consistency — confirm scales, criteria and scoring are applied uniformly across the register.
  6. Verify linkage to ISO 27001 artefacts — every SoA control justified by risk; every risk treatment reflected in the RTP.
  7. Interview risk owners and assessors — confirm understanding of their responsibilities and of accepted residual risk.
  8. Examine monitoring and review evidence — schedules, change-triggered updates, incident-driven updates, management review.
  9. Assess maturity and identify gaps — score each activity against the capability model.
  10. Report findings and remediation roadmap — nonconformities, observations, opportunities for improvement with priorities.

Evidence Request List

The following categorised evidence list is what CyberSigma requests at the start of an ISO 27005 conformance assessment. Assembling these in advance dramatically shortens the engagement.

Governance & methodology evidence

  • ISRM policy and documented methodology (event/asset/hybrid).
  • Risk criteria: impact scale, likelihood scale, evaluation criteria, acceptance criteria.
  • ISMS scope statement and boundaries.
  • Roles & responsibilities / RACI and risk owner assignments.

Assessment evidence

  • Asset inventory and classification.
  • Threat catalogue and threat intelligence inputs.
  • Vulnerability register, VA/PT reports and control-gap analyses.
  • Populated risk register with likelihood, consequence and inherent risk scores.
  • Risk scenario library (for event-based approach).

Treatment & acceptance evidence

  • Statement of Applicability with inclusion/exclusion justification.
  • Risk Treatment Plan with owners, timelines and status.
  • Residual risk register.
  • Signed risk acceptance records and exception log.

Monitoring & assurance evidence

  • Assessment and review schedules.
  • Change- and incident-triggered risk update records.
  • Control effectiveness metrics and test results.
  • Management review minutes and internal audit reports covering ISRM.

Roles & Responsibilities

RoleResponsibility in the ISRM process
Top management / BoardApprove risk criteria and appetite; accept high/critical residual risk; provide resources
ISMS Manager / CISOOwn the ISRM methodology; ensure process runs; report risk to management
Risk OwnerAccountable for specific risks; approve treatment and residual risk acceptance
Risk Assessor / AnalystPerform identification, analysis and evaluation; maintain the register
Asset OwnerProvide asset information, classification and impact input
Control OwnerImplement and operate treatment controls; report control effectiveness
Internal AuditIndependently assure the ISRM process and its outputs
Interested parties / StakeholdersProvide context, consultation and consequence inputs

KPIs to Track

  • Percentage of in-scope assets covered by a current risk assessment.
  • Number of open risks above the acceptance threshold (and trend over time).
  • Percentage of risks with an assigned, accountable risk owner.
  • Risk treatment plan completion rate and on-time delivery percentage.
  • Average age of overdue treatment actions.
  • Residual risk trend (aggregate score) quarter over quarter.
  • Percentage of accepted risks reviewed within their scheduled review date.
  • Number of risks updated following incidents or significant changes.
  • Control effectiveness pass rate for treatment controls.
  • Time from risk identification to treatment decision.
  • Percentage of SoA controls traceable to a documented risk.
  • Maturity level score per process activity vs target.

Readiness Checklist

  • ISRM methodology documented and approved by management.
  • Risk criteria (impact, likelihood, evaluation, acceptance) defined and applied consistently.
  • ISMS scope and risk management boundaries clearly defined.
  • Risk owners assigned for every material risk.
  • Asset inventory current, classified and owner-mapped.
  • Threats and vulnerabilities identified with credible sources.
  • Risk register populated with likelihood, consequence and risk levels.
  • Risks evaluated against criteria and prioritised.
  • Treatment options selected and controls mapped to ISO 27001 Annex A.
  • Statement of Applicability complete with justifications.
  • Risk Treatment Plan produced with owners and timelines.
  • Residual risk calculated and formally accepted by risk owners.
  • Communication and escalation paths established and used.
  • Monitoring, review and change-triggered update processes operating.
  • ISRM covered by internal audit and management review.
  • Every SoA control traceable back to a documented risk.

Common Gaps We See

  • Risk register exists but is disconnected from the Statement of Applicability — controls cannot be traced to risks.
  • Risk criteria (especially acceptance criteria) are undefined, so acceptance decisions are inconsistent and undocumented.
  • Assessment is a one-off certification exercise, never refreshed after changes or incidents.
  • Likelihood and consequence scales are applied subjectively without documented definitions.
  • Residual risk is not calculated or not formally accepted by an accountable risk owner.
  • Asset inventory is incomplete, so whole categories of risk (SaaS, OT, shadow IT) are missed.
  • Event-based strategic risks are ignored in favour of a purely asset-based checklist, missing systemic threats.
  • Treatment plans lack owners, timelines or tracking, so actions stall silently.
  • Threat identification relies on stale catalogues with no current threat intelligence.
  • No monitoring of control effectiveness feeding back into re-analysis.
  • Confusion between ISO 27005 (method) and ISO 27002 (controls), leading to a controls-first rather than risk-first approach.
  • Attempting to 'get certified to ISO 27005' — a misunderstanding that surfaces in RFPs and vendor questionnaires.

ISO 27005 Mapped to Other Frameworks

ISO 27005 is the risk-methodology hub that connects to many other frameworks. Understanding these mappings helps organisations reuse a single risk process across multiple compliance obligations.

FrameworkRelationship to ISO 27005Practical mapping
ISO/IEC 27001ISO 27005 implements 27001 risk requirementsClauses 6.1.2/6.1.3/8.2/8.3 satisfied by the ISRM process
ISO/IEC 27002Controls catalogue for treatmentSelected controls populate the Statement of Applicability
ISO 31000Generic risk management parentISO 27005 specialises 31000 for information security
NIST SP 800-30 / RMFUS risk assessment and management guidanceEquivalent process; likelihood-impact analysis maps directly
NIST Cybersecurity FrameworkIdentify function risk assessmentID.RA and ID.RM map to ISO 27005 identification/analysis
EBIOS Risk ManagerEvent-based methodology (ANSSI)A concrete method to implement ISO 27005's event-based approach
FAIRQuantitative risk analysis modelA quantitative technique for the analysis activity
PCI DSSRequires annual risk assessment (Req. 12.3.x)ISO 27005 process satisfies the risk-assessment obligation
RBI / SEBI CSCRF / SAMA CSFRegulatory risk management expectationsISRM process evidences risk-based control selection
IEC 62443 / OT securityOT/ICS risk assessment (TARA)ISO 27005 approach extended to OT assets and safety consequences
How CyberSigma Helps
CyberSigma's CERT-In empanelled auditors and PCI QSAs build defensible, audit-ready ISO/IEC 27005 risk management programmes end to end. We establish your risk criteria and methodology, run asset- and event-based identification workshops, deliver a fully populated risk register and heat map, map treatment controls to your ISO 27001 Statement of Applicability, and produce a board-ready Risk Treatment Plan. Our SigmaGRC platform operationalises the entire lifecycle — asset inventory, threat and vulnerability feeds, register, treatment tracking, residual-risk dashboards and evidence retention — so your process stays continual, not a once-a-year scramble. Whether you are pursuing first-time ISO 27001 certification, satisfying RBI/SEBI/SAMA expectations, or maturing an existing programme from Level 2 to Level 4, we take you from ad hoc to optimising. Talk to CyberSigma to turn ISO 27005 from a document on a shelf into a living, evidence-backed engine for risk-based decisions.

Frequently asked questions

Is ISO 27005 certifiable?
No — it is guidance supporting the risk-management requirements of the certifiable ISO 27001 standard.
Official documents
CyberSigma resources

Need help with ISO 27005?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.