This blog is a membership based discussion forum on Project Management, Software Quality, CMMI® for development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to above subjects. Also, it is used by QualityMentors training participants to upload their personal details in a secured manner in line to the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact based decision making as an success enabler for projects in member organizations.
Alex Dali from The Global Institute for Risk Management Standards posted this question on LinkedIn group ISO 27001: "ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?" Here is my response: Answer to this question lies in the titles of the two standards referred by you. ISO 31000 is "Risk Management- Principles and Guidelines" while ISO 27005 is "IT-Security Techniques- Info Security Risk management". So which one is more appropriate for implementing information security? Obviously, ISO 27005. Alex, please let me know if you have different views. Thanks!
Comments are closed.