This course details the guidelines of ISO/IEC 27005:2018 for information security risk management.
The first part of the course includes generic information about information security management in the context of the ISO/IEC 27000 series of international standards, risk management according to ISO 31000 and information security risk management as per ISO/IEC 27005.
A generic presentation of ISO/IEC 27005 follows, including its relationship with ISO/IEC 27001 and its purpose in the context of an ISMS (Information Security Management System).
The next part of the course is dedicated to the context of the risk management process - covering the scope of risk management, its purpose and the constraints that may affect this process. We will also discuss the organization for information security risk management.
The following videos are dedicated to the risk assessment part, beginning with the identification and valuation of assets, followed by the identification of threats and vulnerabilities. Examples of threats and vulnerabilities are provided along the way to facilitate the understanding of the concepts.
The qualitative and quantitative methodologies for risk analysis are presented with examples and followed by a detailed presentation of the risk evaluation step.
Risk treatment is the next part of the course, with a presentation of the options available for treating a risk - avoidance, modification, sharing and retention. Again, the concepts are accompanied by examples to make them easy to understand. In this part of the course we will also discuss the decision to accept risks and the conditions under which that is done.
The final part is about risk communication and consultation and about the need to continually monitor and review the risk management process in order to ensure that it remains relevant and appropriate.