
ISO 27005 Compliance playbook

Run ISO/IEC 27005 as a repeatable risk operating model that supports ISO/IEC 27001.

Focus on criteria, ownership, treatment choices, and review loops rather than abstract methodology alone.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026


Overview

ISO/IEC 27005 is guidance on managing information security risks to support an ISMS based on ISO/IEC 27001. In practice, good ISO 27005 implementation means the organization can explain how it defines risk, how it decides what is acceptable, how it assesses and treats risks, who approves residual exposure, and how those decisions stay current as systems, threats, and business priorities change.

Section 1

Start with context and decision policy

The first thing ISO 27005 needs is context. That means scope, business dependencies, interested-party requirements, assumptions, and the decision boundaries that tell assessors what matters and why.

Without context, risk scoring becomes arbitrary. Without decision policy, risk acceptance becomes inconsistent.

  • Core outputs: scope, key assets and services, dependencies, interested-party requirements, scenario framing
  • Decision policy: risk criteria, risk acceptance criteria, and authority levels for residual risk approval

Section 2

Run assessments that are consistent enough to compare

ISO 27005 is not only about finding risks. It is about finding them in a way that different teams can compare and govern. That requires a common methodology, a defined risk model, and enough rationale in each record to understand why the result was reached.

Do not optimize the method for speed alone. Optimize it for repeatability and clarity.

  • Assessment outputs: risk description, owner, consequence rationale, likelihood rationale, level of risk, and priority for treatment
  • Quality controls: shared scales, calibration sessions, peer review of high-risk items, and explicit uncertainty notes

Section 3

Translate assessed risk into treatment decisions

ISO 27005 covers selecting treatment options, determining necessary controls or actions, building treatment plans, and obtaining approval. The useful distinction is that assessment tells you what matters, while treatment tells you what the organization will do about it.

Treatment plans should be written as delivery plans with owners, milestones, evidence expectations, and clear acceptance criteria.

  • Treatment options usually include modifying, retaining, avoiding, or sharing risk
  • Every treatment item should state owner, deadline, success condition, and linked evidence source
  • Residual risk should be accepted explicitly, with conditions or review dates where needed

Section 4

Keep risk management inside the ISMS, not beside it

ISO 27005 supports ISO 27001. It should not become a separate risk universe with its own vocabulary, owners, and review habits. The most useful model keeps one risk register, one treatment workflow, and one management reporting rhythm.

When the ISMS and the risk process split apart, the Statement of Applicability, treatment plan, and control evidence drift out of alignment.

  • Integrate treatment decisions with control implementation and evidence under the ISMS
  • Bring top risks, exceptions, and stalled treatments into management review
  • Use corrective action when the risk process itself fails or becomes inconsistent

Section 5

Monitor, communicate, and review on purpose

ISO 27005 explicitly covers communication, monitoring, and review. This is where many programs underperform. They assess once, create plans, and then let the risk picture age in place.

Build a small number of review triggers that actually matter and use them rigorously.

  • Periodic review: revisit high-risk items on a defined cadence
  • Change triggers: incidents, control failures, architecture changes, new suppliers, or legal changes
  • Reporting outputs: treatment progress, accepted exceptions, aged risks, and overdue reviews
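
The record fields in Section 2, the treatment and residual-acceptance rules in Section 3, and the review triggers and reporting outputs in Section 5 fit together as one register model. The following is an added example written for this page, not code from the playbook's author or from ISO/IEC 27005. The 1-5 consequence and likelihood scales, the high/medium/low thresholds, the review cadences, the field names and the three register entries are all constructed assumptions; an organization substitutes its own risk criteria from its decision policy.

```python
# Added example (not from the page or from ISO/IEC 27005): a small risk register with the shared-scale,
# completeness and review-trigger checks described above; scales, cadences and entries are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
REVIEW_CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}  # assumed review cadence per level

@dataclass
class Treatment:
    option: str                        # modify / retain / avoid / share
    owner: str = ""
    deadline: Optional[date] = None
    success_condition: str = ""
    evidence_source: str = ""          # ticket, control record or other evidence location
    completed: bool = False

@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    consequence: str
    consequence_rationale: str
    likelihood: str
    likelihood_rationale: str
    last_reviewed: date
    treatment: Optional[Treatment] = None
    residual_accepted_by: str = ""     # authority level comes from the decision policy
    residual_review_by: Optional[date] = None
    pending_triggers: list = field(default_factory=list)

def level_of_risk(risk: Risk) -> str:
    """One shared matrix so results from different teams compare (assumed thresholds)."""
    score = CONSEQUENCE[risk.consequence] * LIKELIHOOD[risk.likelihood]
    return "high" if score >= 15 else "medium" if score >= 6 else "low"

def validate_record(risk: Risk) -> list[str]:
    """Quality control: gaps that make a record hard to compare, approve or audit."""
    gaps = []
    if not (risk.owner and risk.consequence_rationale and risk.likelihood_rationale):
        gaps.append("missing owner or rationale")
    t = risk.treatment
    if t is None:
        return gaps + ["no treatment decision"]
    if t.option != "retain" and not (t.owner and t.deadline and t.success_condition and t.evidence_source):
        gaps.append("treatment item lacks owner, deadline, success condition or evidence source")
    if t.option != "avoid" and not risk.residual_accepted_by:  # anything not avoided leaves residual risk
        gaps.append("residual risk not explicitly accepted")
    if level_of_risk(risk) == "high" and risk.residual_accepted_by and risk.residual_review_by is None:
        gaps.append("high residual risk accepted without a review date")
    return gaps

def review_flags(risk: Risk, today: date) -> list[str]:
    """Monitoring: periodic cadence, aged treatment, expired acceptance, change triggers."""
    flags, t = [], risk.treatment
    if today - risk.last_reviewed > timedelta(days=REVIEW_CADENCE_DAYS[level_of_risk(risk)]):
        flags.append("overdue_review")
    if t and t.deadline and not t.completed and t.deadline < today:
        flags.append("aged_treatment")
    if risk.residual_review_by and risk.residual_review_by <= today:
        flags.append("residual_acceptance_expired")
    if risk.pending_triggers:
        flags.append("change_trigger")
    return flags

def raise_change_trigger(register: list[Risk], affected: set[str], reason: str) -> None:
    for r in register:                 # incident, control failure, new supplier: force a re-review
        if r.risk_id in affected:
            r.pending_triggers.append(reason)

def management_report(register: list[Risk], today: date) -> dict:
    """Reporting outputs: treatment progress, accepted exceptions, aged risks, overdue reviews."""
    active = [r for r in register if r.treatment and r.treatment.option != "retain"]
    return {
        "treatment_progress": f"{sum(r.treatment.completed for r in active)}/{len(active)}",
        "accepted_exceptions": sorted(r.risk_id for r in register if r.treatment
                                      and r.treatment.option == "retain" and r.residual_accepted_by),
        "aged_risks": sorted(r.risk_id for r in register if "aged_treatment" in review_flags(r, today)),
        "overdue_reviews": sorted(r.risk_id for r in register if "overdue_review" in review_flags(r, today)),
        "incomplete_records": sorted(r.risk_id for r in register if validate_record(r)),
    }

TODAY = date(2026, 3, 4)  # constructed reference date
REGISTER = [  # constructed sample entries
    Risk("R-01", "VPN appliance on unsupported firmware", "Head of Infrastructure", "severe",
         "remote access to the internal network", "likely", "repeated scanning observed", date(2025, 10, 1),
         Treatment("modify", "Infra lead", date(2026, 2, 15), "appliance on supported firmware", "CHG-4471"),
         residual_accepted_by="CISO", residual_review_by=date(2026, 4, 1)),
    Risk("R-02", "Reporting tool stores exports unencrypted", "Finance Systems Owner", "moderate",
         "internal financial data only", "possible", "access limited to finance", date(2026, 1, 10),
         Treatment("retain"), residual_accepted_by="Finance Director", residual_review_by=date(2026, 7, 10)),
    Risk("R-03", "Payroll SaaS supplier outage", "HR Director", "major", "payroll delayed past a cycle",
         "unlikely", "", date(2026, 2, 1),
         Treatment("share", "HR ops", date(2026, 6, 30), "contract SLA plus manual fallback", "")),
]
```

Calling `management_report(REGISTER, TODAY)` on the sample register reports R-01 as both aged (treatment deadline passed, not completed) and overdue for review (high risk, last reviewed more than 90 days ago), R-02 as the one accepted exception, and R-03 as an incomplete record: it has no likelihood rationale, no evidence source, and no explicit residual acceptance even though sharing the risk does not remove it. `raise_change_trigger` is how an incident or supplier change forces a re-review outside the periodic cadence; the retained R-02 picks up a `change_trigger` flag the next time `review_flags` runs. The point of keeping validation separate from reporting is that an incomplete record never silently becomes "accepted": it surfaces in management review until someone fills the gap or the decision is formally made.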

Primary sources

  • iso.org: primary current source for ISO/IEC 27005, including edition, publication timing, and scope of guidance.