ISO/IEC 27005:2018 Information Security Risk Management

With the increasing number of internal and external information security threats, organizations recognize the importance of adopting a formal risk management programme. Without a mechanism to identify, analyse and manage information security risks, it’s difficult for organizations to prioritize their security remediation efforts, allocate resources and manage the associated costs. This leaves organizations more susceptible to security breaches, which can lead to financial and reputational damage.

Building on the concepts and framework specified in ISO/IEC 27001, ISO/IEC 27005:2018 provides guidelines for adopting an information security risk management approach that is appropriate to all organizations.

This course aims to provide you with clear and practical guidance on the framework and steps involved to identify, analyse and manage information security risks. It will help you to review your existing risk treatments and controls and ensure they are appropriate to manage and reduce the identified risks. This will give you the confidence to get the most effective allocation of resources in place to address information security issues for your organization.

Who should attend?

Anyone who wants to learn about:

  • Identifying and analysing information security risks
  • How risks can be evaluated
  • What treatments, controls and measures can be implemented in order to mitigate risks
  • Ongoing governance and risk monitoring processes

The course is applicable to individuals from any size or type of organization who are currently involved in (or will be in the future) planning, implementing, maintaining, supervising or assessing information security, as part of an ISO/IEC 27001 ISMS or a standalone system. 


You should have a basic knowledge of ISO/IEC 27001:2013 and ISO/IEC 27002:2013, as well as an understanding of the key principles of an ISMS.

We also recommend that you have an awareness of generic risk assessments and a basic understanding of information security principles and terminology.

Some delegates on this course will have already attended our Information Security Management System (ISMS) Requirements of ISO 27001:2013 or Information Security Management System (ISMS) Implementing ISO/IEC 27001:2013 course. 

We also recommend delegates have an understanding of the risk assessment approach currently employed in their organizations, should one exist. 


What will I learn?

By the end of this course delegates will be able to:

  • Explain concepts specific to information risk management, including terms and definitions
  • Recognize typical information security risks faced by organizations
  • Identify typical information security risk management concerns
  • Communicate ISO/IEC 27005:2018 introduction, background, purpose, scope and structure
  • Explain how ISO/IEC 27005:2018 integrates and interfaces with other standards, such as ISO/IEC 27001:2013
  • Implement the topics covered in ISO/IEC 27005:2018 within your organization
  • Determine the value of the information assets under your control
  • Evaluate threats to information assets
  • Identify, analyse and evaluate information security risks
  • Prioritize and choose appropriate risk treatments

How will I benefit?

This course will help you:

  • Identify key benefits associated with using ISO/IEC 27005:2018 for protecting information assets, as part of an effective information security management system (ISMS)
  • Understand the best practice risk management processes contained in ISO/IEC 27005:2018
  • Understand the rationale behind the processes, usage and implementation
  • Establish an acceptable level of risk for your information assets based on a knowledge and understanding of the risks your organization faces
  • Develop processes for assessing and managing the many different risks related to your organization’s information assets
  • Help your organization investigate and score information security risks in a robust, quantifiable and repeatable way

What is included?

  • Lunch and refreshments
  • Course notes
  • On completion, you will be awarded an internationally recognized BSI Training Academy certificate.

In-house training

If you have a group of people to train and a single location that is practical, an expert tutor can deliver training at your premises.


COVID-19: Important information on classroom-based training courses

BSI is closely monitoring UK Government Advice regarding the safety of classroom-based training courses. In the event of a classroom-based course being deemed unsafe, your training booking will be automatically transferred to online delivery using our highly-interactive virtual classroom - Connected Learning Live.

If you have any questions regarding your booking, please contact or call +46 (0)707 401147.

Booking a course delivered via Connected Learning Live?

Take advantage of our exclusive offers, only available in July and August 2020*

Book a July or August Connected Learning Live course date and you’re entitled to unlock one of the following benefits:

  • Option 1: Get 50% off a second delegate booking fee
    Offer applicable to public courses delivered via Connected Learning Live in July and August 2020 only. Second delegate must attend the same course date
  • Option 2: Save £500 on a BSI Diploma in Quality Management
    Offer applicable to delegates that have booked a public course delivered via Connected Learning Live in July and August 2020 only

Contact our training team today to find out more and book your place. Call +46 (0)707 401147 or email

*Terms and conditions: Applies to all public BSI UK training courses, taking place in July and August 2020 via Connected Learning Live only. Call our training team on +46 (0)707 401147 or email for more information. Second delegate must attend the same course date as the first delegate. Moves, changes and cancellations are not permitted. Payment required or invoice issued at the time of bookings. This offer does not apply to BSI re-sellers or Cybersecurity and BRCGS courses. Offer is for new BSI UK training bookings only. Offer is not to be used in conjunction with any other offer. Offer subject to availability of training courses. Bookings are non-transferable. All other terms and conditions for training courses apply.