ISO/IEC 27005:2011 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.
Effective information security management requires identifying and evaluating the risks that could negatively affect the information processed by the organization. e-risk supports the management of these risks by making it possible to monitor each risk and to evaluate the effectiveness of the protections currently in place. The ability to generate breakdowns and reports facilitates risk analysis and risk management, while at the same time helping to fulfil the requirements of the standard.
Additionally, conducting risk analysis in e-risk allows data from the individual risk analysis iterations to be compared, which makes compliance with the requirements of the standard easy to maintain.