The standard offers advice on systematically identifying, assessing, evaluating and treating information security risks - processes at the very heart of an ISO27k Information Security Management System (ISMS).
Instead it discusses the process in more general/overall terms, drawing on the generic risk management method described by ISO 31000[3] i.e.: Within that broad framework, organizations are encouraged to select/develop and use whichever information risk management methods, strategies and/or approaches best suit their particular needs - for example:[4] The ISO/IEC 27000-series of standards are applicable to all types and sizes of organization - a very diverse group, hence it would not be appropriate to mandate specific approaches, methods, risks or controls for them all.
Managers are encouraged to follow structured methods that are relevant to and appropriate for their organization's particular situation, rationally and systematically dealing with their information risks.
Identifying and bringing information risks under management control helps ensure that they are treated appropriately, in a way that responds to changes and takes advantage of improvement opportunities leading over time to greater maturity and effectiveness of the ISMS.
ISO/IEC 27005:2018 has the conventional structure common to other ISO/IEC standards, with the following main sections:[5] And six appendices: