Overview
What is ISO 27005 ?
ISO/IEC 27005 provides guidelines for information security risk management. It supports the risk assessment and treatment requirements of ISO 27001. The standard describes an iterative process including context establishment, risk identification, risk analysis, risk evaluation, and risk treatment, along with communication and monitoring. It is compatible with other methodologies such as EBIOS RM or NIST SP 800-30.
Key Points
- Iterative process: context establishment, identification, analysis, evaluation, and risk treatment
- Compatible with ISO 27001: addresses the risk assessment requirements of clauses 6.1.2 and 8.2
- Approach based on assets, threats, vulnerabilities, and consequences
- Four treatment options: risk reduction, acceptance, avoidance, and transfer
- Continuous monitoring and review of the risk management process
Why Zaxyr
Zaxyr integrates a risk analysis engine compliant with ISO 27005. The platform automates asset inventory, threat and vulnerability identification, risk level calculation, and treatment plan generation. Results directly feed the ISO 27001 SoA and are tracked in an auditable risk register.