
Welcome to this online course on information security risk management according to the provisions of ISO/IEC 27005:2022
About the three attributes of information security (confidentiality, integrity and availability). About what an ISMS (Information Security Management System) is.
About the standards in the ISO/IEC 27000 series.
About the purpose of ISO/IEC 27005. About the structure of this standard and its revision history.
About the definition of risk. About what risk management is. About the steps of the risk management process.
About the identification of stakeholders for the risk management process. About the risk appetite of an organization.
About the process to establish risk acceptance criteria
About likelihood and consequence as constitutive elements of risk. About establishing a risk level.
The differences between using a qualitative and a quantitative approach to defining potential consequences, with examples to illustrate them.
About the differences between establishing likelihood and calculating a level of risk using a qualitative and a quantitative approach
Details on the requirements for the risk assessment to produce consistent, valid and comparable results
About the method to identify information security risks starting from event scenarios and considering potential attackers, their motivation and ability to act
About the approach to identify information security risks starting from assets and considering the threats and vulnerabilities that may affect them
About who can be a risk owner. About the requirements for risk owners and why it's important to appoint risk owners
About combining consequences and likelihood to calculate a level of risk. About deliberate and accidental risk sources and the difference between them. About the basic sources of assessment uncertainty.
About comparing the calculated level of risk with the risk acceptance criteria to determine those risks that require treatment
About the most common options available to an organization to treat its information security risks: avoidance, modification, sharing and retention
About the security controls from ISO/IEC 27001 with examples and details about their classification
About the classification of controls considering their purpose and when they are to be applied
About the requirements of ISO/IEC 27001:2022 regarding the Statement of Applicability
About the risk treatment plan required by ISO/IEC 27001:2022 as part of an ISMS
About integrating risk management into the organization's operations. About communication and consultation in relation to information security risk management. About evaluating the information security performance of an organization
Suggestions for continually improving the information security risk management process.
About the certification of organizations and persons in the context of information security risk management
Thank you for taking this course!
In today's interconnected world, safeguarding sensitive information is more critical than ever. Join me for this course where we'll discuss in detail the framework for information security risk management proposed by ISO/IEC 27005:2022.
The course covers the guidelines in ISO/IEC 27005 for managing information security risks, applicable to all types of organizations, regardless of size or sector. We will explore the fundamental principles of risk management and its practical application in information security. This internationally recognized standard provides a robust framework for establishing an effective risk management system within your organization.
The course is structured into five sections.
- In the first section, we'll discuss information security management and the ISO/IEC 27000 series of international standards, and I will introduce you to ISO/IEC 27005:2022.
- The second section of the course covers context establishment, including the risk appetite of an organization or how to establish criteria for risk acceptance. We'll also discuss the differences between the qualitative and quantitative approaches to defining consequences and likelihood as constitutive elements of risk.
- Then, in the third section, we'll explore risk assessment including risk identification, using the approaches proposed by ISO/IEC 27005:2022, the event-based approach and the asset-based approach. Detailed insights into risk analysis, risk evaluation (as steps of the risk assessment) and the role of risk owners are discussed in this section as well.
- In section four of the course we will cover risk treatment and the most common options available to an organization to address its information security risks. We'll discuss the information security controls from ISO/IEC 27001:2022, and I will tell you about some key documents of an ISMS (Information Security Management System), such as the Statement of Applicability (SoA) and the risk treatment plan.
- The last section is dedicated to continual improvement in the risk management process, as well as insights on the certification for organizations and for persons in the context of information security.
By the end of this course, you will have a solid understanding of the information security risk management process, including threat and vulnerability analysis, risk level calculation, and effective risk treatment strategies. Armed with this knowledge, you will be able to implement a successful risk management program, ensuring the confidentiality, integrity, and availability of sensitive data within your organization.
Don't miss this opportunity to enhance your expertise in information security risk management and ISO/IEC 27005:2022. Enroll now and take the next step in protecting your organization's valuable information assets!