
ISO/IEC 27005 provides guidelines for information security risk management and is part of the ISMS family of standards, the "ISO/IEC 27000 series". It supports the concepts specified in ISO/IEC 27001 and assists the implementation of information security based on a risk management approach. The standard is officially titled ISO/IEC 27005:2008. The International Organization for Standardization took about three years to document this particular standard, and further developments addressing similar issues have since been introduced under ISO 31000:2009.

It is a fact that "risk" is an ambiguous state which depends on hundreds or thousands of factors. A risk to one organization might be a source of profit for another, and so forth. This may be the reason that even the International Organization for Standardization keeps introducing revisions and trying different approaches in order to arrive at a generic model that suits most of the organizations in the world.

In fact ISO 27005 defines its major modules as context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review, and these are poorly differentiated from one another. These modules, or steps, include many overlapping processes, which may be a consequence of the ambiguity of risk noted above. Some may argue that ISO 27005 does not specify how to estimate risk for an organization. I believe, however, that the ambiguity of risk and its numerous dependencies do not allow a generic terminology to be designed for measuring risk, either quantitatively or qualitatively. The omission of risk measurement from ISO 27005 makes it appear to be an incomplete set of guidelines, since it is axiomatic that what cannot be measured cannot be managed.

ISO 27005 allows risk estimation to be qualitative or quantitative, and on a qualitative scale the magnitude of an information security risk would be rated, for example, "high" and its likelihood "low". Such a rating will not hold in every instance and every place: as I mentioned above, it is a dependent factor that largely reflects the state of the organization during that particular time interval.

Groups that suggest improvements to ISO 27005 propose applying fuzzy set theory, devised by L. A. Zadeh in 1965, to risk management. To summarize their suggestions: replace "probability" with "credibility", convey a large amount of information in few words, clearly state the definitions of the qualitative terms, and use quantitative measures for confidence levels.
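The following is an added illustration of what two of those suggestions look like in practice, namely stating the definitions of the qualitative terms explicitly and attaching a numeric degree to the resulting "low", "medium" or "high" label. It is not code from this page, from ISO/IEC 27005 or from the authors of the fuzzy proposals. The scales, the trapezoidal term boundaries and the 3x3 rule base are assumptions chosen for the example, and the inference uses the standard Mamdani min/max scheme with centroid defuzzification; replacing probability with a credibility measure is not covered here.

```python
"""Fuzzy-set risk estimation with explicitly defined linguistic terms.

Added illustration, not code from the page, ISO/IEC 27005 or any cited author.
The scales, term boundaries and the 3x3 rule base are assumptions chosen for
the example; an organisation would calibrate them to its own context.
"""
from typing import Callable, Dict, Tuple

Membership = Callable[[float], float]


def trapezoid(a: float, b: float, c: float, d: float) -> Membership:
    """Trapezoidal membership: 0 below a, rising to 1 on [b, c], 0 above d.
    a == b (or c == d) gives a shoulder that is fully 'in' at the scale edge."""
    def mu(x: float) -> float:
        if x < a or x > d:
            return 0.0
        if x < b:
            return (x - a) / (b - a)
        if x <= c:
            return 1.0
        return (d - x) / (d - c)
    return mu


# Explicit definitions of the qualitative terms (assumed for this example).
# Likelihood is a judged chance in [0, 1]; impact and risk are on a 0-10 scale.
LIKELIHOOD: Dict[str, Membership] = {
    "low": trapezoid(0.0, 0.0, 0.1, 0.3),
    "medium": trapezoid(0.2, 0.4, 0.5, 0.7),
    "high": trapezoid(0.6, 0.8, 1.0, 1.0),
}
IMPACT: Dict[str, Membership] = {
    "low": trapezoid(0, 0, 2, 4),
    "medium": trapezoid(3, 5, 5, 7),
    "high": trapezoid(6, 8, 10, 10),
}
RISK: Dict[str, Membership] = dict(IMPACT)  # same shapes on the 0-10 risk scale

# Rule base: (likelihood term, impact term) -> risk term. Assumed, not ISO's.
RULES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}

GRID = [i / 100 for i in range(0, 1001)]  # discretised 0-10 output scale


def estimate_risk(likelihood: float, impact: float) -> Tuple[float, str, Dict[str, float]]:
    """Mamdani inference: fire every rule at min(mu_L, mu_I), clip its output
    term at that strength, aggregate the clipped terms with max, and defuzzify
    by centroid. Returns (crisp score, best-fitting label, degree of each label).
    The degrees are the 'quantitative measure for the confidence level' of the
    qualitative label that the fuzzy proposals ask for."""
    if not 0.0 <= likelihood <= 1.0 or not 0.0 <= impact <= 10.0:
        raise ValueError("likelihood must be in [0, 1] and impact in [0, 10]")
    strength: Dict[str, float] = {term: 0.0 for term in RISK}
    for (l_term, i_term), r_term in RULES.items():
        fire = min(LIKELIHOOD[l_term](likelihood), IMPACT[i_term](impact))
        strength[r_term] = max(strength[r_term], fire)

    def aggregated(x: float) -> float:
        return max(min(strength[t], RISK[t](x)) for t in RISK)

    weights = [aggregated(x) for x in GRID]
    total = sum(weights)
    if total == 0.0:  # no rule fired: the rule base does not cover this input
        raise ValueError("rule base does not cover the given input")
    score = sum(x * w for x, w in zip(GRID, weights)) / total
    degrees = {t: RISK[t](score) for t in RISK}
    label = max(degrees, key=degrees.get)
    return score, label, degrees


if __name__ == "__main__":
    # Constructed inputs: the 'high impact, low likelihood' case from the text
    # plus a borderline likelihood, a clear high and a clear low.
    for l, i in [(0.1, 9.0), (0.25, 9.0), (0.9, 9.0), (0.5, 1.0)]:
        score, label, degrees = estimate_risk(l, i)
        print(f"likelihood={l:.2f} impact={i:.1f} -> risk {score:.2f} ({label}), "
              + ", ".join(f"{t}={d:.2f}" for t, d in degrees.items()))
```

The point of the example is that "high impact, low likelihood" no longer means whatever the assessor had in mind that day: the term boundaries are written down, a borderline likelihood such as 0.25 fires two rules at partial strength and lands between the "medium" and "high" outputs instead of being forced into one bucket, and the returned degrees say how well the final label actually fits. The boundaries and rules would have to be recalibrated whenever the organization's context changes, which is exactly the dependency the essay describes.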

However, Steven J. Ross, the author of the article "Applying the ISO 27005 risk management standard", insists that "It is axiomatic that what cannot be measured cannot be managed". He also doubts that the authors of ISO 27005 had any idea of risk measurement in mind when they wrote the standard. I suggest, however, that they might have had something in mind but were unable to translate it into a generic model that fits the rest of the standard.
