ISO/IEC 27005 is the international standard that provides guidelines for managing information security risk. It is not certifiable for organisations, but it is for individuals: the PECB Risk Manager certification qualifies you to lead risk management in line with the standard. And here is the key point: ISO/IEC 27005 is the piece that connects ISO 27001, NIS2 and DORA. Anyone who masters 27005 holds a cross-cutting skill that is valued across all three domains. In this article, I explain what the standard covers, what you will learn in the course and why it is one of the most useful investments in GRC.
What ISO/IEC 27005 is and why it matters
ISO/IEC 27005 is the international standard that provides guidelines for information security risk management. The version in force is ISO/IEC 27005:2022, aligned with ISO/IEC 27001:2022 and with the general risk management framework ISO 31000.
Unlike ISO/IEC 27001 (certifiable for organisations) or ISO/IEC 27002 (a code of good practice), ISO/IEC 27005 is a process-oriented standard: it tells you how to run rigorous, repeatable risk management that is compatible with any ISMS.
Its connection with 27001, NIS2 and DORA
Here is the key reading that many professionals do not fully grasp: ISO/IEC 27005 is the engine that turns the wheel on three fronts:
With ISO/IEC 27001: clause 6.1.2 of the standard requires a formal risk assessment. ISO 27005 provides the detailed methodology to do it (27001 tells you what, 27005 tells you how).
With NIS2: article 21 of the directive requires "policies on risk analysis and information security" as the first block of mandatory measures. A 27005 methodology is the natural way to meet this requirement.
With DORA: pillar 1 of the regulation is ICT risk management, with a formally defined risk management framework. ISO 27005 integrates into it directly.
As a result, getting certified in 27005 opens not one door but three at once.
The methodology, step by step
ISO/IEC 27005 defines a risk management cycle in six phases. They are worth knowing, because they are what structure the course:
- Context establishment. Assessment, acceptance and impact criteria. Without this, assessing risk is a subjective exercise.
- Risk identification. Assets, threats, vulnerabilities and existing controls.
- Risk analysis. Estimation of likelihood and impact, qualitative or quantitative methods.
- Risk evaluation. Comparison against the established criteria in order to prioritise.
- Risk treatment. Acceptance, mitigation, transfer or avoidance, with a documented treatment plan.
- Communication, monitoring and review. Living risk, not a report that stays at the bottom of a drawer.
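As an added illustration (not part of the article or of PECB's course material), the six phases above reduced to a small Python risk register: the context criteria are constants, identified risks are records with asset, threat, vulnerability and existing controls, analysis is a likelihood x impact matrix, evaluation compares the level with an acceptance threshold and prioritises, and treatment assigns one documented option per risk. The scales, the threshold, the sample risks and the rule that picks the treatment option are all constructed assumptions, not values the standard prescribes.

```python
from dataclasses import dataclass

# Context establishment (constructed criteria): likelihood and impact on 1..5
# scales, risk level = likelihood x impact, and levels <= 6 are acceptable.
ACCEPTANCE_THRESHOLD = 6

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    existing_controls: list
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (critical)

    def level(self) -> int:
        # Risk analysis: qualitative estimate on a 5x5 matrix.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact

def evaluate(risks):
    """Risk evaluation: compare each level with the acceptance criterion and
    return (risk, level, status) tuples sorted highest first (prioritised)."""
    scored = []
    for r in risks:
        lvl = r.level()
        scored.append((r, lvl, "accept" if lvl <= ACCEPTANCE_THRESHOLD else "treat"))
    return sorted(scored, key=lambda t: t[1], reverse=True)

def treatment_plan(evaluated):
    """Risk treatment: one documented option per risk. The rule that picks the
    option is a constructed illustration, not something 27005 prescribes."""
    plan = {}
    for r, lvl, status in evaluated:
        if status == "accept":
            plan[r.asset] = "accept: within criteria, record and monitor"
        elif r.impact == 5 and r.likelihood >= 4:
            plan[r.asset] = "avoid or transfer: stop the activity or insure it"
        else:
            plan[r.asset] = "mitigate: add controls, then re-assess"
    return plan

SAMPLE_RISKS = [  # constructed register: asset, threat, vulnerability, controls, L, I
    Risk("Customer DB", "ransomware", "unpatched hypervisor", ["backups"], 4, 5),
    Risk("Public website", "defacement", "weak admin password", ["WAF"], 3, 2),
    Risk("HR laptops", "theft", "no disk encryption", [], 2, 4),
]
```

Calling `treatment_plan(evaluate(SAMPLE_RISKS))` yields the prioritised register with its treatment options; the monitoring and review phase is the periodic re-run of the same steps as likelihood, impact or controls change.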
What the Risk Manager course covers
The PECB Certified ISO/IEC 27005 Risk Manager course is a three-day training (PECB category C). The syllabus covers:
- Day 1: Introduction, context, risk identification, practical cases.
- Day 2: Analysis, evaluation, risk treatment and communication.
- Day 3: Review, simulations and the official PECB exam.
The approach is hands-on: we work with real templates (asset register, threat matrices, risk treatment plan, statement of applicability). You do not leave with theory alone, but with the deliverables you will produce from your very first project.
Risk Manager vs Lead Risk Manager: which to choose
PECB offers two certifications in 27005: Risk Manager (3 days) and Lead Risk Manager (5 days). The difference is one of scope:
Risk Manager qualifies you to execute the methodology on a specific project. It is the natural certification for a consultant or a professional who will work within an already existing ISMS.
Lead Risk Manager adds the steering of the risk management programme across the organisation, integration with other frameworks (ISO 31000, COSO ERM) and team management. It is the natural certification for a risk manager or a CRO.
If you work as a consultant or lead a project, start with Risk Manager. If you manage a programme or lead a team, go straight to Lead Risk Manager.
The exam and certification
The Risk Manager exam lasts two hours and covers the five competency domains (context, identification, analysis, evaluation, treatment). The course grants 21 CPD credits and, as with the rest of the PECB catalogue, the exam includes two attempts.
The certification also counts towards maintaining certified-professional status in CISA, CISM, CISSP, CRISC and other certifications that require CPD.
Anyone who masters ISO/IEC 27005 holds a cross-cutting skill: the same methodology serves ISO 27001, NIS2 and DORA. It is one of the few GRC certifications that pays off across three different regulations with a single training.
Training and getting certified
If you want to take the step towards the official PECB certification, the ISO/IEC 27005 Risk Manager course is the direct route: official PECB Self-Study to advance at your own pace, or with one-to-one coaching until you are ready for the exam, in the standards I teach as a PECB Certified Trainer.