INTRODUCTION
Information security risk management, as proposed by this standard, goes beyond individual controls such as passwords, firewalls, filters and encryption. Its comprehensive approach, currently part of the growing ISO/IEC 27000 family of standards on information security management systems, helps businesses take a structured approach to managing information security risks. It is a supportive standard that provides guidelines.
However, the standard does not go into the detail of giving strict specifications and recommendations, nor does it name any specific risk analysis method, although it does specify rigorous processes that organizations should undertake in order to create a risk treatment plan.

Organizations of any size and type can benefit from this standard by engaging in a comprehensive and systematic process of prevention, protection, preparation and mitigation. Simply drafting a response plan that anticipates and minimizes the consequences of information security incidents is no longer sufficient; organizations also need to take adaptive and proactive measures to reduce the probability of such an event occurring.
An effective information security risk management process, as recommended by ISO/IEC 27005, is key to a successful ISMS, since the ISO/IEC 27000 series is deliberately risk-aligned: organizations must first assess their risks before drawing up management and risk treatment plans.
ISO/IEC 27005 was developed to help organizations improve their information security risk management and minimize the risk of business disruption.
The information security risk management process can be applied to part of an organization (e.g. a department, a physical location or a service), to the organization as a whole, and to any information system. The approach to information security risk management must be systematic in order to be effective, and it should be aligned with the overall objectives of the organization.