Skip to main content
Image coming soon

ISO/IEC 27005:2022 Information Security Risk Evidence & Implementation Kit

$249.00
Adding to cart… The item has been added
ISO/IEC 27005:2022 · Information Security Risk · Evidence & Implementation Kit
Run the ISO 27001 risk process to ISO 27005, without designing the risk methodology yourself.
Every ISO 27005 step handed to you as an adopt-ready control, from context and risk criteria through identification, treatment and the Statement of Applicability, with the evidence an ISO 27001 auditor examines.
Risk-assessment-ready in a weekend, not a quarter.

Here is the honest situation. ISO 27001 stands or falls on the risk assessment, and ISO 27005 is the standard that tells you how to run it: establishing context and risk criteria, identifying risks by an asset-based or event-based approach, analysing and evaluating them, treating them, and producing the Statement of Applicability and risk treatment plan with risk-owner approval. Building that methodology, running it, and evidencing it, is weeks of work, and a risk assessment that does not trace to the Statement of Applicability is the finding an ISO 27001 auditor raises first.

This Kit removes that build. It is every ISO 27005 step written as an adopt-ready control you personalize in a weekend, with the evidence an auditor examines.

What you get, the moment you buy

30
Steps as adopt-ready controls. Every ISO 27005 step, from context and criteria through identification, analysis, treatment and the Statement of Applicability, written so you personalize and run it. The asset-based and event-based approaches are built in.
30
Evidence-they-examine checklists. For each step, exactly what an ISO 27001 auditor examines, plus the finding they most often raise, so you close it before the audit.
1
Risk Management Control Matrix, pre-built. Every step in a working spreadsheet, ready to record status and evidence location across the risk process.
1
Gap & Readiness Assessment. Score each step and the workbook returns your readiness as a single percentage, and exactly what to fix next.

Grounded in ISO/IEC 27005:2022, aligned to ISO 27001 and ISO 31000, with the asset-based and event-based identification approaches and the Statement of Applicability called out. Editable Word and Excel files.

The risk assessment must trace to the SoA
An ISO 27001 auditor follows the thread from risk to control to the Statement of Applicability to the risk treatment plan. ISO 27005 builds that traceability. This Kit makes it explicit, so the chain an auditor tests is complete and evidenced end to end.

What one control looks like

This is risk identification by the asset-based approach, a choice the 2022 revision makes explicit. All 30 are built to this depth.

7.2 Apply the asset-based identification approach RISK IDENTIFICATION
Implement this

[Organization] shall, where the asset-based approach is used, identify information assets within scope, the threats applicable to each asset, and the vulnerabilities that those threats could exploit, and shall combine these into risk scenarios describing how the confidentiality, integrity, or availability of each asset could be compromised.

Practitioner note.

The asset-based approach suits detailed operational analysis; it can be resource intensive for large asset populations.

Evidence your auditor examines
  • Inventory of in-scope information assets with owners
  • Threat catalogue mapped to asset types
  • Vulnerability assessment or register linked to assets
  • Asset-based risk scenarios recorded in the risk register
Common finding they raise: Asset, threat, and vulnerability data are held separately and never combined into concrete risk scenarios.

Why this is not another template pack

  • The evidence is the point. A risk process you cannot evidence fails the audit. This tells you exactly what an auditor examines and the finding they raise, for every step.
  • Aligned to the 2022 revision. The asset-based and event-based identification approaches and the determine-controls-then-compare-to-Annex-A ordering match the 2022 standard, not an old reading.
  • Built on a mapped compliance corpus, not one person's opinion, from a graph of thousands of controls across standards.
  • It compounds. ISO 27005 drives the ISO 27001 risk requirements and follows ISO 31000, so this work is the engine of your whole ISMS.

Who buys this

Organizations running an ISO 27001 ISMS, the risk and security managers who own the risk assessment, and consultants building a risk methodology. Whether it is a first assessment or a maturity uplift, you save weeks and walk in with the methodology, the SoA and the evidence structured.

By the end of the weekend you will have
✓  An adopt-ready control for all 30 steps
✓  A completed risk management control matrix
✓  The evidence your auditor examines
✓  Your risk methodology and SoA anchored
✓  A readiness percentage and a fix list
✓  The common findings closed before the audit

Common questions

Is it really editable? Yes. Word and Excel files you own and adapt. No portal, no subscription.

How does it relate to ISO 27001? ISO 27005 is the guidance for the ISO 27001 risk requirements (clauses 6.1.2, 6.1.3, 8.2, 8.3). This Kit builds that risk process and its evidence.

Asset-based or event-based? Both. The 2022 revision makes the two identification approaches explicit, and the Kit builds each as a selectable control.

Does it produce the Statement of Applicability? It builds the risk treatment and the Statement of Applicability as controls, with risk-owner approval and residual-risk acceptance.

What if it is not for me? A 30-day money-back guarantee.

Do not design a risk methodology from a blank page.
Every ISO 27005 step is fast to adopt with the Kit. It is instant, and it is guaranteed.
Add it to your cart and run your risk assessment this weekend.

Instant digital download · 30-day money-back guarantee · The Art of Service Pty Ltd, GPO Box 2673, Brisbane QLD 4001 · support@theartofservice.com