ISO/IEC 27005:2011英文版BS|So/EC27005:201
so/EC27005:2011E
9.2 Risk modification
22
9. 3 Risk retention
面BB1面面
9.4
Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance..
24
11
Information security risk communication and consultation
24
12
Information security ris k monitoring and review
25
12.1 Monitoring and review of risk factors
25
12.2 Risk management monitoring, review and improvement.....
26
Annex A(informative )Defining the scope and boundaries of the information security risk
management process
A1 Study of the organization..
28
A2 List of the constraints affecting the organization..
A3 List of the legislative and regulatory references applicable to the organization
31
A.4
List of the constraints affecting the scope
Annex B (informative) Identification and valuation of assets and impact assessment
量国
面面国
33
B. 1 Examples of asset identification
33
B.1.1 The identification of primary assets
33
0m-0sz
B12 List and description of supporting assets……………
34
B.2 Asset va| uation.…
38
B3 Impact assessment............
n41
Annex C (informative)Examples of typical threats
42
Annex D (informative) Vulnerabilities and methods for vulnerability assessment.....
D1 Examples of vulnerabilities
45
D2 Methods for assessment of technical vulnerabilities
n…48
Annex E(informative)Information security risk assessment approaches
50
E.1 High-level information security risk assessment.………
50
E2 Detailed information security risk assessment...-.............
E22 Example2 Ranking of Threats by Measures of RisK.………
51
E.2.1 Example 1 Matrix with predefined values
52
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks... 54
Annex F(informative) Constraints for risk modification..
面
56
Annex G(informative) Differences in definitions between ISO/EC 27005: 2008 and ISo/EC
27005:2011
58
Bibliography
68
O ISO/EC 2011-All rights reserved
BS ISO/EC27005:2011
ISO/EC27005:2011(E
Foreword
Iso(the International Organization for Standardization) and Ec(the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISo or EC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISo and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISONEC JTC 1
International Standards are drafted in accordance with the rules given in the ISo/EC Directives, Part 2
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 of the national bodies casting a vote
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. Iso and iEC shall not be held responsible for identifying any or all such patent rights
0m-0sz
ISO/EC 27005 was prepared by Joint Technical Committee ISO/EC JTC 1, Information technology
Subcommittee SC 27, / T Security techniques
This second edition cancels and replaces the first edition(ISO/EC 27005: 2008)which has been technically
revised
O ISO/EC 2011-All rights reserved
BS|So/EC27005:201
so/EC27005:2011E
Introduction
This International Standard provides guidelines for information security risk management in an organization
supporting in particular the requirements of an information security management(ISMS) according to
ISO/EC 27001. However, this International Standard does not provide any specific method for information
security risk management. It is up to the organization to define their approach to risk management, depending
for example on the scope of the ISMS, context of risk management, or industry sector. A number of existing
methodologies can be used under the framework described in this International Standard to implement the
requirements of an ISMS
This International Standard is relevant to managers and staff concerned with information security risk
management within an organization and, where appropriate, external parties supporting such activities
0m-0sz
O ISO/EC 2011-All rights reserved
BS ISO/EC27005:2011
INTERNATIONAL STANDARD
ISO/EC27005:2011(E
Information technology- Security techniques-Information
security risk management
1 Scope
This International Standard provides guidelines for information security risk management
This International standard supports the general concepts specified in iso/EC 27001 and is designed to
assist the satisfactory implementation of information security based on a risk management approach
Knowledge of the concepts, models, processes and terminologies described in ISo/EC 27001 and
ISO/EC 27002 is important for a complete understanding of this International Standard
This International Standard is applicable to all types of organizations (e.g. commercial enterprises,
0m-0sz
government agencies, non-profit organizations)which intend to manage risks that could compromise the
organizations information securit
2 Normative references
m
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document(including any amendments) applies
ISO/EC 27000, Information technology Security techniques Information security management
systems-Overview and vocabulary
ISO/EC 27001: 2005, Information technology Security techniques Information security management
systems- Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply
NOTE Differences in definitions between iso/ec 27005: 2008 and this international standard are shown in Annex g
3.1
consequence
outcome of an event( 3.3)affecting objectives
ISO Guide 73: 2009
NOTE 1 An event can lead to a range of consequences
NoTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative
nOtE 3 Consequences can be expressed qualitatively or quantitatively
NOTE 4 Initial consequences can escalate through knock-on effects
O ISO/EC 2011-All rights reserved
BS|So/EC27005:201
so/EC27005:2011E
32
control
measure that is modifying risk(3.9)
[SO Guide 73: 2009
structure, which can be administrative, technical, management, or legal in nature which modify information security Inal
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizati
NOTE 2 Controls may not always exert the intended or assumed modifying effect
NOTE 3 Control is also used as a synonym for safeguard or countermeasure
3.3
event
occurrence or change of a particular set of circumstances
[So Guide 73: 2009
noTE 1 An event can be one or more occurrences and can have several causes
NOTE 2 An event can consist of something not happening
0m-0sz
NOTE 3 An event can sometimes be referred to as an"incident or accident
3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73: 2009
NOTE External context can include
the cultural, social, political, legal, regulatory, financial, technological, economic, natural and
competitive environment, whether international, national, regional or local
key drivers and trends having impact on the objectives of the organization; and
relationships with, and perceptions and values of, external stakeholders
3.5
internal context
nternal environment in which the organization seeks to achieve its objectives
[SO Guide 73: 2009
N○TE
Internal context can include
governance, organizational structure, roles and accountabilities;
policies, objectives, and the strategies that are in place to achieve them
the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people
processes, systems and technologies):
information systems, information flows and decision-making processes(both formal and informal);
relationships with, and perceptions and values of, internal stakeholders
the organizations culture
standards, guidelines and models adopted by the organization; and
form and extent of contractual relationship
O ISO/EC 2011-All rights reserved
BS|SO/EC27005:2011
ISO/EC27005:2011(E)
3.6
level of risk
magnitude of a risk(3. 9), expressed in terms of the combination of consequences (3. 1)and their likelihood
(3.7)
[ISO Guide 73: 2009]
3.7
likelihood
chance of something happening
[ISo Guide 73: 2009]
NOTE 1 In risk management terminology, the word "likelihood"is used to refer to the chance of something happening
whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using
general terms or mathematically(such as a probability or a frequency over a given time period)
NOTE2 The English term"likelihood" does not have a direct equivalent in some languages; instead, the equivalent of
the term "probability is often used. However, in English, "probability"is often narrowly interpreted as a mathematical term
Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad
interpretation as the term "probability has in many languages other than English
3.8
0m-0sz
residual risk
risk (3. 9)remaining after risk treatment (3. 17)
[ISO Guide 73: 2009
NOTE 1 Residual risk can contain unidentified risk
NoTE 2 Residual risk can also be known as"retained risk
3.9
risk
effect of uncertainty on objectives
[ISO Guide 73: 20091
NOTE 1 An effect is a deviation from the expected -positive and/or negative
OTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and
environmental goals)and can apply at different levels (such as strategic, organization-wide, project, product and process
note 3 Risk is often characterized by reference to potential events(3.3 )and consequences(3.1), or a combination o
these
NoTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information
security event and the associated likelihood(3. 9)of occurrence
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood
NotE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information
asset or group of information assets and thereby cause harm to an organization.
3.10
risk analysis
rocess to comprehend the nature of risk and to determine the level of risk (3.6)
[SO Guide 73: 2009
O ISO/EC 2011-All rights reserved
BS|So/EC27005:201
so/EC27005:2011E
NoTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment
NoTE 2 Risk analysis includes risk estimation
3.11
risk assessment
overall process of risk identification(3. 15), risk analysis(3.10)and risk evaluation (3.14)
[So Guide 73: 2009
3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to
engage in dialogue with stakeholders( 3.18)regarding the management of risk(3. 9)
[So Guide 73: 2009]
NoTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and
treatment of risk
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders
on an issue prior to making a decision or determining a direction on that issue. Consultation is
0m-0sz
a process which impacts on a decision through influence rather than power; and
an input to decision making, not joint decision making
3.13
risk criteria
terms of reference against which the significance of a risk (3. 9)is evaluated
[So Guide 73: 2009]
NOTE 1 Risk criteria are based on organizational objectives, and external and internal context
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements
3.14
risk evaluation
process of comparing the results of risk analysis(3.10)with risk criteria(3. 13)to determine whether the risk
and/or its magnitude is acceptable or tolerable
[SO Guide 73: 2009]
NOTE
Risk evaluation assists in the decision about risk treatment
3.15
risk identification
process of finding, recognizing and describing risks
[ISO Guide 73: 2009]
NOTE 1 Risk identification involves the identification of risk sources, events their causes and their potential
consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and
stakeholders needs
O ISO/EC 2011-All rights reserved
BS|SO/EC27005:2011
ISO/EC27005:2011(E)
3.16
risk management
coordinated activities to direct and control an organization with regard to risk
[ SO Guide73:2009]
NOTE
This International Standard uses the term process to describe risk management overall. The elements withir
the risk management process are termed'activities
3.17
risk treatment
process to modify risk
[ISO Guide 73: 2009
NOTE 1 Risk treatment can inyolye
avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
taking or increasing risk in order to pursue an opportunity
removing the risk source
changing the likelihood
0m9
changing the consequences
sharing the risk with another party or parties(including contracts and risk financing); and
retaining the risk by informed choice
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation","risk
elimination"," risk prevention"and" risk reduction
NOtE3 Risk treatment can create new risks or modify existing risks
3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activit
[ISO Guide 73: 2009
NOTE
a decision maker can be a stakeholder
4 Structure of this International standard
This International Standard contains the description of the information security risk management process and
its activities
The background information is provided in Clause 5
a general overview of the information security risk management process is given in clause 6
All information security risk management activities as presented in Clause 6 are subsequently described in the
following clauses
Context establishment in clause 7
Risk assessment in Clause 8
Risk treatment in Clause 9
O ISO/EC 2011-All rights reserved
1298
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
