The two approaches for information security risk identification proposed by ISO/IEC 27005:2022

Published on March 12, 2025

ISO/IEC 27005 is an international standard with guidelines for information security risk management. This standard offers guidance on identifying, assessing, and treating security risks within an organization. 

One key step of risk management is the identification of risks, which can be performed using different approaches. 

The standard proposes two risk identification approaches: the asset-based approach and the event-based approach.

The two approaches start from different points (an inventory of assets in one case, a set of realistic scenarios in the other), but if applied correctly they should lead to comparable results, and the standard allows them to be combined.

1. The asset-based approach 

The asset-based approach focuses on identifying information security risks by analyzing the assets that need protection. This method involves the following steps:

  1. Identify information assets: recognizing and cataloging assets such as information, business processes, hardware, software, networks, and personnel.
  2. Determine asset importance: distinguishing primary assets (the information and business processes the organization depends on) from supporting assets (the hardware, software, networks, sites, and people the primary assets rely on), and valuing them accordingly.
  3. Identify threats and vulnerabilities: determining which threats could act on each asset and which weaknesses (vulnerabilities) of the asset or its supporting assets those threats could exploit.
  4. Evaluate potential consequences: estimating the impact on the organization if the asset's confidentiality, integrity, or availability is compromised.

Example of the application of the asset-based approach for risk identification

Scenario - Protecting customer database

  • Asset: customer database containing sensitive personal and financial data.
  • Threats: cyber-attacks, unauthorized access, malware infections.
  • Vulnerabilities: weak password policies, unpatched software, lack of encryption.
  • Potential Impact: data breach leading to financial loss, regulatory fines (GDPR), and reputational damage.

In this approach, risk treatment could involve strengthening authentication mechanisms, applying patches promptly, and encrypting the data at rest and in transit, each control addressing one of the identified vulnerabilities.

2. The event-based approach

The event-based approach, according to ISO/IEC 27005, identifies risks by considering realistic attack or failure scenarios, starting from risk sources and what they aim to achieve rather than from an inventory of assets. This method involves:

  1. Considering possible events (scenarios): understanding possible situations that could lead to security incidents.
  2. Analyzing attack vectors: understanding how attackers or failures could exploit weaknesses, including attackers’ possible motivations.
  3. Assessing impact: evaluating the consequences of each possible event if it were to materialize.
  4. Considering likelihood: estimating how likely each scenario is to materialize, based on threat intelligence, the attractiveness of the organization as a target, and past incidents.

Application of the event-based approach to a real-world scenario

Scenario - Ransomware attack on corporate network

  • Scenario: an employee unknowingly clicks on a malicious email attachment, triggering ransomware that encrypts critical files.
  • Attack vector: phishing email with a malicious attachment.
  • Impacted assets: corporate file servers, employee workstations, business-critical data.
  • Potential consequences: operational downtime, loss of business data, ransom demand, regulatory penalties.
  • Risk mitigation strategies:
    • Employee awareness training focused on recognizing phishing.
    • Implementing email filtering and sandboxing.
    • Maintaining regular and secure backups.
    • Deploying endpoint detection and response (EDR) solutions.

Choosing the right approach

While both approaches are effective, they suit different situations:

  • The asset-based approach is best suited for structured environments where assets and their values are well-defined and inventoried, such as financial institutions or government agencies.
  • The event-based approach is more flexible and useful in dynamic environments where the asset inventory changes quickly, such as technology startups or cloud-based businesses.

The two can also be combined: the event-based approach can establish the high-level scenarios that matter most to the organization, and the asset-based approach can then be used to detail the operational scenarios affecting specific assets.

Conclusion

ISO/IEC 27005 is a guidance standard, and its recommendations for risk identification are not mandatory. An organization implementing an information security management system (ISMS) may use a different method to identify information security risks, provided the method produces consistent, valid, and comparable results as required by ISO/IEC 27001. However, the approaches recommended by ISO/IEC 27005 are a sound choice for any organization, regardless of its sector or its approach to protecting information assets.

If you are interested in understanding the guidelines for information security risk management proposed by ISO/IEC 27005:2022 you can take our online course available here.

For individuals looking to confirm their competence as ISMS auditors or practitioners, our online certification services can be an effective solution.
