ISO/IEC 27005:2022. Information security risk management
What you'll learn
- What an ISMS (Information Security Management System) is
- How to determine the risk appetite of an organization
- What risk acceptance criteria are and how they can be established
- The different approaches for information security risk identification
- The relationship between threats and vulnerabilities
- How to estimate likelihood and consequences for a risk
- How to calculate a risk level
- Why risks should be owned and who can be a risk owner
- The options for treating information security risks
- Key documents for an ISMS such as SoA and risk treatment plan
Requirements
- Familiarity with the ISO standards on information security management is useful but not mandatory
Description
In today's interconnected world, safeguarding sensitive information is more critical than ever. Join me for this course where we'll discuss in detail the framework for information security risk management proposed by ISO/IEC 27005:2022.
The course covers the guidelines in ISO/IEC 27005 for managing information security risks, applicable to all types of organizations, regardless of size or sector. We will explore the fundamental principles of risk management and their practical application in information security. This internationally recognized standard provides a robust framework for establishing an effective information security risk management process within your organization.
The course is structured into five sections.
- In the first section, we'll discuss information security management and the ISO/IEC 27000 series of international standards, and I will introduce you to ISO/IEC 27005:2022.
- The second section of the course covers context establishment, including how to determine an organization's risk appetite and how to establish criteria for risk acceptance. We'll also discuss the differences between the qualitative and quantitative approaches to defining consequences and likelihood as the constituent elements of risk.
- Then, in the third section, we'll explore risk assessment, starting with risk identification using the two approaches proposed by ISO/IEC 27005:2022: the event-based approach and the asset-based approach. Detailed insights into risk analysis and risk evaluation (the remaining steps of the risk assessment) and the role of risk owners are discussed in this section as well.
- In section four of the course we will cover risk treatment and the most common options for addressing an organization's information security risks. We'll discuss the information security controls in Annex A of ISO/IEC 27001:2022, and I will tell you about some key documents of an ISMS (Information Security Management System), such as the Statement of Applicability (SoA) and the risk treatment plan.
- The last section is dedicated to continual improvement in the risk management process, as well as insights on the certification for organizations and for persons in the context of information security.
By the end of this course, you will have a solid understanding of the information security risk management process, including threat and vulnerability analysis, risk level calculation, and effective risk treatment strategies. Armed with this knowledge, you will be able to implement a successful risk management program, ensuring the confidentiality, integrity, and availability of sensitive data within your organization.
Don't miss this opportunity to enhance your expertise in information security risk management and ISO/IEC 27005:2022. Enroll now and take the next step in protecting your organization's valuable information assets!
Who this course is for:
- Information security officers
- Information security risk managers and analysts
- ISO enthusiasts
- Information security auditors and consultants
Instructor
Who am I?
I’ve been working in the field of standards, auditing, and certification since the early 2000s. Over the years, I’ve contributed to hundreds of projects across various industries and disciplines. Today, I work with RIGCERT, an accredited certification body based in Europe.
What do I do?
I translate the knowledge and best practices from international standards into clear, practical language to help individuals and organizations improve.
What are my interests?
My work spans multiple fields, including quality management, information security, artificial intelligence, risk management, business continuity, occupational health and safety, environmental management, social responsibility, project management and food safety.
How do I teach?
Since launching my first course in 2016, I’ve focused on extracting the core ideas from complex standards and delivering them in a clear, concise format. For some topics, I collaborate with other experts to ensure each course provides maximum value.