ISO/IEC 27005:2011-EN download
Resource description
ISO/IEC 27005:2011 English version (BS ISO/IEC 27005:2011, ISO/IEC 27005:2011(E))
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
12.1 Monitoring and review of risk factors
12.2 Risk management monitoring, review and improvement
Annex A (informative) Defining the scope and boundaries of the information security risk management process
A.1 Study of the organization
A.2 List of the constraints affecting the organization
A.3 List of the legislative and regulatory references applicable to the organization
A.4 List of the constraints affecting the scope
Annex B (informative) Identification and valuation of assets and impact assessment
B.1 Examples of asset identification
B.1.1 The identification of primary assets
B.1.2 List and description of supporting assets
B.2 Asset valuation
B.3 Impact assessment
Annex C (informative) Examples of typical threats
Annex D (informative) Vulnerabilities and methods for vulnerability assessment
D.1 Examples of vulnerabilities
D.2 Methods for assessment of technical vulnerabilities
Annex E (informative) Information security risk assessment approaches
E.1 High-level information security risk assessment
E.2 Detailed information security risk assessment
E.2.1 Example 1 Matrix with predefined values
E.2.2 Example 2 Ranking of Threats by Measures of Risk
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks
Annex F (informative) Constraints for risk modification
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011
Bibliography
© ISO/IEC 2011 - All rights reserved
BS ISO/IEC 27005:2011
ISO/IEC 27005:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27005:2008), which has been technically revised.
Introduction
This International Standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) according to ISO/IEC 27001. However, this International Standard does not provide any specific method for information security risk management. It is up to the organization to define its approach to risk management, depending for example on the scope of the ISMS, the context of risk management, or the industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.

This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.
INTERNATIONAL STANDARD ISO/IEC 27005:2011(E)
Information technology - Security techniques - Information security risk management
1 Scope
This International Standard provides guidelines for information security risk management.

This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.

This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary

ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

NOTE Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.
3.1
consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
3.2
control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
3.3
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an "incident" or "accident".
3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
- the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives of the organization; and
- relationships with, and perceptions and values of, external stakeholders.
3.5
internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE Internal context can include:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- information systems, information flows and decision-making processes (both formal and informal);
- relationships with, and perceptions and values of, internal stakeholders;
- the organization's culture;
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.
3.6
level of risk
magnitude of a risk (3.9), expressed in terms of the combination of consequences (3.1) and their likelihood (3.7)
[ISO Guide 73:2009]
3.7
likelihood
chance of something happening
[ISO Guide 73:2009]
NOTE 1 In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
3.8
residual risk
risk (3.9) remaining after risk treatment (3.17)
[ISO Guide 73:2009]
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as "retained risk".
3.9
risk
effect of uncertainty on objectives
[ISO Guide 73:2009]
NOTE 1 An effect is a deviation from the expected, positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.3) and consequences (3.1), or a combination of these.
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood (3.7) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
3.10
risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)
[ISO Guide 73:2009]
NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.
3.11
risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)
[ISO Guide 73:2009]
3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)
[ISO Guide 73:2009]
NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
- a process which impacts on a decision through influence rather than power; and
- an input to decision making, not joint decision making.
3.13
risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated
[ISO Guide 73:2009]
NOTE 1 Risk criteria are based on organizational objectives, and external and internal context
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements
3.14
risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk and/or its magnitude is acceptable or tolerable
[ISO Guide 73:2009]
NOTE Risk evaluation assists in the decision about risk treatment.
3.15
risk identification
process of finding, recognizing and describing risks
[ISO Guide 73: 2009]
NOTE 1 Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.
3.16
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2009]
NOTE This International Standard uses the term "process" to describe risk management overall. The elements within the risk management process are termed "activities".
3.17
risk treatment
process to modify risk
[ISO Guide 73:2009]
NOTE 1 Risk treatment can involve:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk with another party or parties (including contracts and risk financing); and
- retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3 Risk treatment can create new risks or modify existing risks.
3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
[ISO Guide 73:2009]
NOTE A decision maker can be a stakeholder.
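The definitions in 3.6 through 3.17 compose into one pipeline: analysis combines likelihood (3.7) and consequence (3.1) into a level of risk (3.6), evaluation compares that level with the risk criteria (3.13), and treatment (3.17) yields a residual risk (3.8) that is evaluated again. The following script is an added illustration of that composition, not text or method from ISO/IEC 27005, which deliberately prescribes no method. The 5-point ordinal scales, the product as the combination rule, the acceptance threshold, the sample register and the treatment plan are all assumptions made for the example.

```python
"""Illustrative model of the ISO/IEC 27005 risk vocabulary (added example).

Assumptions, not taken from the standard: 5-point ordinal scales, ordinal
product as the combination rule, a single numeric acceptance criterion, and
the sample register and treatment plan below.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # assumed 5-point ordinal scale for likelihood and consequence


class Treatment(Enum):
    """Treatment options listed in 3.17 (risk treatment)."""
    AVOID = "avoid"    # do not start/continue the activity giving rise to the risk
    MODIFY = "modify"  # change likelihood and/or consequences
    SHARE = "share"    # share (part of) the consequences with another party
    RETAIN = "retain"  # keep the risk by informed choice


@dataclass(frozen=True)
class Risk:
    name: str         # risk as described during identification (3.15)
    likelihood: int   # 3.7, on the assumed scale
    consequence: int  # 3.1, on the assumed scale

    def __post_init__(self):
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"{self.name}: likelihood and consequence must be in 1..5")


def level_of_risk(risk: Risk) -> int:
    """3.6 level of risk: a combination of consequence and likelihood.
    Assumed combination rule: ordinal product (1..25). A predefined matrix
    (Annex E.2.1) is the usual alternative; any monotone rule plays the same role."""
    return risk.likelihood * risk.consequence


def evaluate(risk: Risk, risk_criteria: int) -> bool:
    """3.14 risk evaluation: compare the analysed level with the risk criteria (3.13).
    The criterion here is the assumed highest acceptable level of risk."""
    return level_of_risk(risk) <= risk_criteria


def treat(risk: Risk, option: Treatment, likelihood_delta: int = 0,
          consequence_delta: int = 0) -> Optional[Risk]:
    """3.17 risk treatment. Returns the residual risk (3.8), or None when the
    activity is avoided. Residual values are clamped to the bottom of the scale:
    a control reduces but never removes risk (3.2 NOTE 2, 3.8 NOTE 1)."""
    if option is Treatment.AVOID:
        return None
    if option is Treatment.RETAIN:
        return risk
    if option is Treatment.SHARE:
        # sharing moves consequences to another party; the event is no less likely
        likelihood_delta = 0
    return Risk(
        risk.name,
        max(min(SCALE), risk.likelihood - likelihood_delta),
        max(min(SCALE), risk.consequence - consequence_delta),
    )


# name -> (option, likelihood reduction, consequence reduction)
Plan = Dict[str, Tuple[Treatment, int, int]]


def run_register(register: List[Risk], risk_criteria: int, plan: Plan) -> Dict[str, dict]:
    """Assessment (3.11) followed by treatment: per risk, the analysed and residual
    levels and whether each is acceptable against the criteria. Risks absent from
    the plan are retained by informed choice."""
    report = {}
    for risk in register:
        option, dl, dc = plan.get(risk.name, (Treatment.RETAIN, 0, 0))
        residual = treat(risk, option, dl, dc)
        report[risk.name] = {
            "level": level_of_risk(risk),
            "acceptable": evaluate(risk, risk_criteria),
            "treatment": option.value,
            "residual_level": None if residual is None else level_of_risk(residual),
            "residual_acceptable": True if residual is None else evaluate(residual, risk_criteria),
        }
    return report


# Constructed sample register, criteria and plan (assumptions for the example).
SAMPLE_REGISTER = [
    Risk("unpatched internet-facing server exploited", likelihood=4, consequence=5),
    Risk("laptop with customer data lost", likelihood=3, consequence=4),
    Risk("legacy file-transfer service misused", likelihood=2, consequence=5),
    Risk("office printer queue leaks document names", likelihood=2, consequence=1),
]
SAMPLE_CRITERIA = 8  # assumed: a level above 8 is not acceptable
SAMPLE_PLAN: Plan = {
    "unpatched internet-facing server exploited": (Treatment.MODIFY, 3, 1),  # patching, segmentation
    "laptop with customer data lost": (Treatment.SHARE, 0, 2),               # insurance contract
    "legacy file-transfer service misused": (Treatment.AVOID, 0, 0),        # decommission
}

if __name__ == "__main__":
    for name, row in run_register(SAMPLE_REGISTER, SAMPLE_CRITERIA, SAMPLE_PLAN).items():
        print(f"{name}: {row}")
```

Two design points follow directly from the definitions: `treat` never returns a level below the bottom of the scale, because 3.8 NOTE 1 says residual risk can still contain unidentified risk and 3.2 NOTE 2 says a control may not exert its assumed effect; and sharing leaves likelihood untouched, since a contract or insurance changes who bears the consequences, not whether the event occurs.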
4 Structure of this International Standard
This International Standard contains the description of the information security risk management process and its activities.

The background information is provided in Clause 5.

A general overview of the information security risk management process is given in Clause 6.

All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses:
- Context establishment in Clause 7
- Risk assessment in Clause 8
- Risk treatment in Clause 9