Embrace Best Practices in ISMS Risk Management based on ISO/IEC 27005

ISO/IEC 27005 is an internationally recognised standard that provides guidance for the information security risk management required by ISO/IEC 27001. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. ISO/IEC 27005 is applicable to all types of organisations that intend to manage risks that could compromise the organisation's information security.

ISO/IEC 27005 belongs to the ISO/IEC 27000 family, which comprises standards and best practices on information security management: the management of information risks through information security controls within the context of an ISMS. The essential elements of ISO/IEC 27005 give organisations advice on the why, what and how of managing information security risks in support of their governance objectives. Gaining an understanding of, and accreditation in, ISO/IEC 27005 enables effective governance and management of information security risks within your organisation. The key benefit of the ISO/IEC 27005 standard is its full alignment with the international standard for risk management, ISO 31000. By combining ISO/IEC 27005 and ISO 31000, approaches to managing risks within your organisation can be enhanced effectively and sustainably.

By attending our ISO/IEC 27005 courses, you are expected to learn the following:

  • The knowledge necessary for the implementation, management and maintenance of an ongoing risk management program
  • The concepts, approaches, standards, methods and techniques essential to an effective management of risks according to ISO/IEC 27005
  • The relationship between the Information Security Management System (ISMS), including risk management, and the relevant security controls, and how to comply with the requirements of your organisation's different stakeholders
  • Approaches to interpret the requirements of ISO/IEC 27001 on information security risk management
  • Approaches to acquire the competence to implement, maintain and manage an ongoing information security risk management program according to ISO/IEC 27005
  • Competence to effectively advise your or other organisations on the best practices in information security risk management

What is the ISO/IEC 27005 certification?

ISO/IEC 27005 aims at providing guidelines for Information Security Risk Management and supporting the general concepts specified in ISO/IEC 27001. ISO/IEC 27005 is designed to assist the satisfactory implementation of an Information Security Management System (ISMS) based on a risk management approach. The ISO/IEC 27005 certification can help individuals and organisations develop the competence to use the ISO/IEC 27005 standard and best practices as a reference framework for mastering the risk management elements related to all assets managed and controlled by an ISMS.

Target Audience

The ISO/IEC 27005 certification is designed for candidates:

  • who are senior managers or senior consultants who want to consider and implement risk management approaches in an Information Security Management System (ISMS);
  • who are portfolio managers, programme managers, project managers or senior consultants who want to master practices for managing risks in the implementation process of an Information Security Management System (ISMS) or to be involved in a risk management program;
  • who are auditors who want to perform and lead the audit process of an Information Security Management System (ISMS);
  • who are staff members who are responsible for information security risk management activities in the organisation;
  • who are team members of information security, risk management, legal and compliance, governance and controls or relevant departments in the organisations; or
  • who are experts who are responsible for providing advice about information security risk management.

Course Outline

ISO/IEC 27005 Introduction

This one-day course allows participants to familiarise themselves with the fundamentals of risk management related to information security, using the ISO/IEC 27005:2011 standard as a reference framework. Participants will be introduced to the different parts of a risk management program and the implementation stages of an optimal risk assessment. It should be noted that this course fits perfectly into the framework of an ISO/IEC 27001 implementation process.

  • Concepts and definitions related to risk management
  • Standards, frameworks and methodologies in risk management
  • Implementation of a risk management program
  • Risk identification and risk analysis
  • Risk evaluation and risk treatment
  • Acceptance of risk and management of residual risks
  • Communicating, monitoring and controlling risks

ISO/IEC 27005 Foundation

This two-day course enables participants to learn about the best practices in risk management based on ISO/IEC 27005, and to understand how the different parts of a risk management program and the implementation stages of an optimal risk assessment are conducted.

  • All the concepts covered in the ISO/IEC 27005 Introduction training
  • Introduction to risk management concepts as required by ISO/IEC 27001
  • Identification and assessment of risk management in information security according to ISO/IEC 27005
  • ISO/IEC 27005 Foundation exam, covering 2 domains:
    • Domain 1: Fundamental principles and concepts of risk management in information security
    • Domain 2: Information security risk management methods

ISO/IEC 27005 Risk Manager

This three-day intensive course enables participants to develop the competence to master the basic risk management elements related to all assets of relevance for information security, using the ISO/IEC 27005 standard as a reference framework. Based on practical exercises and case studies, participants acquire the necessary knowledge and skills to perform an optimal information security risk assessment and to manage risks over time by being familiar with their life cycle. This course fits perfectly into the framework of an ISO/IEC 27001 implementation process.

Day 1: Introduction, Risk Management Program according to ISO/IEC 27005

  • Concepts and definitions related to risk management
  • Risk management standards, frameworks and methodologies
  • Implementation of an information security risk management program
  • Understanding of an organisation and its context

Day 2: Risk Identification and Assessment, Risk Evaluation, Treatment, Acceptance, Communication and Surveillance according to ISO/IEC 27005

  • Risk identification
  • Risk analysis and risk evaluation
  • Risk assessment with a quantitative method
  • Risk treatment
  • Risk acceptance and residual risk management
  • Information security risk communication and consultation
  • Risk monitoring and review

Day 3: Overview of other Information Security Risk Assessment Methods and Certification Exam

  • Presentation of OCTAVE method
  • Presentation of MEHARI method
  • Presentation of EBIOS method
  • Presentation of Harmonized TRA method
  • Certification exam which covers the following domains:
    • Domain 1: Fundamental concepts, approaches, methods and techniques of information security risk management
    • Domain 2: Implementation of an information security risk management program
    • Domain 3: Information security risk assessment based on ISO/IEC 27005

ISO/IEC 27005 with MEHARI

This five-day intensive course enables participants to develop the competence to master the basic risk management elements related to all assets of relevance for information security, using the ISO/IEC 27005:2011 standard as a reference framework together with the MEHARI method. The MEHARI method was developed by the “Club de la Sécurité des Systèmes d’Information Français” (CLUSIF) in France. Based on practical exercises and case studies, participants acquire the knowledge and skills needed to perform an optimal information security risk assessment and to manage risks over time by being familiar with their life cycle. This course fits perfectly into the framework of an ISO/IEC 27001:2005 implementation process.

Day 1: Introduction, Risk Management Program according to ISO/IEC 27005

  • Concepts and definitions related to risk management
  • Risk management standards, frameworks and methodologies
  • Implementation of an information security risk management program
  • Understanding of an organisation and its context

Day 2: Risk Identification and Assessment, Risk Evaluation, Treatment, Acceptance, Communication and Surveillance according to ISO/IEC 27005

  • Risk identification
  • Risk analysis and risk evaluation
  • Risk assessment with a quantitative method
  • Risk treatment
  • Risk acceptance and residual risk management
  • Information security risk communication and consultation
  • Risk monitoring and review

Day 3: Certification Exam and Start of Risk Assessment with MEHARI

  • Certification exam which covers the following domains:
    • Domain 1: Fundamental concepts, approaches, methods and techniques of information security risk management
    • Domain 2: Implementation of an information security risk management program
    • Domain 3: Information security risk assessment based on ISO/IEC 27005
  • MEHARI Presentation
  • Assessment and classification issues
  • Overview of the process
  • The value chain for failures
  • Classification of resources

Day 4: Assessment of Vulnerabilities and Risks according to MEHARI

  • Assessment of Vulnerabilities
  • Qualities of a security service
  • Measuring the quality of a security service
  • Evaluation process
  • Risk assessment

Day 5: Security Planning according to MEHARI and Exam

  • Security plans and procedures
  • Tools to support the implementation of MEHARI
  • "MEHARI advanced" exam which covers the following domains:
    • Domain 1: Fundamental concepts, approaches, methods and techniques of information security risk management
    • Domain 2: Implementation of an information security risk management program
    • Domain 3: Information security risk assessment based on ISO/IEC 27005
    • Domain 4: Information security risk treatment based on MEHARI
    • Domain 5: Information security risk communication, monitoring and improvement based on MEHARI

ISO/IEC 27005 Exam Format

                   | ISO/IEC 27005 Foundation         | ISO/IEC 27005 Risk Manager       | ISO/IEC 27005 MEHARI
-------------------|----------------------------------|----------------------------------|----------------------------------
Question Type      | Essay; short and long questions  | Essay; short and long questions  | Essay; short and long questions
No. of Questions   | 4                                | 8                                | 8
Duration           | 60 minutes                       | 2 hours                          | 2 hours
Passing Score (%)  | 70%                              | 70%                              | 70%

Requirements for ISO/IEC 27005

Participants can apply for the ISO/IEC 27005 certifications if the following requirements are fulfilled.

Credential                              | Exam                                                          | Professional Experience                                   | Risk Assessment Experience                      | Other Requirements
----------------------------------------|---------------------------------------------------------------|-----------------------------------------------------------|-------------------------------------------------|--------------------------------
ISO/IEC 27005 Foundation                | PECB Certified ISO/IEC 27005 Foundation Exam or equivalent    | None                                                      | None                                            | Signing the PECB code of ethics
ISO/IEC 27005 Provisional Risk Manager  | PECB Certified ISO/IEC 27005 Risk Manager Exam or equivalent  | None                                                      | None                                            | Signing the PECB code of ethics
ISO/IEC 27005 Risk Manager              | PECB Certified ISO/IEC 27005 Risk Manager Exam or equivalent  | Two years: One year of risk management work experience    | Risk management activities totalling 200 hours  | Signing the PECB code of ethics
ISO/IEC 27005 Lead Risk Manager         | PECB Certified ISO/IEC 27005 Lead Risk Manager Exam or equivalent | Five years: Two years of risk management work experience | Risk management activities totalling 300 hours | Signing the PECB code of ethics
MEHARI Provisional Risk Manager         | PECB Certified MEHARI Exam or equivalent                      | None                                                      | None                                            | Signing the PECB code of ethics
MEHARI Risk Manager                     | PECB Certified MEHARI Exam or equivalent                      | Two years: One year of risk management work experience    | Risk management activities totalling 200 hours  | Signing the PECB code of ethics
