ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management has been updated to reflect the new version of ISO/IEC 27001 and thus ensure it meets the needs of organizations.

Lock and network cable with computer keyboard background

Protecting the security of company’s and citizen’s information has never been so important, especially in the context of the new EU General Data Protection Regulation (GDPR) and after the recent Facebook and Cambridge Analytica data scandal.

With this update, this standard will provide more accurate guidelines for information security risk management to assist the satisfactory implementation of information security based on a risk management approach.

It will help to demonstrate to customers that an organization could be trusted, as robust risk processes would be in place to protect their data.

EA involvement in information security risk management

To ensure responsive reactions to new market developments and responses to public policy demands, EA contributed to the implementation of the EU General Data Protection Regulation (GDPR) by promoting the use of accreditation by National Accreditation Bodies.EA prepared information materials on the GDPR for its members, for use in their discussions with their national authorities. In April 2018, EA also participated in a Stakeholder workshop, which took place in the framework of a study, supervised by the Directorate-General for Justice and Consumers.
The aims were to:

  • analyze existing certifications;
  • provide recommendations for requirements in data protection certification mechanisms, accreditation criteria, and technical standards;
  • provide relevant output to support the establishment of data protection certification mechanisms/schemes and development of data protection seals and marks pursuant to Articles 42 and 43 of the General Data Protection Regulation (EU) 2016/679.

In the meantime, EA supported the European Commission regarding the proposed new regulation concerning ENISA, the EU Agency for Network and Information Security, on Information and Communication Technology cybersecurity certification (‘’Cybersecurity Act’’). EA and its members are involved to provide information about accreditation and the European Accreditation Infrastructure to support the preparation of the EU Cybersecurity Certification Framework.

This regulation will cover the voluntary certification of ICT (Information and Communication Technologies) products and services and the related accreditation of the Conformity Assessment Bodies.

In an area where confidence is the key word, EA Members and accredited CABs have a major role to play to support regulations in data protection and cybersecurity. Indeed, securing network and information systems in the European Union is essential to keep the online economy running and to ensure prosperity while protecting citizens and consumers on their personal data.