
28 - ISO - ISO (Standardization) Programs

ISO 108 - ISO 27005 Information Security Risk Management

Code      Start Date          Duration   Venue
ISO 108   02 October 2023     5 Days     Istanbul
ISO 108   27 November 2023    5 Days     Istanbul
ISO 108   25 December 2023    5 Days     Istanbul

Please contact us for fees.


Course Description

Risk assessment and management provides the foundation for internal controls management, as well as for business continuity and disaster recovery management. ISO 27005 provides guidelines for information security risk management; it supports the general concepts specified in ISO 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. In this course, participants develop the competence to master the basic risk management elements related to all assets of relevance to information security, using the ISO 27005 standard as a reference framework.

Course Objectives

  • Understanding the concepts, approaches, methods and techniques allowing an effective management of risk according to ISO 27005
  • Interpreting the requirements of ISO 27001 on information security risk management
  • Understanding the relationship between information security risk management, security controls and compliance with the requirements of an organization's different stakeholders
  • Acquiring the competence to effectively advise organizations on the best practices in information security risk management

Who Should Attend?

  • Managers
  • Persons responsible for information security or conformity within an organization
  • Members of the information security team
  • IT consultants
  • Staff of organizations implementing or seeking to comply with ISO 27001, or involved in a risk management program

Course Details/Schedule

Day 1

  • Why ISO 27005?
  • Scope of ISO 27005
  • Concepts and definitions related to risk management
  • Risk management standards, frameworks and methodologies
  • Implementation of an information security risk management program

Day 2

  • Understanding an organization and its context
  • ISMS overview
  • Major differences in ISMS approaches
  • Recommended approach
  • Points to consider

Day 3

  • Introduction to the landscape of risk
  • Asset landscape
  • Threat landscape
  • Controls landscape
  • Loss (impact) landscape
  • Vulnerability landscape

Day 4

  • What information is necessary for risk analysis?
  • Define the context for information risk management
  • Risk identification and risk analysis
  • Introduction to risk assessment methodologies
  • Risk assessment with a quantitative method

Day 5

  • Determine the appropriate information risk treatment plan
  • Develop an information security risk communication plan
  • Describe the information security risk monitoring and review plan
  • Acceptance of information security risks and management of residual risks