ISO/IEC 13335-2

Published under Risk Management

ISO/IEC 13335-2 (ISO/IEC 27005)

Product identity card

General information
Basic information to identify the product

Method or tool name : ISO/IEC 13335-2: Management of information and communications technology security - Part2: Information security risk management. Remark: This standard is currently under development; completion is expected for 2006. Subject to endorsement of ISO JTC1 the title will change to ISO/IEC 27005 "Information security risk management"
Vendor name : ISO
Country of origin : International (organisation based in Switzerland)

Level of reference of the product
Details about the type of initiator of the product

International Standardization body : ISO

Specify the phases this method supports and a short description

R.A. Method phases supported

  • Risk identification : generic: chapter 5.2, examples: annex C, generic: chapter 5.2, 5.3, examples: annexes C, D
  • Risk analysis : generic: chapter 5.2, examples: annex C
  • Risk evaluation: generic: chapter 5.2, 5.3, examples: annexes C, D

R.M. Method phases supported

  • Risk assessment: generic: chapter 5, examples: annex D
  • Risk treatment : chapter 6, annex E
  • Risk acceptance : chapter 7
  • Risk communication : chapter 8

Brief description of the product

  • ISO/IEC IS 13335-2 is an ISO standard describing the complete process of information security Risk Management in a generic manner. The annexes contain examples of information security Risk Assessment approaches as well as lists of possible threats, vulnerabilities and security controls. ISO/IEC IS 13335-2 can be viewed at as the basic information Risk Management standard at international level, setting a framework for the definition of the Risk Management process.

Date of the first edition, date and number of actual version

Date of first release : 1998 (former ISO/IEC TR 13335-3 and 13335-4)
Date and identification of the last version : A new version is currently under development and expected to be finished in 2006. Presumably the numbering and the title will change to ISO/IEC 27005 "Information security risk management", subject to endorsement of ISO JTC1 . The current version as of January 2006: 1st CD.

Useful links
Link for further information

Official web site :
User group web site : N/A
Relevant web site : N/A

List the available languages that the tool supports

Availability in European languages : English

Specify the price for the method

  • € 100

Page top


Target organisations
Defines the most appropriate type of organisations the product aims at

  • Government, agencies
  • Large companies
  • SME
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : N/A

Geographical spread
Information concerning the spread of this tool

Used in EU member states : Many
Used in non-EU member states : Many

Level of detail
Specify the target kind of users

  • Management
  • Operational

License and certification scheme
Specify the licensing and certification schemes available for this method

Recognized licensing scheme : No
Existing certification scheme : No

Page top

Users viewpoint

Skills needed
Specify the level of skills needed to use and maintain the solution

  • To introduce : Standard
  • To use : Standard
  • To maintain : Standard

Consultancy support
Specify the kind of support available

Consultancy : Not necessary

Regulatory compliance
There is a given compliance of the product with international regulations

  • N/A

Compliance to IT standards
There is a compliance with a national or international standard

Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Availability : Download available (when published), but not for free

Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security

It is possible to measure the I.S.S. maturity level : No

Tools supporting the method
List of tools that support the product

Non commercial tools

Commercial tools

  • N/A

Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools

Tools can be integrated with other tools : No

Organisation processes integration
The method provides interfaces to existing processes within the organisation

Method provides interfaces to other organisational processes : Yes

Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.

Method allows use of sector adapted databases : No

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more