ISpectra Technologies
Comparisons · Intermediate · Updated Jun 2026 · 8 min read

ISO 27005: 2018 vs 2022 Changes Explained

ISO 27005 is the standard that guides the risk management at the heart of ISO 27001. The 2022 revision reshaped how it describes the risk process — and understanding the changes helps you run a cleaner, more defensible risk assessment.


Risk assessment is the engine of ISO 27001: it justifies every control you choose. ISO/IEC 27005 is the companion standard that explains how to do information security risk management well. In 2022 it received a significant update, and teams that learned risk management from the 2018 edition need to know what changed and why it matters.

This guide compares ISO 27005:2018 with the 2022 revision in practical terms, and shows how to apply the current guidance to the risk assessment that underpins your ISO 27001 certification.

What ISO 27005 is for

ISO/IEC 27005 provides guidance on managing information security risk. It does not certify you and it does not replace ISO 27001; instead it supports clauses 6 and 8, where ISO 27001 requires you to assess and treat risk but deliberately leaves the method to you. ISO 27005 fills that gap with a structured, repeatable approach.

Because ISO 27001 is method-agnostic, you are free to use other risk frameworks too — but ISO 27005 is purpose-built to align with it, which makes it the natural choice for most implementers.

In short, it is the recognised playbook for the single most important activity in your ISMS.

ISO 27005: 2018 vs 2022 at a glance

The table below summarises what changed between the two editions.

| Aspect | ISO 27005:2018 | ISO 27005:2022 |
|---|---|---|
| ISO 31000 alignment | Looser | Closer, harmonised |
| Risk identification | Mainly asset-based | Asset-based + explicit event-based |
| Terminology | Older terms | Streamlined and modernised |
| Emphasis | Asset–threat–vulnerability | Risk scenarios & consequences |
| Status | Superseded | Current edition |


The 2018 edition in brief

ISO 27005:2018 framed risk management around clearly separated steps: context establishment, risk identification (with assets, threats, and vulnerabilities), risk analysis, risk evaluation, risk treatment, and ongoing communication and monitoring.

Its identification approach leaned heavily on an asset-threat-vulnerability model: you inventoried assets, identified threats to each, and the vulnerabilities those threats could exploit. This was rigorous but could become unwieldy for large, fast-moving environments.

For years this was the default mental model practitioners used when building an ISO 27001 risk assessment.

What the 2022 revision changed

The 2022 revision modernised the guidance and aligned its language more closely with ISO 31000, the overarching risk-management standard. The headline shift is flexibility in how risks are identified: alongside the traditional asset-based approach, it more explicitly supports an event-based approach — starting from scenarios and consequences rather than exhaustively cataloguing assets.

It also streamlined terminology, clarified the relationship between risk identification and analysis, and put more emphasis on risk scenarios. The overall effect is guidance that scales better to modern, cloud-heavy organisations.

Nothing in the change forces you to abandon asset-based thinking; it simply gives you a sanctioned alternative.

Asset-based vs event-based identification

The two approaches answer the same question differently. Asset-based identification starts from ‘what do we have, and what could happen to it?’ — thorough but potentially enormous. Event-based identification starts from ‘what scenarios could harm us, and what would the consequences be?’ — often faster and more focused on what actually matters.

Many mature programs blend the two: event-based scenarios for breadth and speed, with asset-based detail where precision is needed. The 2022 edition’s flexibility makes that blend legitimate and easier to document.

Choosing the right mix for your size and complexity is one of the most practical decisions in your risk method.

Alignment with ISO 31000

A key theme of the 2022 revision is closer alignment with ISO 31000, the general risk-management standard used across disciplines. This harmonises information security risk with enterprise risk management, so your security risks can speak the same language as financial, operational, and strategic risks reported to leadership.

For organisations that already run enterprise risk management, this alignment reduces friction and duplication — security risk becomes a branch of the same tree rather than a separate dialect.

It also strengthens the governance story auditors and boards want to see.

What it means for your ISO 27001 risk assessment

If you are building or revising your ISMS, use ISO 27005:2022 as your guide. Establish your context and criteria, choose an identification approach (asset-based, event-based, or blended), analyse and evaluate risks consistently, and document a clear risk treatment plan linking risks to Annex A controls.

The output feeds directly into your Statement of Applicability and gives auditors the traceability they look for: every control justified by an identified, evaluated risk.

Following current guidance also future-proofs your method, since the 2022 alignment reflects where risk management is heading.

Do you have to use ISO 27005?

No. ISO 27001 requires a risk assessment but does not mandate ISO 27005 specifically; you may use any sound methodology, including ISO 31000-based approaches or sector frameworks. ISO 27005 is simply the most directly aligned and widely used option.

What matters to an auditor is that your method is documented, repeatable, and consistently applied — not which standard inspired it. ISO 27005 just makes meeting that bar easier.

If you already have a working enterprise risk method, you can often adapt it rather than adopt 27005 wholesale.

Migrating from a 2018-based method

If your existing risk process was built on the 2018 edition, you do not need to tear it up. Review your terminology against the 2022 language, consider whether an event-based or blended identification approach would serve you better, and check your alignment with ISO 31000 concepts.

Most teams find the migration is an evolution rather than a rebuild — tightening language and adding scenario-based thinking rather than discarding what worked.

Document the updated method so the change is visible and your audit trail stays clean.

Common pitfalls in risk management

The most common pitfall is a risk assessment that exists only to satisfy the auditor — disconnected from the controls and never revisited. Another is over-engineering: an asset register so exhaustive that the analysis never finishes. A third is inconsistent scoring, where similar risks are rated differently by different people.

ISO 27005 helps avoid these by encouraging clear criteria, a repeatable method, and regular review. The goal is a living risk picture that genuinely informs decisions, not a document that gathers dust.

A risk assessment used in real decisions is also far easier to defend in an audit.

The bottom line

ISO 27005 is the guidance behind ISO 27001’s risk requirement, and the 2022 revision modernised it: closer alignment with ISO 31000, more flexible (event-based) risk identification, and clearer terminology. You are not obliged to use it, but it is the most natural fit for an ISO 27001 risk assessment.

Use the current edition to run a method that is documented, repeatable, and genuinely useful, and your Statement of Applicability will trace cleanly to real risks — exactly what auditors reward.

If risk assessment is where your team feels least confident, it is also where expert help pays off most; ISpectra builds ISO 27005-aligned risk processes as part of every engagement, with free VAPT and a multi-framework discount.

Worked example: a cloud risk

Consider a realistic scenario: a misconfigured cloud storage bucket could expose customer data. Using ISO 27005’s event-based lens, you describe the scenario, estimate its likelihood and the consequence to confidentiality, and rate the resulting risk against your criteria.

That single risk then drives several Annex A controls — secure configuration, access control, logging, and cloud service security — each recorded in your treatment plan and Statement of Applicability. The 2022 guidance makes this scenario-first approach explicit and easy to document.

The example shows why method matters: a clear, scenario-based risk produces a focused, defensible set of controls rather than a sprawling asset inventory that never resolves into action.
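The scenario above, and the earlier warning about inconsistent scoring, both come down to the same thing: written criteria that everyone scores against, and a register that traces each Annex A control back to the risk that justifies it. The following is an added example (not code from ISpectra or from the ISO standards) of a minimal risk register that does this. The 1–5 likelihood and consequence scales, the risk-level bands and the acceptance ceiling are constructed criteria for illustration; the Annex A references are this example's own mapping of the four control areas named above onto ISO/IEC 27001:2022 Annex A.

```python
from dataclasses import dataclass, field

# Constructed scoring criteria (an assumption of this example, not taken from
# ISO 27005). Every scorer must use the same written anchors; refusing scores
# outside the scale is what keeps two people from rating similar risks differently.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Risk-level bands over likelihood x consequence (constructed thresholds).
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]

# Risks at or below this level are accepted without treatment (constructed value).
ACCEPTANCE_CEILING = 4


def is_on_scale(likelihood: int, consequence: int) -> bool:
    """True only if both scores use the defined 1-5 scales."""
    return likelihood in LIKELIHOOD and consequence in CONSEQUENCE


@dataclass
class RiskScenario:
    """One event-based risk: a scenario, the property it harms, and its scores."""
    risk_id: str
    event: str
    harms: str                       # e.g. "confidentiality"
    likelihood: int
    consequence: int
    controls: list = field(default_factory=list)   # Annex A references chosen in treatment

    def __post_init__(self):
        if not is_on_scale(self.likelihood, self.consequence):
            raise ValueError(f"{self.risk_id}: scores must use the defined 1-5 scales")

    def level(self) -> int:
        return self.likelihood * self.consequence

    def rating(self) -> str:
        for ceiling, name in BANDS:
            if self.level() <= ceiling:
                return name
        return BANDS[-1][1]

    def needs_treatment(self) -> bool:
        return self.level() > ACCEPTANCE_CEILING


def soa_trace(risks: list) -> dict:
    """Invert the register: for each control, the evaluated risks that justify it.
    This is the traceability an auditor checks against the Statement of Applicability."""
    trace = {}
    for risk in risks:
        for control in risk.controls:
            trace.setdefault(control, []).append(risk.risk_id)
    return trace


def sample_register() -> list:
    """Constructed sample: the misconfigured-bucket scenario from the article."""
    return [
        RiskScenario(
            risk_id="R-001",
            event="Misconfigured cloud storage bucket exposes customer data",
            harms="confidentiality",
            likelihood=3,     # "possible"
            consequence=4,    # "major"
            controls=[        # example mapping onto ISO/IEC 27001:2022 Annex A
                "A.8.9 Configuration management",
                "A.5.15 Access control",
                "A.8.15 Logging",
                "A.5.23 Information security for use of cloud services",
            ],
        ),
    ]


if __name__ == "__main__":
    for risk in sample_register():
        print(f"{risk.risk_id}: level {risk.level()} ({risk.rating()}), "
              f"treat={risk.needs_treatment()}")
    for control, ids in soa_trace(sample_register()).items():
        print(f"{control} <- justified by {', '.join(ids)}")
```

Running it rates R-001 as level 12 (High) and lists each of the four controls with R-001 as its justification. The point of the `is_on_scale` check is that an out-of-scale score is rejected at entry rather than silently skewing the register, which is the simplest guard against the inconsistent-scoring pitfall.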

Keeping the risk assessment alive

Whichever edition shaped your method, the biggest determinant of success is whether the risk assessment is actually used. ISO 27005 stresses ongoing communication and monitoring, and ISO 27001 requires you to review risk at planned intervals and when significant changes occur.

In practice that means revisiting the register when you launch a product, adopt a major new supplier, or suffer an incident — not just once a year before the audit. A living risk picture is what turns the assessment from paperwork into a genuine decision-making tool.

It is also far easier to defend at audit, because the auditor can see risk decisions reflected in real changes to your controls.

ISO 27005: 2018 vs 2022 Changes Explained — Frequently Asked Questions

What is ISO 27005?
ISO/IEC 27005 is the international standard that provides guidance on information security risk management. It supports the risk assessment and treatment that ISO 27001 requires but does not itself certify you.

What changed in the 2022 revision?
The 2022 revision aligned more closely with ISO 31000, modernised terminology, and gave more explicit support for event-based (scenario) risk identification alongside the traditional asset-based approach.

Do you have to use ISO 27005?
No. ISO 27001 requires a documented, repeatable risk assessment method but does not mandate ISO 27005 specifically. ISO 27005 is simply the most directly aligned and widely used guidance.

What is the difference between asset-based and event-based identification?
Asset-based starts from your assets and what could happen to them; event-based starts from risk scenarios and their consequences. The 2022 edition supports both, and many teams blend them.

Do I need to rebuild a risk method based on the 2018 edition?
Usually it is an evolution, not a rebuild: align terminology with 2022, consider scenario-based identification, and check alignment with ISO 31000. Document the updated method for your audit trail.
