
New global risk management standard

Jared Heng | July 2, 2008
A leading international standards developer has released its latest risk management guide in the war against information security threats.

SINGAPORE, 2 July 2008 -- Organisations may refer to a new international standard guide in their ongoing fight against information security threats.

Titled 'Information technology - Security techniques - Information security risk management', ISO/IEC 27005:2008, the new standard describes the information security risk management process and relevant actions for organisations.

According to the guide's developer, the International Organization for Standardization (ISO), threats include identity theft, online transactional risks, denial of service attacks, remote spying and others.

The international organisation defines risk as a combination of consequences, like loss of financial assets, essential network services and customer confidence, due to an unwanted event's occurrence.

Complementing related standards

ISO/IEC 27005:2008 supports the general concepts specified in the related standard ISO/IEC 27001:2005, called 'Information technology - Security techniques - Information security management systems - Requirements'.

The international organisation states that knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002:2005 is crucial for a complete understanding of the new standard. ISO/IEC 27002:2005 is the code of practice for information security management.

Risk management process

Information security risk management involves establishing the context, and then assessing, treating, accepting, communicating, monitoring and reviewing risk, ISO says.

However, ISO adds that the new standard does not prescribe any specific methodology for information security risk management. The reason is that an organisation may define its own approach to risk management according to its environment or industry.

Edward Humphreys, convener of the ISO/IEC working group that developed the new standard, says: 'ISO/IEC 27005:2008 is relevant to managers and staff concerned with information security risk management within an organisation and, where appropriate, external parties supporting such activities.'
