ISO/IEC 27005:2022 What is new?
Context
After 3 years of effort the new ISO/IEC 27005:2022 is now publicly available. It is the result of a lot of work done by ISO, the co-editors team and all the standardisation/security experts that contributed. I am proud to have been part of this journey as an expert but also as the coordinator of the ISO 27005 taskforce at the French National Body (AFNOR) Cybersecurity committee for JTC1/SC 27 IT Security Techniques.
It is not the first time this standard has undergone revision. A major update was already expected in 2018, but a lack of alignment ended up in a minor update whose only change was the ISO 27001 version being referred to. The major update expected in 2018 is now being published as the 2022 version.
Standard definition
To ensure a common understanding, a standard (French: Norme, German: Norm) is defined here as a technical document designed to be used as a rule, guideline or definition.
It is a consensus-built, repeatable way of doing something.
Standards are created by bringing together all interested parties such as manufacturers, consumers and regulators of a particular material, product, process or service.
Goal: Have a common language and understanding
Framework vs methodology
A framework is a model. It defines a skeleton from which it is possible to realise a concrete implementation. It is a reification, providing a general logic. A methodology is one of the possible instantiations of this abstraction. It is by definition a systematic approach while remaining adaptive to the user’s needs and implementation specificities.
What are the changes? Executive summary
Main changes
The main changes are as follows:
The sections below provide an exhaustive analysis of the changes introduced in the new revision of the standard. Thank you to Adrian Demeter for helping to prepare this detailed analysis.
Standard title
The new title reinforces the relationship between ISO 27001 and ISO 27005. The two standards are highly dependent, as 27005 provides guidance on how to manage the information security risks that ISO 27001 requires to be managed.
Incident scenario vs Risk scenario
ISO 27005:2018 did not use the term risk scenario. Instead it referred to incident scenario.
Section 8.2.6 (2018): "An incident scenario is the description of a threat exploiting a certain vulnerability or set of vulnerabilities in an information security incident (see ISO/IEC 27002:2005, Clause 13). The impact of the incident scenarios is to be determined considering impact criteria defined during the context establishment activity. It may affect one or more assets or part of an asset. Thus assets may have assigned values both for their financial cost and because of the business consequences if they are damaged or compromised. Consequences may be of a temporary nature or may be permanent as in the case of the destruction of an asset."
In ISO 27005:2022 risk scenario is now used instead. It is defined (section 3.1.4) as a "sequence or combination of events (3.1.11) leading from the initial cause to the unwanted consequence (3.1.14)", aligned with ISO 17666:2016, 3.1.13.
Trigger criteria
This element is a new addition to the standard. It provides guidance on when to start an activity (a step of the framework) or when to update it. For example, because of a change within the organization, according to a plan, or after a change in the external context of the organization, the context establishment has to be updated, and the list of primary assets with it.
This helps to keep a dynamic information security risk assessment.
Core document
Note: the section numbers used below do not correspond to the section numbers in the ISO document.
1) Document structure
Risk acceptance and communication were included in “Clause 8: Information security risk treatment process” in the 2018 version, while the 2022 version gives more attention to the ISMS.
Note: in the new ISO 27005:2022, the structure is less aligned with the high level process shown in the next picture.
2) High level process
The high level process in the new ISO 27005:2022 reduces the risk acceptance block to a decision point and adds a dedicated block for documented information.
3) Risk treatment high level process
The new ISO 27005:2022 puts more focus on the iterative character of the process instead of the cyclical one in the previous version.
“Assessing the effectiveness of that treatment” is reworded to “taking further treatment if not acceptable”, which implies that an assessment is included in that step. Additionally, in both versions there is a dedicated block on monitoring and review that includes assessing the effectiveness.
4) Information security risk management cycles (section 5.2)
The new ISO 27005:2022 introduces the need for risk management cycles:
This highlights the need for regular updates of a security risk assessment in order to ensure that it reflects the current situation and threat landscape.
5) Context establishment (section 6)
The context establishment has changed: the new ISO 27005:2022 introduces the stakeholders and the identification of their requirements.
The granularity and depth of information for the criteria are more detailed in the new ISO 27005:2022.
Impact => Consequences (3.1.14)
In order to align with the terminology of ISO 31000 and ISO 27001, the word "impact" has been replaced by "consequence". A consequence is the outcome of an event (3.1.11) affecting objectives.
Severity (7.3.2)
The severity is the level of magnitude of a given consequence.
Security Baseline (6.2)
Before starting a security risk assessment it is essential to define the applicable requirements (contractual, regulatory, internal rules, etc.) and the current statement of compliance, so that the assessment does not spend effort defining or justifying rules that already exist.
6 to 7) Scope and boundaries / Organization of the security risk management
The new ISO 27005:2022 omits the Scope and boundaries section in the Context establishment clause.
The new ISO 27005:2022 defines the need to align the risk management approach and methods with the other risk management approaches and methods used in the organization.
The chosen method should ensure the following properties of its results: consistency, comparability, validity.
It also reduces the organizational topic to general information in section 6.1 Organizational considerations.
8) Risk Identification
Probably one of the biggest changes in this revision. The new ISO 27005:2022 extends risk identification to two approaches. The differences are significant and an entire appendix is dedicated to practical details (section A.2).
Both approaches can be run independently, but at the same time they are complementary. The asset-based approach brings technical detail where the event-based approach brings context to the assessment. A proposed mapping between the two approaches is given in figure A.4.
Event-based approach (7.2.1)
Identify strategic scenarios by considering risk sources and how they use or impact interested parties to reach the risk source’s desired objective. It is a high level assessment focusing on the threat landscape and is mostly appropriate for macroscopic analysis, where the assessment does not enter into architecture details.
This approach is used to define the consequence and severity of a given scenario.
Asset-based approach (7.2.1)
Identify operational scenarios, which are detailed in terms of assets, threats and vulnerabilities. This assessment is an in-depth assessment with a focus on supporting assets at an equipment level of granularity and is based on a precise architecture.
This approach is used to define the likelihood and severity of a given scenario.
9) Risk Analysis
The new ISO 27005:2022 introduces semi-quantitative risk analysis, which uses qualitative scales with assigned values.
10 to 12) Assessing consequences/Likelihood/level of risk
Consequence: the previous ISO 27005:2018 includes the asset valuation information and relates it to the consequences.
The new ISO 27005:2022 uses a more generic description.
Likelihood: the new ISO 27005:2022 extends the implementation guidance and adds three basic sources of assessment uncertainty: personal, methodological, systematic. It also adds considerations to increase the reliability of the likelihood estimate.
Risk level: the new ISO 27002:2022 gives more freedom in the determination of the risk level, treating asset valuation as an option and allowing that the calculation may not be linear.
The figure above (informative annex) provides a mapping between the approaches (section 7.2.1) and the criteria.
13) Risk evaluation
The new ISO 27005:2022 significantly extends the description.
There is an important new statement that the risk owners need to have a good understanding of the risks, as they are accountable for them.
14 to 17) Security risk treatment and Statement of Applicability
Security risk treatment: the wording and the division of the chapter differ significantly.
The core message is consistent in both ISO versions and leads to the risk treatment. The general information is the set of risk treatment options: risk avoidance, modification, retention and sharing. While the previous ISO 27005:2018 details these four options, the new ISO 27005:2022 focuses on the formulation of the risk treatment plan, its approval by the risk owners and the acceptance of the residual risks.
The four risk treatment options that the previous ISO 27005:2018 detailed are no longer given that level of attention in the new ISO 27005:2022; only a high level description is provided.
The new ISO 27005:2022 adds a section on determining all controls that are necessary to implement the information security risk treatment options. This section relates to ISO 27001 and ISMS conformity.
Statement of applicability (SoA): the new ISO 27005:2022 introduces the Statement of applicability of the controls, which contains the necessary controls, justifications, implementation status and justifications for exclusions (sections 8.4 and 8.5).
As part of the risk treatment, in case of risk modification all necessary controls shall be compared with those listed in ISO/IEC 27001 Annex A.
18) Risk acceptance
The previous ISO 27005:2018 uses general wording for accepting risks.
The new ISO 27005:2022 requires that all risks be treated (possibly simply by accepting them) and emphasizes the residual risks. The outcome is the same, but the new ISO 27005:2022 describes risk acceptance in a more structured way.
19 to 20) Communication and consultation / Monitoring and Review
Communication and consultation: the previous ISO 27005:2018 has a chapter dedicated to Communication and consultation, but its content is very brief.
The new ISO 27005:2022 places the Communication and consultation topic under the Leveraging related ISMS processes chapter. It also states that risk communication may be voluntarily forwarded to third parties.
Monitoring and review: both ISO versions give attention to monitoring and review, just structured differently. The new ISO 27005:2022 provides a better structured description. A new concept is introduced as part of this monitoring: monitoring risk-related events.
Monitoring risk-related events (section 10.5.1 and A.2.7)
Also called monitoring scenarios, they are a link to information security incident management (ISO 27035) through its Detection phase. They are a translation of an information security risk scenario into correlation rules from a monitoring perspective (SIEM, etc.). This concept is also explained by a French security risk technical committee (Club EBIOS).
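As an added illustration (not code from the article, ISO or Club EBIOS), the following turns a risk scenario in the 3.1.4 sense, an ordered sequence of events from initial cause to unwanted consequence, into a minimal correlation rule that fires when the events are seen in order within a time window. The scenario, event names and log lines are constructed for the example.

```python
"""Added example: a risk scenario as an ordered event sequence, and the
correlation rule (monitoring scenario) derived from it. Event names, the
log format and the sample logs are constructed for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RiskScenario:
    name: str
    events: list[str]   # ordered event types, initial cause first
    window: timedelta   # max elapsed time from first to last event


# Constructed sample log lines: "<ISO timestamp> <host> <event_type>"
SAMPLE_LOGS = """\
2024-03-01T08:00:05 web01 phishing_mail_opened
2024-03-01T08:04:40 web01 credential_entered_on_fake_page
2024-03-01T08:30:12 vpn01 vpn_login_new_geo
2024-03-01T09:10:00 file01 bulk_file_download
2024-03-01T18:00:00 web02 phishing_mail_opened
"""


def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, event) tuples."""
    rows = []
    for line in text.splitlines():
        ts, host, ev = line.split(" ", 2)
        rows.append((datetime.fromisoformat(ts), host, ev))
    return rows


def correlate(scenario, logs):
    """Return the timestamps of the first complete in-order match, else None.
    Each event must follow the previous one; if the window elapses before
    the sequence completes, matching restarts from the next initial cause."""
    matched = []
    for ts, _host, ev in sorted(logs):
        if matched and ts - matched[0] > scenario.window:
            matched = []  # window elapsed: look for a new initial cause
        if ev == scenario.events[len(matched)]:
            matched.append(ts)
            if len(matched) == len(scenario.events):
                return matched
    return None


# Constructed scenario: credential theft leading to data exfiltration
CREDENTIAL_THEFT = RiskScenario(
    "credential theft leading to data exfiltration",
    ["phishing_mail_opened", "credential_entered_on_fake_page",
     "vpn_login_new_geo", "bulk_file_download"],
    timedelta(hours=2),
)

if __name__ == "__main__":
    print(correlate(CREDENTIAL_THEFT, parse_logs(SAMPLE_LOGS)))
```

A real SIEM rule would add host or user correlation between the events; this block only shows the structural translation from scenario to rule.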
Annexes
There are significant differences in how Annex A is composed.
The previous ISO 27005:2018 uses Annex A to define the scope. The new ISO 27005:2022 provides examples of techniques.
Normative vs Informative
What is the difference between the core document and the annexes? The first is normative (mandatory) and the second is informative (optional).
All the elements presented in the annexes are propositions to the reader, and it is up to the reader whether to use them in their methodology.
Primary asset/Support asset definition
The difference between a primary or business asset and a supporting asset is still informative. This can lead to various interpretations where in some methodologies assets are a mix between supporting and primary and where the assessment is focusing on physical/logical assets rather than the processes and information they carry or support.
- primary/business assets: information or processes of value for an organization;
- supporting assets: components of the information system on which one or several business assets are based.
Desired end state vs Target objectives (A.2.3 b)
A desired end state (DES) is the overall situation or end goal that the risk source wants to reach after the confrontation, while the target objectives can be seen as intermediary steps.
For example, a risk source might target an obstacle to functioning (a consequence on availability) in order to conquer (market shares, etc.).
Ecosystem and interested parties
In an event-based approach, strategic scenarios should be built by analysing the different paths, relevant to the interactions between the organization and its interested parties, that together form an ecosystem which risk sources can use to reach the business assets and their DES (desired end state or target objective). The objective of identifying interested parties is to obtain a clear view of the ecosystem, in order to identify the most vulnerable ones. Ecosystem awareness should be addressed as a preliminary risk study. The figure below shows the identification of the interested parties of the ecosystem.
Conclusion
The new revision of the ISO/IEC 27005 standard strengthens the link with the ISMS (ISO/IEC 27001). By proposing an additional approach (event-based), the framework allows risk scenarios to be captured with a higher level analysis that takes into account the organisation's ecosystem and the relationship between processes and information. Preliminary information security risk assessments are now possible when an architecture is not available.
The addition of the trigger criteria allows an up to date and dynamic assessment to be maintained.
Building AI assistants for AI Governance and Security Compliance (ISO 42001, ISO 27001, DORA, EU AI Act) | Started and running ISMS Copilot and useaisecurely.com | Sharing lessons publicly
11 months: very useful, thanks.
Principal @ Certified Information Security | NIST Cybersecurity Framework & GRC (27K+ LI Connections)
1 year: Great analysis! I am surprised that the significant reduction of detail in asset-based risk assessment wasn't noted. 27005:2022 tossed the 5 narratives of risk identification (assets, threats, vulnerabilities, controls, and consequences) in its move towards event and scenario-based risk assessment. Formerly, each element had its own sub-clause. Now these are all glossed over and seemingly mentioned-in-passing. Personally, I found the extra work performed in these 5 areas to be extremely valuable in understanding how to actually influence future likelihood of an event, rather than simply assessing the consequence/impact to be recorded as the as-is risk level. The formerly detailed risk identification supported better consideration and evaluation of potential controls (e.g., controlling vulnerabilities versus threats). I'm curious as to the reasoning of the reduction of emphasis on solid risk identification. Despite the redaction of the narratives in the body of 27005:2022, the new Annex A gives far better guidance of two of these former 27005:2018 body sub-clauses in 27005:2022's A.2.5.1 - A.2.5.3.
24'900 followers, Freelance Business Consultant & ISO MSS Instructor │ Quality, Environment, OHS, Food Safety, Lean Manufacturing & Warehousing.
2 years: Paul Varela, many thanks for sharing. Great effort, really impressive.
CISM, CRISC & CISSP certified Cybersecurity Enthusiast | IT Risk | Cloud Security | Risk and Compliance | ISMS | ISO27001 | ISO 27005 | NIST CSF | Privacy | PCIDSS | Data Security |
2 years: This is an amazing piece of work. Very well researched and written. Hats off.
Experienced Cyber Security Architect at Thales on integrated and embedded Systems for Airspace Protection
2 years: Bravo and thank you Paul for this summary