Important international standards at a glance

Standards are the concentrated expertise of people who have deep knowledge in their industry and understand the requirements of the organizations they represent: manufacturers, suppliers, clients, users, professional associations, and authorities. Based on this shared wealth of experience, norms and requirements are created that help to work more systematically and successfully.

Discover some of the best-known and most widely used standards, as well as those that address current challenges and changes that affect us all.

ISO/IEC 27005:2022 – Information security, cybersecurity and privacy protection – Guidance on managing information security risks

ISO/IEC 27005:2022 is the guideline for information security risk management. It provides structured methods and best practices to systematically identify, assess, and treat risks — the core process of any successful Information Security Management System (ISMS).

The role of ISO/IEC 27005 in the 27000 family:

  • ISO/IEC 27000 → Terminology and overview (What do the terms mean?)

  • ISO/IEC 27001 → Requirements for an ISMS (What must we do?)

  • ISO/IEC 27002 → Practical security controls (How do you implement controls?)

  • ISO/IEC 27005 → Risk management process (How do we identify and treat risks?)

ISO/IEC 27005 is not certifiable — it is a guideline that you use together with ISO/IEC 27001 to build an effective, risk-based ISMS. The standard is based on ISO 31000 (the general risk management standard) and adapts its principles specifically to information security.

What is ISO/IEC 27005:2022?

The Risk Management Process according to ISO/IEC 27005:2022:

The standard describes a 5-step process:

  1. Establish context – Define the framework, risk assessment criteria, and risk acceptance criteria.

  2. Identify risks – Recognize potential threats, vulnerabilities, and scenarios (event-based or asset-based).

  3. Analyze risks – Assess the likelihood and impact of each risk (qualitative, quantitative, semi-quantitative).

  4. Evaluate risks – Compare risks with acceptance criteria and prioritize them.

  5. Treat risks – Decide how to deal with each risk (avoid, reduce, transfer, accept).

Additionally, the standard requires:

  • Communication and consultation – Involve stakeholders throughout the entire process.

  • Monitoring and review – Continuously monitor and adapt risk management.

Benefits for Your Business

Risk management is the heart of every ISMS. ISO/IEC 27001 requires all security controls to be implemented based on risk — but how do you ensure that? ISO/IEC 27005 provides the answer.

Without structured risk management:

  • Organizations waste budget on unimportant controls.

  • Critical risks are overlooked.

  • Security decisions are based on gut feeling, not on facts.

  • Audits fail because risk assessments are insufficient.

With ISO/IEC 27005:

  • Risks are identified systematically and repeatedly.

  • Security investments focus on actual threats.

  • Management can make well-founded decisions.

  • The ISMS becomes more efficient and effective.

Especially important for online service providers:

  • E-learning platforms must manage risks such as data leaks, payment fraud, and platform outages.

  • SaaS providers face risks such as cloud outages, API vulnerabilities, and supply chain attacks.

  • Online coaches and consultants must protect confidential customer data from unauthorized access.

  • E-commerce must secure payment data, customer data, and business secrets.

ISO/IEC 27005 helps these organizations to understand, prioritize, and systematically treat risks.

Summary of the Most Important Benefits

  • Targeted security investments based on actual risks

  • Systematic, repeatable risk management process

  • Fulfillment of risk management requirements of ISO/IEC 27001

  • Well-founded decision-making through transparent risk assessments

  • Proactive identification and treatment of threats

  • Increased resilience and adaptability

  • Trust from customers, partners, and regulatory authorities

  • Flexibly adaptable to any organization

For whom is ISO/IEC 27005:2022 relevant?

ISO/IEC 27005:2022 is relevant for everyone who is building an ISMS or already operating one:

  1. Risk managers and security officers (Performing risk assessments)

  2. CISOs and security teams (Identification and treatment of threats)

  3. IT departments (Assessment of technical risks)

  4. Compliance and audit teams (Proof of risk-based action)

  5. Management and executive board (Strategic decisions based on risk assessments)

  6. Consultants and auditors (Supporting organizations in risk assessments)

  7. Online academies and E-learning platforms (Risks to learner data and platform availability)

  8. SaaS and cloud providers (Risks to cloud infrastructure, APIs, data integrity)

  9. E-commerce and online service providers (Risks to payment data, customer data, business secrets)

  10. Small and medium-sized enterprises (Structured approach to risk management)

How does EAS™ support you with ISO/IEC 27005:2022?

The European Attestation Standard™ (EAS™) aligns with the risk management principles of ISO/IEC 27005:2022 and ensures that your online services and digital offerings are protected on the basis of structured risk assessments — without you necessarily having to be ISO-certified yourself.

By using EAS™ criteria, you can:

  • Build a structured risk management process for your ISMS

  • Systematically identify, analyze, and treat risks

  • Prioritize security investments based on actual threats

  • Fulfill ISO/IEC 27001 requirements for risk-based action

  • Prepare your organization for a future ISO/IEC 27001 certification

  • Build trust among learners, customers, partners, and regulatory authorities

_______________________________________

📌 Learn more: Visit the ISO website or contact an EAS™-certified auditor for a comprehensive consultation on your specific situation.

The Risk Management Process in Detail

1. Establish context

Purpose: Define the framework for risk management. Important questions:

  • What is the scope? (Which systems, data, processes?)

  • Which internal and external factors influence risks? (Compliance requirements, business environment, stakeholders)

  • What are our risk acceptance criteria? (Which risks are acceptable? Which are not?)

  • Who is responsible for which risks? (Risk Ownership)

Result: A well-defined framework within which risks are identified and assessed.

2. Identify risks

Purpose: Recognize potential threats, vulnerabilities, and scenarios. ISO/IEC 27005:2022 offers two approaches:

Event-based approach (scenario-based):

  • Focus on threat scenarios (e.g., "ransomware attack", "DDoS attack", "insider threat").

  • Useful for strategic risk assessments and threat landscapes.

  • Example: "What happens if an employee accidentally downloads malware?"

Asset-based approach (asset-oriented):

  • Focus on specific assets (systems, data, processes).

  • For each asset: Which threats? Which vulnerabilities?

  • Useful for detailed technical risk assessments.

  • Example: "Which risks affect our customer database?"

Organizations can combine both approaches for a comprehensive risk identification.

Result: A list of identified risks with descriptions of threats, vulnerabilities, and affected assets.

3. Analyze risks

Purpose: Assess the likelihood and impact of each risk. ISO/IEC 27005:2022 supports three methods:

Qualitative analysis:

  • Risks are categorized into levels (e.g., "high", "medium", "low").

  • Fast and easy, ideal for smaller organizations.

  • Example: "The risk of a DDoS attack is medium (likelihood) and high (impact)."

Quantitative analysis:

  • Risks are expressed in numerical values (e.g., "expected loss: 50,000 EUR").

  • Precise but demanding — ideal for large organizations or critical assets.

  • Example: "The risk of a data leak has a 5% likelihood and would cost 200,000 EUR."

Semi-quantitative analysis (new in 2022):

  • Combination of qualitative categories and numerical scales.

  • Offers more precision than pure qualitative analysis without the effort of quantitative analysis.

  • Example: "Likelihood: 3 out of 5, Impact: 4 out of 5 → Risk value 12".

Result: An assessed list of risks with likelihood and impact evaluations.

4. Evaluate risks

Purpose: Prioritize risks by comparing them with acceptance criteria. Important questions:

  • Which risks exceed our acceptance threshold?

  • Which risks must be treated immediately?

  • Which risks can be accepted?

Result: A prioritized list of risks that must be treated.

5. Treat risks

Purpose: Decide how to handle each risk. ISO/IEC 27005 describes four risk treatment options:

  1. Risk Modification (Risk Reduction): Implement security controls to reduce likelihood or impact. Example: Introducing multi-factor authentication to prevent unauthorized access.

  2. Risk Avoidance: Stop the activity that causes the risk. Example: Discontinuing the storage of sensitive data in the public cloud.

  3. Risk Sharing (Risk Transfer): Divide or transfer the risk to third parties (e.g., cyber insurance, outsourcing). Example: Taking out cyber insurance against data breaches.

  4. Risk Retention (Risk Acceptance): Consciously accept the risk because the treatment costs exceed the potential damage. Example: A minor risk with minimal impact is accepted.

Important: Risk owners must approve the risk treatment plan and accept residual risks.

Result: A risk treatment plan with selected controls (which must be aligned with ISO/IEC 27001 Annex A) and a Statement of Applicability (SoA).
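The five steps above carried through in code, as an added example that is not part of this page or of the standard itself: a small risk register on the page's 5x5 semi-quantitative scale, evaluated against an assumed acceptance threshold of 6, mapped to the four treatment options, with residual risk that still exceeds the threshold flagged for explicit risk-owner acceptance. The `Risk` class, the threshold, the `expected_loss` helper and the sample entries are all constructed assumptions.

```python
from dataclasses import dataclass
# Acceptance criterion fixed in step 1 (establish context). Assumed value: on the
# 5x5 semi-quantitative scale a risk value of 6 or less is acceptable as it is.
ACCEPT_THRESHOLD = 6

@dataclass
class Risk:
    name: str
    asset: str
    likelihood: int          # 1..5 (semi-quantitative scale from the page's example)
    impact: int              # 1..5
    owner: str               # risk owner who approves the treatment and residual risk
    treatment: str = "retain"      # modify | avoid | share | retain
    residual_likelihood: int = 0   # 0 = unchanged by the treatment
    residual_impact: int = 0
    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be on the 1..5 scale")
    def value(self) -> int:
        # Analyze (semi-quantitative): risk value = likelihood x impact, e.g. 3 x 4 = 12
        return self.likelihood * self.impact
    def residual_value(self) -> int:
        # Risk value after treatment; "avoid" stops the activity, so nothing remains
        if self.treatment == "avoid":
            return 0
        return (self.residual_likelihood or self.likelihood) * (self.residual_impact or self.impact)

def expected_loss(probability: float, cost: float) -> float:
    # Analyze (quantitative): expected loss, e.g. 5% x 200,000 EUR = 10,000 EUR
    return probability * cost

def evaluate(register, threshold=ACCEPT_THRESHOLD):
    # Evaluate: risks above the acceptance criterion, highest risk value first
    return sorted((r for r in register if r.value() > threshold), key=Risk.value, reverse=True)

def treatment_plan(register, threshold=ACCEPT_THRESHOLD):
    # Treat: one plan entry per prioritised risk; residual risk that is still above
    # the criterion is flagged so the risk owner must accept it explicitly
    return [{"risk": r.name, "treatment": r.treatment, "value": r.value(), "owner": r.owner,
             "residual": r.residual_value(), "owner_acceptance_required": r.residual_value() > threshold}
            for r in evaluate(register, threshold)]

# Constructed sample register for an e-learning platform (all values are made up)
REGISTER = [
    Risk("DDoS on learning portal", "web frontend", 3, 4, "CTO", "modify", residual_likelihood=1),
    Risk("Insider leak of learner data", "customer database", 2, 5, "CISO", "share", residual_impact=3),
    Risk("Ransomware on back-office PCs", "office network", 4, 4, "CISO", "modify", residual_likelihood=2),
    Risk("Outdated plugin on marketing blog", "marketing site", 2, 2, "Marketing", "retain"),
]
```

Calling `treatment_plan(REGISTER)` yields three entries (ransomware, DDoS, insider leak); only the ransomware entry, with residual value 8, still needs the owner's explicit acceptance.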

Communication and Consultation

Purpose: Involve stakeholders throughout the entire process.

  • Inform management, teams, and external partners about risks.

  • Gather feedback and ensure all relevant perspectives are considered.

  • Document decisions transparently.

Monitoring and Review

Purpose: Continuously monitor and adapt risk management.

  • Review risk assessments regularly (e.g., annually or upon major changes).

  • Monitor for new threats and vulnerabilities.

  • Adapt risk treatment plans if the business environment changes.

ISO/IEC 27005 distinguishes between two cycles:

  • Strategic cycle: Fundamental changes in the business environment, new assets, new threat landscape → full risk assessment.

  • Operational cycle: Minor changes, new vulnerabilities → partial updates.

Why is ISO/IEC 27005:2022 important?

Risk-based security measures

You only invest in measures that are actually relevant and necessary for your company. This saves costs and maximizes impact.

Systematic, repeatable process

ISO/IEC 27005 offers a proven approach that can be applied consistently — regardless of who performs the risk assessment. Results are comparable and traceable.

Meeting ISO/IEC 27001 requirements

ISO/IEC 27001 requires risk-based action. With ISO/IEC 27005, you can reliably meet this requirement and excel in audits.

Better decision-making at management level

Risk assessments provide management with clear facts: Which threats exist? How likely are they? What do countermeasures cost? Decisions become transparent and well-founded.

Proactive instead of reactive security

Organizations that use ISO/IEC 27005 identify risks before they lead to incidents. This significantly reduces the likelihood of data leaks, outages, and security breaches.

Increased Resilience

Through continuous monitoring and adaptation of risk management, your organization remains resilient — even in the face of changing threats (e.g., new ransomware variants, zero-day exploits).

Trust from Stakeholders

Customers, partners, investors, and regulatory authorities want to see that risks are managed professionally. ISO/IEC 27005 shows that you do this.

Flexibility for organizations of all sizes

The standard does not prescribe a specific method — organizations can choose event-based, asset-based, or hybrid approaches as needed.

Integration with other frameworks

ISO/IEC 27005 can be easily combined with ISO 31000, NIST Risk Management Framework, and other standards.

Connection to Other Standards

ISO/IEC 27005 and ISO/IEC 27001: ISO/IEC 27001 requires risk management — ISO/IEC 27005 explains how to do it. Both standards work hand in hand.

ISO/IEC 27005 and ISO 31000: ISO/IEC 27005 is based on the principles of ISO 31000 (general risk management) and adapts them specifically for information security.

ISO/IEC 27005 and ISO/IEC 27002: After the risk assessment, you select controls from ISO/IEC 27002 to treat risks. ISO/IEC 27005 tells you which controls are necessary — ISO/IEC 27002 tells you how to implement them.

What is new in ISO/IEC 27005:2022?

The 2022 version is a comprehensive revision of the 2018 version:

  • Consolidation: Reduced from 12 clauses and 6 annexes to 10 clauses and 1 annex.

  • New 5-step process: More clearly structured (previously 6 steps).

  • Focus shift: Risk treatment is now part of the Risk Assessment and no longer a separate step.

  • Two approaches to risk identification: Event-based (scenario-oriented) and asset-based (asset-oriented) — organizations can combine both.

  • Closer link with ISO 27001: Statement of Applicability (SoA) is now part of the risk treatment process.

  • Alignment with ISO 31000: Closer adherence to the general risk management standard.