What is ISO/IEC 27005:2018 ?

ISO/IEC 27005:2018 and ISO-IEC 27005:2019 are both important international standards for managing information security risks within an organization. While both standards are similar in some aspects, they have distinct differences in their scope and objectives.

ISO/IEC 27005:2018 is a professional technical standard that provides guidelines for risk management related to information security. It serves as a framework to establish and maintain an effective information security risk management process within an organization. ISO/IEC 27005:2018 focuses on the identification, assessment, and treatment of information security risks, which are typically associated with the organization's business operations and the handling of sensitive data.

ISO-IEC 27005:2019, on the other hand, is a widely recognized international standard for managing risks to the security of information assets within an organization. It provides a systematic approach to identify, analyze, evaluate, and treat information security risks. The primary purpose of ISO-IEC 27005:2019 is to help organizations establish and maintain an effective risk management process to protect their sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction.

ISO-IEC 27005:2019 is more focused on the risk management process, including the development of risk management strategies, the establishment of risk management policies and procedures, and the implementation of risk management controls. It also provides guidance on the documentation and reporting of the organization's risk management activities.

In conclusion, both ISO/IEC 27005:2018 and ISO-IEC 27005:2019 play important roles in helping organizations manage information security risks and protect their sensitive information. While they share some similarities in their scope and objectives, ISO-IEC 27005:2019 is more focused on the risk management process, while ISO/IEC 27005:2018 is more focused on the information security risk management process. Both standards are important references for organizations looking to establish or maintain an effective information security risk management process.