Compare 14 ISO/IEC 27005 implementation partners delivering information security risk management programmes aligned with the 2022 revision, covering risk identification, analysis, evaluation, and treatment integrated with an ISO 27001 information security management system. Engagements cover the risk management framework establishment, the context determination including internal and external issues and interested parties, the risk criteria definition for acceptance and impact, the asset-based and event-based risk identification approaches, the qualitative and quantitative risk analysis methods, the risk treatment plan and Statement of Applicability mapping, the integration with ISO 31000 enterprise risk management and the NIST CSF 2.0 and CIS Controls v8 control libraries, and the operational handover including risk register tooling, KRI design, and management review cadence. Listings cover Big Four risk practices, dedicated ISO advisory firms, accredited certification bodies, India-heritage SIs, and the boutique risk consultancies handling the methodology-heavy work. No partner pays for placement on this directory.
ISO 27005 programmes break into four workstreams. Context and framework, where the partner establishes the risk management context under ISO 27005:2022, defines the risk owner roles, sets the risk acceptance criteria aligned with organisational risk appetite, configures the risk register tooling (ServiceNow IRM, Archer, OneTrust, MetricStream, LogicGate), and integrates the framework with the ISO 27001 ISMS scope and Statement of Applicability. Risk identification, where the partner runs the asset-based identification mapping information assets, primary and supporting assets, and their dependencies, alongside the event-based identification focused on threats, vulnerabilities, and the scenarios most likely to drive material impact. The 2022 revision allows both approaches in parallel and partners typically combine them rather than choosing one. Risk analysis and evaluation, where the partner applies qualitative scales for likelihood and impact, layered with quantitative methods (FAIR, Monte Carlo) for material risks, and produces the prioritised risk register with treatment options aligned to ISO 27001 Annex A controls and supplementary frameworks like NIST CSF 2.0, CIS Controls v8, and sector-specific lists. Risk treatment and monitoring, where the partner builds the risk treatment plan with mitigate, transfer, accept, and avoid decisions documented per risk, designs the KRIs and monitoring cadence, and operates the management review cycle and the residual risk acceptance workflow.
Three procurement archetypes recur. Accredited certification bodies and ISO specialists (BSI, DNV, TUV SUD, Schellman) lead at organisations preparing for or holding ISO 27001 certification, where methodology rigour and audit-firm relationship determine the outcome. Big Four risk practices (Deloitte, PwC, KPMG, EY) lead at regulated and listed enterprises where ISO 27005 sits inside a broader enterprise risk programme spanning operational, financial, and regulatory risk, and where the audit committee dialogue matters. Quantitative and threat-led boutiques (Fox-IT, Control Risks, Kroll) lead where threat intelligence, FAIR-based quantification, or geopolitical risk add material value, particularly for critical infrastructure, financial services, and government work. Friction point: ISO 27005 is methodology guidance rather than mandatory specification, and consultants often over-engineer risk taxonomies that the operational risk team cannot sustain. The most expensive failures are heavy registers that fall stale within a year because no one owns the update cadence. Buyers should insist on a sustainable register design before paying for advanced quantification.
For complementary research see GRC platforms, risk quantification tools, vendor risk platforms, policy management software, and threat intelligence platforms. For adjacent services see ISO 27001 implementation, NIST CSF implementation, IT governance and compliance, vCISO services, identity security consulting, and cybersecurity services.
Tell us what you're evaluating and we'll send a tailored shortlist of vendors that actually fit — no vendor funding, no pay-to-play.
6,000+ vendors · 893 comparisons · 48 country guides · Independent & vendor-neutral