Understanding the Differences Between ISO 27005:2018 and ISO 27005:2022

Wondering what the differences are between ISO 27005:2018 and ISO 27005:2022? Keep reading for a list of key changes you should know.

by Rick Stevenson

February 24, 2023

The changes that the International Organization for Standardization (ISO) made in its recently published ISO 27001:2022 created a ripple effect across the 27000-series. 

Since ISO 27001:2022 is the foundation upon which ISO 27002:2022 and ISO 27005:2022 rest, ISO updated these publications to reflect its evolving approach to evaluating and managing information security risk.

Although the primary underpinnings of risk analysis and treatment remain the same, you should understand a few key differences between ISO 27005:2018 and ISO 27005:2022. 

What is ISO 27005:2022?

The ISO 27005 publication assists organizations that seek to comply with ISO 27001:2022 by providing guidance on how to perform information security risk management activities. Specifically, ISO 27005 enables organizations of all types, sizes, and industry verticals to carry out the information security risk assessment and treatment process.

What Are the Primary Differences Between ISO 27005:2018 and ISO 27005:2022?

A quick glance at the publication’s table of contents gives you insight into the changes. Although 10 pages longer than its predecessor, ISO 27005:2022 is divided into 10 clauses and one Annex, compared to ISO 27005:2018’s 12 clauses and 6 Annexes.

Most of the changes focus on aligning ISO 27005’s terminology, structure, and guidance text to the updated ISO 27001:2022 document. However, if you’ve been through the ISO compliance process in the past, you should note the following larger changes:

  • Introduction of risk scenario concepts

  • Difference between event-based and asset-based risk identification approaches

What is a Risk Scenario?

ISO 27005:2022 defines a risk scenario as a sequence or combination of events that lead from an initial cause to an unwanted consequence. 

An event is an occurrence or change to a set of circumstances that can:

  • Be expected but not happen.

  • Be unexpected and happen.

  • Have more than one occurrence, cause, or consequence.

A consequence is the outcome of an event, affecting objectives that can:

  • Be certain or uncertain.

  • Have positive or negative effects.

  • Directly or indirectly affect objectives.

  • Be expressed qualitatively or quantitatively.

  • Escalate through cascading and cumulative effects.

What Are Event-Based and Asset-Based Risk Identification Processes?

Although ISO 27005:2022 discusses the two risk identification approaches separately, it also points out that they complement each other.

Event-Based Risk Identification

An event-based risk identification approach evaluates events and consequences by:

  • Identifying strategic scenarios.

  • Considering risk sources.

  • Reviewing how risk sources use or impact interested parties.

  • Understanding how interested parties reach their objectives.

Asset-Based Risk Identification

An asset-based approach evaluates operational scenarios by inspecting assets, threats, and vulnerabilities to identify and assess risks by considering:

  • Primary assets by type and priority.

  • Supporting assets by type and priority.

  • Dependencies between primary and supporting assets.

  • Interactions between assets, their risk sources, and the organization’s interested parties.

Combining Event-Based and Asset-Based Processes

The different risk identification processes focus on different basic requirements for the interested parties. Interested parties are defined as internal or external people who perform or are involved in information security risk management, including information security management system (ISMS) professionals and risk owners. 

Organizations can use both approaches to describe the same risk scenario from different perspectives. Consider a risk scenario where malicious actors gain access to personally identifiable information using a stolen password. 

  • Event-based approach: reviews, at a high level, the consequences the scenario would have on the internal and external interested parties.

  • Asset-based approach: reviews the steps the malicious actors take from obtaining the password through lateral movement to gaining access to the data. 

Whereas an event-based risk identification approach focuses on management-level objectives and impact, the asset-based approach follows the actor’s attack path through interconnected assets.

Where Does ISO 27005:2022 Fit Into an Organization’s ISO Compliance Program?

Like most compliance publications, ISO 27005:2022 is one of several documents that you need to understand when putting together your compliance program. Although the documents detail different aspects of your compliance posture, they all reference one another:

  • ISO 27001:2022 defines the processes and controls required for an ISMS.

  • ISO 27002:2022 provides implementation guidance for the information security controls listed in ISO 27001:2022’s Annex A.

  • ISO 27005:2022 details how you define and apply the information security risk assessment process required by ISO 27001:2022 Clause 6.1.2 and the information security risk treatment process required by Clause 6.1.3.

In addition to the documents listed above, ISO also publishes additional supplementary guidance within the same family. ISO 27003 covers additional guidance for implementing the ISMS and required processes defined within ISO 27001, ISO 27004 provides guidance on monitoring and measuring the performance of the ISMS, and ISO 27006 provides guidance for certification bodies performing ISO 27001 audits. 

Not all of these documents have been updated to reflect the changes in ISO 27001:2022, but ISO is currently working to create the new versions. While these documents are not required, they can assist with implementing certain portions of the ISMS, like ISO 27005:2022 does with Clauses 6.1.2 and 6.1.3.

Documenting the ISO 27005 Risk Treatment Process

All three updated documents focus more heavily on documentation than their predecessors did. While ISO 27005:2018 often implied certain documentation, the 2022 publication formally outlines documentation requirements in the implementation guidance sections of Clause 10.4.2 “Documented information about processes” and Clause 10.4.3 “Documented information about results.”

Documented information about the risk treatment process should contain:

  • The method used to select appropriate information security risk treatment options.

  • The method used to determine necessary controls.

  • How ISO 27001:2022 Annex A was used to verify that no necessary controls were accidentally overlooked.

  • How the risk treatment plan was produced.

  • How risk owners provide approval.

Additionally, the updated publication formalizes the internal or external audit function’s risk treatment plan review in Clause 10.7 “Corrective action”, noting that audits may detect nonconformities that require you to revise the risk treatment plan. 

Automating and Documenting the Risk Management Process

More than anything else, the 2022 changes to the ISO 27000-series focus on assigning risk owners and documenting activities. The number of internal and external interested parties, as defined within ISO 27005:2022, means that manually coordinating your risk assessment process becomes overwhelming and inefficient. 

With Drata’s platform as your single source of documentation, you can streamline your ISO compliance activities to accelerate audit-readiness. Our library of pre-mapped risks and controls enables you to rapidly complete an event-based risk identification approach, while our customization capabilities ensure that you can define risk scenarios unique to your organization.

You can leverage Drata’s Risk Management Solution to help you with your asset-based risk identification processes. Our platform provides continuous real-time compliance posture monitoring and evidence collection you need to comply with ISO 27000-series documentation practices. Book a demo today!

Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.
