Risk management is dogged by too many separate camps, each doing its own thing, calling it risk management, and oblivious to the different ways in which the other camps manage risk. It is hence very pleasing to notice that ISO and IEC appear to be making serious and concerted efforts to increase the consistency of their risk management guidance. ISO/IEC 27005:2011 is their recently revised standard for information security risk management. In this press release, Alan Calder, CEO of IT Governance, said the following about the new 27005 standard:
…it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management.
Managing risk well necessitates a comprehensive and fair understanding of all the risks faced by the business. The progress being made by ISO and IEC is leading the risk profession in the right direction.