SIST ISO/IEC 27000:2011
Information technology - Security techniques - Information security management systems - Overview and vocabulary
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.
This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire
ISO/IEC 27000:2009 provides an overview of information security management systems (ISMS); this overview forms the subject of the ISMS family of standards, and it defines the related terms. Following implementation of ISO/IEC 27000:2009, all types of organizations (for example commercial enterprises, government agencies and non-profit organizations) are expected to obtain
an overview of the ISMS family of standards,
an introduction to ISMS,
a brief description of the Plan-Do-Check-Act (PDCA) process, and
the terms and definitions used in the ISMS family of standards.
The objectives of ISO/IEC 27000:2009 are to provide terms and definitions, and an introduction to the ISMS family of standards, which
define requirements for an ISMS and for those certifying such systems,
provide direct support, detailed guidance and/or interpretation of the overall Plan-Do-Check-Act (PDCA) processes and requirements,
address sector-specific guidelines for ISMS, and
address conformity assessment for ISMS.
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazoslovje
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.
This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 27000
First edition
2009-05-01
Information technology — Security
techniques — Information security
management systems — Overview and
vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes
de gestion de la sécurité des informations — Vue d'ensemble et
vocabulaire
Reference number
ISO/IEC 27000:2009(E)
© ISO/IEC 2009
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved
Contents Page
Foreword. iv
0 Introduction . v
1 Scope . 1
2 Terms and definitions. 1
3 Information security management systems . 6
3.1 Introduction . 6
3.2 What is an ISMS?. 7
3.3 Process approach. 8
3.4 Why an ISMS is important. 9
3.5 Establishing, monitoring, maintaining and improving an ISMS . 10
3.6 ISMS critical success factors . 11
3.7 Benefits of the ISMS family of standards. 11
4 ISMS family of standards . 12
4.1 General information. 12
4.2 Standards describing an overview and terminology . 13
4.3 Standards specifying requirements. 13
4.4 Standards describing general guidelines . 14
4.5 Standards describing sector-specific guidelines. 15
Annex A (informative) Verbal forms for the expression of provisions . 16
Annex B (informative) Categorized terms. 17
Bibliography . 19
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a
management system. This model incorporates the features on which experts in the field have reached a
consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee
dedicated to the development of international management systems standards for information security,
otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for
managing the security of their information assets and prepare for an independent assessment of their ISMS
applied to the protection of information, such as financial information, intellectual property, and employee
details, or information entrusted to them by customers or third parties.
0.2 ISMS family of standards 1)
The ISMS family of standards is intended to assist organizations of all types and sizes to implement and
operate an ISMS. The ISMS family of standards consists of the following International Standards, under the
general title Information technology — Security techniques:
⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security
management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011, Information security management guidelines for telecommunications organizations based
on ISO/IEC 27002
NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared
by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
International Standards not under the same general title that are also part of the ISMS family of standards are
as follows:
⎯ ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
1) Standards identified throughout this subclause with no release year indicated are still under development.
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, which form
the subject of the ISMS family of standards, and defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the
ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA)
processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
⎯ cover commonly used terms and definitions in the ISMS family of standards;
⎯ will not cover all terms and definitions applied within the ISMS family of standards; and
⎯ do not limit the ISMS family of standards in defining terms for own use.
Standards addressing only the implementation of controls, as opposed to addressing all controls, from
ISO/IEC 27002 are excluded from the ISMS family of standards.
To reflect the changing status of the ISMS family of standards, this International Standard is expected to be
continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards.
INTERNATIONAL STANDARD ISO/IEC 27000:2009(E)
Information technology — Security techniques — Information
security management systems — Overview and vocabulary
1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.
This International Standard is applicable to all types of organization (e.g. commercial enterprises, government
agencies, non-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its
entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition.
For example:
attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of an asset (2.3)”;
asset is defined as “anything that has value to the organization”.
If the term “asset” is replaced by its definition:
attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of anything that has value to the organization”.
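The substitution rule described in the note above, as an added example that is not part of the standard: a small Python expander over a constructed subset of the clause 2 entries (entry numbers and wording are taken from this page; the `Entry` and `expand` names are assumptions of mine, and control (2.10) is deliberately left out of the subset to show how an unresolved reference is reported rather than silently dropped).

```python
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Entry:
    term: str
    definition: str


# Constructed subset of ISO/IEC 27000:2009 clause 2, keyed by entry number.
# Cross-references keep the document's own "term (2.x)" form. Entry 2.10
# (control) is deliberately omitted to exercise the unresolved-reference path.
GLOSSARY: Dict[str, Entry] = {
    "2.3": Entry("asset", "anything that has value to the organization"),
    "2.4": Entry("attack", "attempt to destroy, expose, alter, disable, steal or gain "
                 "unauthorized access to or make unauthorized use of an asset (2.3)"),
    "2.15": Entry("event", "occurrence of a particular set of circumstances"),
    "2.24": Entry("information security risk", "potential that a threat (2.45) will exploit a "
                  "vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause "
                  "harm to the organization"),
    "2.30": Entry("procedure", "specified way to carry out an activity or a process (2.31)"),
    "2.31": Entry("process", "set of interrelated or interacting activities which transforms "
                  "inputs into outputs"),
    "2.34": Entry("risk", "combination of the probability of an event (2.15) and its consequence"),
    "2.45": Entry("threat", "potential cause of an unwanted incident, which may result in harm "
                  "to a system or organization"),
    "2.46": Entry("vulnerability", "weakness of an asset (2.3) or control (2.10) that can be "
                  "exploited by a threat (2.45)"),
}

# A cross-reference is the entry number in parentheses, e.g. "(2.3)".
REF = re.compile(r"\((2\.\d+)\)")


def _term_pattern(term: str) -> str:
    """Regex alternation for a term and its simple plural forms (asset/assets, policy/policies)."""
    forms = {term, term + "s", term + "es"}
    if term.endswith("y"):
        forms.add(term[:-1] + "ies")
    # Longest form first so "processes" is not matched as "process" with "es" left over.
    return "|".join(re.escape(f) for f in sorted(forms, key=len, reverse=True))


def expand(number: str, glossary: Dict[str, Entry], max_depth: int = 10) -> Tuple[str, Set[str]]:
    """Return the definition of entry `number` with every "term (2.x)" reference replaced
    by the referenced definition, applied recursively, plus the set of entry numbers that
    could not be resolved. The printed standard drops the article before the boldface term
    (its example turns "an asset (2.3)" into "anything that has value ..."), so an optional
    a/an/the is consumed with the term. `max_depth` bounds the recursion so a cyclic
    glossary cannot loop forever.
    """
    unresolved: Set[str] = set()

    def _expand(num: str, depth: int) -> str:
        text = glossary[num].definition
        if depth >= max_depth:
            return text  # stop expanding; leave the references as written
        for ref in set(REF.findall(text)):
            if ref not in glossary:
                unresolved.add(ref)  # not every term is defined in this clause
                continue
            pat = re.compile(r"\b(?:(?:a|an|the)\s+)?(?:%s)\s*\(%s\)"
                             % (_term_pattern(glossary[ref].term), re.escape(ref)))
            # A function replacement inserts the text literally (no backslash handling).
            text = pat.sub(lambda _m, r=ref: _expand(r, depth + 1), text)
        return text

    return _expand(number, 0), unresolved


if __name__ == "__main__":
    for num in ("2.4", "2.24"):
        full, missing = expand(num, GLOSSARY)
        print(f"{num} {GLOSSARY[num].term}: {full}")
        if missing:
            print(f"  unresolved references: {sorted(missing)}")
```

Running it reproduces the standard's own attack example verbatim, and shows that a reference to an entry outside the subset (control (2.10)) is kept as written and reported.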
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security
requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE There are many types of assets, including:
a) information (2.18);
b) software, such as a computer program;
c) physical, such as computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of
an asset (2.3)
2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
(2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or
organizational structures, which can be administrative, technical, management, or legal in nature
NOTE Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the results achieved and how well the resources have been used
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what is expected to be done to achieve an objective
2.17
impact
adverse change to the level of business objectives achieved
2.18
information asset
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and
reliability (2.33) can also be involved.
2.20
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be
security relevant
2.21
information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant
probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, dealing with, and learning from
information security incidents (2.21)
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement,
operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby
cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the
objectives of the organization
2.27
non-repudiation
ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to
resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of
entities in the event (2.15)
2.28
policy
overall intention and direction as formally expressed by management
2.29
preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
2.36
risk analysis
systematic use of information to identify sources and to estimate risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the
significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35),
risk communication (2.38), risk monitoring and risk review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and
applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)
3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store, and transmit large amounts of information;
b) recognise that information, and related processes, systems, networks and people are important assets for
achieving organization objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for example,
flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally
based on information being considered as an asset which has a value requiring appropriate protection, for
example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete
information to be available in a timely manner to those with an authorized need is a catalyst for business
efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information security
effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal
compliance and image. These coordinated activities directing the implementation of suitable controls and
treating unacceptable information security risks are generally known as elements of information security
management.
As information security risks and the effectiveness of controls change depending on shifting circumstances,
organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its
policy and objectives for information security and achieve those objectives effectively by using a management
system.
3.2 What is an ISMS?
3.2.1 Overview and principles
An ISMS (Information Security Management System) provides a model for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve
business objectives based upon a risk assessment and the organization's risk acceptance levels designed to
effectively treat and manage risks. Analysing requirements for the protection of information assets and
applying appropriate controls to ensure the protection of these information assets, as required, contributes to
the successful implementation of an ISMS. The following fundamental principles also contribute to the
successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.
3.2.2 Information
Information is an asset that, like other important business assets, is essential to an organization's business
and consequently needs to be suitably protected. Information can be stored in many forms, including: digital
form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as
unrepresented information in the form of knowledge of the employees. Information may be transmitted by
various means including: courier, electronic or verbal communication. Whatever form information takes, or the
means by which the information is transmitted, it always needs appropriate protection.
An organization's information is dependent upon information and communications technology. This technology
is an essential element in any organization and assists in facilitating the creation, processing, storing,
transmitting, protection and destruction of information. Where the extent of the interconnected global business
environment expands so does the requirement to protect information as this information is now exposed to a
wider variety of threats and vulnerabilities.
3.2.3 Information security
Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of
ensuring sustained business success and continuity, and in minimising impacts, information security involves
the application and management of appropriate security measures that involves consideration of a wide range
of threats.
Information security is achieved through the implementation of an applicable set of controls, selected through
the chosen risk management process and managed using an ISMS, including policies, processes, procedures,
organizational structures, software and hardware to protect the identified information assets. These controls
need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the
specific security and business objectives of the organization are met. Relevant information security controls
are expected to be seamlessly integrated with an organization's business processes.
3.2.4 Management
Management involves activities to direct, control and continually improve the organization within appropriate
structures. Management activities include the act, manner, or practice of organizing, handling, directing,
supervising, and controlling resources. Management structures extend from one person in a small
organization to management hierarchies consisting of many individuals in large organizations.
In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve
business objectives through the protection of the organization's information assets. Management of
information security is expressed through the formulation and use of information security policies, standards,
procedures and guidelines, which are then applied throughout the organization by all individuals associated
with the organization.
NOTE The term “management” may sometimes refer to people (i.e. a person or group of people with authority and
responsibility for the conduct and control of an organization). The term “management” addressed in this clause is not in
this sense.
3.2.5 Management system
A management system uses a framework of resources to achieve an organization's objectives. The
management system includes organizational structure, policies, planning activities, responsibilities, practices,
procedures, processes and resources.
In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other stakeholders;
b) improve an organization's plans and activities;
c) meet the organization's information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and adjustment to
current organizational goals and to the environment.
3.3 Process approach
Organizations need to identify and manage many activities in order to function effectively and efficiently. Any
activity using resources needs to be managed to enable the transformation of inputs into outputs using a set
of interrelated or interacting activities – this is also known as a process. The output from one process can
directly form the input to another process and generally this transformation is carried out under planned and
controlled conditions. The application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management, can be referred to as a “process
approach”.
The process approach for the ISMS presented in the ISMS family of standards is based on the operating
principle adopted in ISO's management system standards commonly known as the Plan – Do – Check – Act
(PDCA) process.
a) Plan – establish objectives and make plans (analyze the organization's situation, establish the overall
objectives and set targets, and develop plans to achieve them);
b) Do – implement plans (do what was planned to do);
c) Check – measure results (measure/monitor the extent to which achievements meet planned objectives);
and
d) Act – correct and improve activities (learn from mistakes to improve activities to achieve better results).
3.4 Why an ISMS is important
As part of an organization's ISMS, risks associated with an organization's information assets need to be
addressed. Achieving information security requires the management of risk, and encompasses risks from
physical, human and technology related threats associated with all forms of information within or used by the
organization.
The adoption of an ISMS is expected to be a strategic decision for an organization and it is necessary that this
decision is seamlessly integrated, scaled and updated in accordance with the needs of the organization.
The design and implementation of an organization's ISMS is influenced by the needs and objectives of the
organization, security requirements, the business processes employed and the size and structure of the
organization. The design
...
SLOVENIAN STANDARD
SIST ISO/IEC 27000:2011
01 March 2011
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske
varnosti - Pregled in izrazoslovje
Information technology - Security techniques - Information security management systems
- Overview and vocabulary
Technologies de l'information - Techniques de sécurité - Systèmes de management de
la sécurité de l'information - Vue d'ensemble et vocabulaire
This Slovenian standard is identical to: ISO/IEC 27000:2009
ICS:
01.040.35 Information technology. Office machines (Vocabularies)
35.040 Character sets and information coding
SIST ISO/IEC 27000:2011 en,fr
2003-01. Slovenian Institute for Standardization. Reproduction in whole or in part of this standard is not permitted.
---------------------- Page: 1 ----------------------
SIST ISO/IEC 27000:2011
---------------------- Page: 2 ----------------------
SIST ISO/IEC 27000:2011
INTERNATIONAL ISO/IEC
STANDARD 27000
First edition
2009-05-01
Information technology — Security
techniques — Information security
management systems — Overview and
vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes
de gestion de la sécurité des informations — Vue d'ensemble et
vocabulaire
Reference number
ISO/IEC 27000:2009(E)
©
ISO/IEC 2009
---------------------- Page: 3 ----------------------
SIST ISO/IEC 27000:2011
ISO/IEC 27000:2009(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved
Contents
Foreword
0 Introduction
1 Scope
2 Terms and definitions
3 Information security management systems
3.1 Introduction
3.2 What is an ISMS?
3.3 Process approach
3.4 Why an ISMS is important
3.5 Establishing, monitoring, maintaining and improving an ISMS
3.6 ISMS critical success factors
3.7 Benefits of the ISMS family of standards
4 ISMS family of standards
4.1 General information
4.2 Standards describing an overview and terminology
4.3 Standards specifying requirements
4.4 Standards describing general guidelines
4.5 Standards describing sector-specific guidelines
Annex A (informative) Verbal forms for the expression of provisions
Annex B (informative) Categorized terms
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a
management system. This model incorporates the features on which experts in the field have reached a
consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee
dedicated to the development of international management systems standards for information security,
otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for
managing the security of their information assets and prepare for an independent assessment of their ISMS
applied to the protection of information, such as financial information, intellectual property, and employee
details, or information entrusted to them by customers or third parties.
0.2 ISMS family of standards 1)
The ISMS family of standards is intended to assist organizations of all types and sizes to implement and
operate an ISMS. The ISMS family of standards consists of the following International Standards, under the
general title Information technology — Security techniques:
⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security
management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011, Information security management guidelines for telecommunications organizations based
on ISO/IEC 27002
NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared
by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
International Standards not under the same general title that are also part of the ISMS family of standards are
as follows:
⎯ ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
1) Standards identified throughout this subclause with no release year indicated are still under development.
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, which form
the subject of the ISMS family of standards, and defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the
ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA)
processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
⎯ cover commonly used terms and definitions in the ISMS family of standards;
⎯ will not cover all terms and definitions applied within the ISMS family of standards; and
⎯ do not limit the ISMS family of standards in defining terms for own use.
Standards addressing only the implementation of controls, as opposed to addressing all controls, from
ISO/IEC 27002 are excluded from the ISMS family of standards.
To reflect the changing status of the ISMS family of standards, this International Standard is expected to be
continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards.
INTERNATIONAL STANDARD ISO/IEC 27000:2009(E)
Information technology — Security techniques — Information
security management systems — Overview and vocabulary
1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.
This International Standard is applicable to all types of organization (e.g. commercial enterprises, government
agencies, non-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its
entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition.
For example:
attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of an asset (2.3)”;
asset is defined as “anything that has value to the organization”.
If the term “asset” is replaced by its definition:
attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of anything that has value to the organization”.
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security
requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE There are many types of assets, including:
a) information (2.18);
b) software, such as a computer program;
c) physical, such as a computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of
an asset (2.3)
2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
(2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or
organizational structures, which can be administrative, technical, management, or legal in nature
NOTE Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the results achieved and how well the resources have been used
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what is expected to be done to achieve an objective
2.17
impact
adverse change to the level of business objectives achieved
2.18
information asset
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and
reliability (2.33) can also be involved.
2.20
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be
security relevant
2.21
information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant
probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, dealing with, and learning from
information security incidents (2.21)
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement,
operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby
cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the
objectives of the organization
2.27
non-repudiation
ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to
resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of
entities in the event (2.15)
2.28
policy
overall intention and direction as formally expressed by management
2.29
preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
2.36
risk analysis
systematic use of information to identify sources and to estimate risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the
significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35),
risk communication (2.38), risk monitoring and risk review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and
applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)
3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store, and transmit large amounts of information;
b) recognise that information, and related processes, systems, networks and people are important assets for
achieving organization objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for example,
flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally
based on information being considered as an asset which has a value requiring appropriate protection, for
example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete
information to be available in a timely manner to those with an authorized need is a catalyst for business
efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information security
effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal
compliance and image. These coordinated activities directing the implementation of suitable controls and
treating unacceptable information security risks are generally known as elements of information security
management.
As information security risks and the effectiveness of controls change depending on shifting circumstances,
organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its
policy and objectives for information security and achieve those objectives effectively by using a management
system.
3.2 What is an ISMS?
3.2.1 Overview and principles
An ISMS (Information Security Management System) provides a model for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve
business objectives based upon a risk assessment and the organization's risk acceptance levels designed to
effectively treat and manage risks. Analysing requirements for the protection of information assets and
applying appropriate controls to ensure the protection of these information assets, as required, contributes to
the successful implementation of an ISMS. The following fundamental principles also contribute to the
successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.
3.2.2 Information
Information is an asset that, like other important business assets, is essential to an organization's business
and consequently needs to be suitably protected. Information can be stored in many forms, including: digital
form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as
unrepresented information in the form of knowledge of the employees. Information may be transmitted by
various means including: courier, electronic or verbal communication. Whatever form information takes, or the
means by which the information is transmitted, it always needs appropriate protection.
An organization's information is dependent upon information and communications technology. This technology
is an essential element in any organization and assists in facilitating the creation, processing, storing,
transmitting, protection and destruction of information. Where the extent of the interconnected global business
environment expands so does the requirement to protect information as this information is now exposed to a
wider variety of threats and vulnerabilities.
3.2.3 Information security
Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of
ensuring sustained business success and continuity, and in minimising impacts, information security involves
the application and management of appropriate security measures that involves consideration of a wide range
of threats.
Information security is achieved through the implementation of an applicable set of controls, selected through
the chosen risk management process and managed using an ISMS, including policies, processes, procedures,
organizational structures, software and hardware to protect the identified information assets. These controls
need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the
specific security and business objectives of the organization are met. Relevant information security controls
are expected to be seamlessly integrated with an organization's business processes.
3.2.4 Management
Management involves activities to direct, control and continually improve the organization within appropriate
structures. Management activities include the act, manner, or practice of organizing, handling, directing,
supervising, and controlling resources. Management structures extend from one person in a small
organization to management hierarchies consisting of many individuals in large organizations.
In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve
business objectives through the protection of the organization's information assets. Management of
information security is expressed through the formulation and use of information security policies, standards,
procedures and guidelines, which are then applied throughout the organization by all individuals associated
with the organization.
NOTE The term “management” may sometimes refer to people (i.e. a person or group of people with authority and
responsibility for the conduct and control of an organization). The term “management” addressed in this clause is not in
this sense.
3.2.5 Management system
A management system uses a framework of resources to achieve an organization's objectives. The
management system includes organizational structure, policies, planning activities, responsibilities, practices,
procedures, processes and resources.
In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other stakeholders;
b) improve an organization's plans and activities;
c) meet the organization's information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and adjustment to
current organizational goals and to the environment.
3.3 Process approach
Organizations need to identify and manage many activities in order to function effectively and efficiently. Any
activity using resources needs to be managed to enable the transformation of inputs into outputs using a set
of interrelated or interacting activities – this is also known as a process. The output from one process can
directly form the input to another process and generally this transformation is carried out under planned and
controlled conditions. The application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management, can be referred to as a “process
approach”.
The process approach for the ISMS presented in the ISMS family of standards is based on the operating
principle adopted in ISO's management system standards commonly known as the Plan – Do – Check – Act
(PDCA) process.
a) Plan – establish objectives and ma
...
INTERNATIONAL STANDARD ISO/IEC 27000 (French edition)
First edition
2009-05-01
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Vue d'ensemble et vocabulaire
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Reference number
ISO/CEI 27000:2009(F)
© ISO/IEC 2009
French version published in 2010
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved
Contents
Foreword
0 Introduction
1 Scope
2 Terms and definitions
3 Information security management systems
3.1 Introduction
3.2 What is an ISMS?
3.3 Process approach
3.4 Why an ISMS is important
3.5 Establishing, monitoring, maintaining and improving an ISMS
3.6 ISMS critical success factors
3.7 Benefits of the ISMS family of standards
4 The ISMS family of standards
4.1 General information
4.2 Standards describing an overview and terminology
4.3 Standards specifying requirements
4.4 Standards describing general guidelines
4.5 Standards describing sector-specific guidelines
Annex A (informative) Verbal forms for the expression of provisions
Annex B (informative) Categorized terms
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO and IEC shall not be held responsible for failing to identify any such property rights or to give notice of their existence.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview
International Standards for management systems provide a model for setting up and operating a management system. This model incorporates the features that experts in the field agree reflect the international state of the art. Subcommittee ISO/IEC JTC 1 SC 27 draws on a committee of experts dedicated to the development of International Standards on management systems for information security, also known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS as applied to the protection of information, such as financial information, intellectual property, employee information, etc., or information entrusted to them by customers or third parties.
0.2 The ISMS family of standards 1)
The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an ISMS. Under the general title “Information technology — Security techniques”, the ISMS standards are as follows:
⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011:2008, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
NOTE The general title “Information technology – Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.
1) Standards mentioned in this subclause with no year of publication indicated are still under development.
© ISO/CEI 2009 – Tous droits réservés v
---------------------- Page: 5 ----------------------
ISO/IEC 27000:2009(F)
International Standards that are also part of the ISMS family of standards but are not published under the general title "Information technology — Security techniques" are the following:
⎯ ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
0.3 Purpose of this International Standard
ISO/IEC 27000 gives an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.
NOTE Annex A clarifies how the standards of the ISMS family are to be read according to the verbal forms used, which express requirements and/or guidance.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation of the overall processes and requirements under the Plan-Do-Check-Act (PDCA) model;
c) address sector-specific practices for an ISMS;
d) address conformity assessment for an ISMS.
The terms and definitions provided in this International Standard:
a) cover terms and definitions in common use within the ISMS family of standards;
b) do not cover all terms and definitions used within the ISMS family of standards;
c) do not limit the ISMS family of standards in defining terms for their own use.
Standards that address only the implementation of controls, as opposed to the full set of controls provided in ISO/IEC 27002, are excluded from the ISMS family of standards.
ISO/IEC 27000 is made available free of charge.
To reflect the frequently changing status of the ISMS family of standards, ISO/IEC 27000 is expected to be updated continually and on a more frequent basis than is usual for other ISO/IEC standards.
INTERNATIONAL STANDARD ISO/IEC 27000:2009(F)
Information technology — Security techniques — Information security management systems — Overview and vocabulary
1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) the terms and definitions used in the ISMS family of standards.
This International Standard is applicable to all types of organization (for example: commercial enterprises, government agencies, non-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
Where these terms and definitions also apply to other documents, this is to be indicated in those documents by the following introductory wording:
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
A term used in a definition or note that is defined elsewhere in this clause is shown in bold, followed by its entry number in parentheses. Such a bold term may be replaced in the definition or note by its own definition.
For example:
attack (2.4) is defined as an "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)";
asset is defined as "anything that has value to the organization".
Replacing the term "asset" by its definition gives:
attack is then defined as an "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization".
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE There are many types of assets, including:
(a) information (2.18);
(b) software, such as a computer program;
(c) physical assets, such as a computer;
(d) services;
(e) people, and their qualifications, skills and experience;
(f) intangible assets, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)
2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes (2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be of administrative, technical, management or legal nature
NOTE Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the result achieved and the resources used
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what is expected to be done to achieve an objective
2.17
impact
adverse change to the level of business objectives achieved
2.18
information asset
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information; in addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27) and reliability (2.33), can also be involved
2.20
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant
2.21
information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, dealing with and learning from information security incidents (2.21)
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization
2.27
non-repudiation
ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and the involvement of entities in the event (2.15)
2.28
policy
overall intention and direction of an organization as formally expressed by management
2.29
preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
2.36
risk analysis
systematic use of information to identify sources and to estimate the risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), and risk monitoring and review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)
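The risk terms in 2.24 and 2.34 to 2.46 describe a chain: a risk is a threat exploiting a vulnerability of an asset; risk estimation assigns values to probability and consequence; risk evaluation compares the estimated risk with risk criteria; the result is either risk acceptance or risk treatment through controls. The block below is an added example written for this page and is not part of ISO/IEC 27000 or of any ISMS standard. The 1 to 5 scales, the product as the way of combining probability and consequence, the criteria thresholds, the three-way significance labels and the sample risk register are all assumptions made here; the standard itself prescribes no formula or scale.

```python
"""Added example (not from ISO/IEC 27000): one pass through the clause 2 risk
vocabulary on a constructed risk register. Scales, thresholds and register
entries are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Information security risk (2.24): a threat (2.45) exploiting a
    vulnerability (2.46) of an asset (2.3). Probability and consequence are
    on an assumed 1 (lowest) to 5 (highest) ordinal scale."""
    asset: str
    threat: str
    vulnerability: str
    probability: int
    consequence: int


def estimate(risk: Risk) -> int:
    """Risk estimation (2.40): the assigned probability and consequence values
    are combined into a single risk (2.34) level. The product is an assumed
    convention; the standard does not fix one."""
    if not (1 <= risk.probability <= 5 and 1 <= risk.consequence <= 5):
        raise ValueError("probability and consequence must be on the 1..5 scale")
    return risk.probability * risk.consequence


def evaluate(level: int, criteria: dict) -> str:
    """Risk evaluation (2.41): compare the estimated level with the risk
    criteria (2.39) to determine its significance."""
    if level <= criteria["accept_at_or_below"]:
        return "acceptable"
    if level >= criteria["treat_at_or_above"]:
        return "unacceptable"
    return "tolerable"


DECISION = {
    "acceptable": "accept",                          # risk acceptance (2.35)
    "tolerable": "accept with documented sign-off",  # acceptance recorded (2.32)
    "unacceptable": "treat",                         # risk treatment (2.43)
}


def assess(register, criteria):
    """Risk assessment (2.37) = analysis (2.36) plus evaluation (2.41) for
    each register entry, followed by the accept/treat decision.
    Returns (asset, threat, level, significance, decision) tuples."""
    rows = []
    for r in register:
        level = estimate(r)
        significance = evaluate(level, criteria)
        rows.append((r.asset, r.threat, level, significance, DECISION[significance]))
    return rows


def apply_treatment(risk: Risk, new_probability=None, new_consequence=None) -> Risk:
    """Risk treatment (2.43): a selected control (2.10) modifies the risk.
    Here a control is modelled only by its effect on probability/consequence;
    the residual risk must be evaluated again against the same criteria."""
    return Risk(
        risk.asset, risk.threat, risk.vulnerability,
        risk.probability if new_probability is None else new_probability,
        risk.consequence if new_consequence is None else new_consequence,
    )


# Constructed criteria and register (assumptions, not data from the standard).
CRITERIA = {"accept_at_or_below": 5, "treat_at_or_above": 12}
REGISTER = [
    Risk("customer database", "SQL injection by external attacker",
         "unvalidated input in web front end", probability=4, consequence=5),
    Risk("office printer", "paper jam", "aging hardware",
         probability=5, consequence=1),
    Risk("payroll file share", "ransomware", "unpatched file server",
         probability=3, consequence=3),
]

if __name__ == "__main__":
    for row in assess(REGISTER, CRITERIA):
        print(row)
    # Treat the top risk with an input-validation control: probability 4 -> 1.
    residual = apply_treatment(REGISTER[0], new_probability=1)
    print("residual:", estimate(residual), evaluate(estimate(residual), CRITERIA))
```

Two points the vocabulary makes that the code keeps visible: evaluation is only meaningful against stated criteria (change CRITERIA and the same estimates yield different decisions), and treatment does not remove a risk but modifies it, so the residual risk goes back through evaluate() before it can be accepted.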
3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store and transmit large amounts of information;
b) recognize that information, and the related processes, systems, networks and people, are important assets for achieving the organization's objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, natural events (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has value and, as such, requires appropriate protection, for example against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for the organization's efficiency.
Protecting information assets by defining, achieving, maintaining and improving information security effectively is essential to enable an organization to achieve its objectives, comply with the law and maintain and enhance its image. These coordinated activities, directed at implementing suitable controls and treating unacceptable information security risks, are generally known as elements of information security management.
As information security risks and the effectiveness of controls change with circumstances, organizations need to:
a) monitor and evaluate the effectiveness of the controls and procedures implemented;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
3.2 What is an ISMS?
3.2.1 Overview and principles
An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives, based upon a risk assessment and the organization's risk acceptance levels, designed to treat and manage risks effectively. Analysing the requirements for the protection of information assets and applying appropriate controls to ensure that these assets are protected as required contributes to the successful implementation of an ISMS. The following fundamental principles also contribute:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining the appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information systems and networks;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making modifications as appropriate.
3.2.2 Information
Information is an asset that, like other important assets of the organization, is essential to its business and consequently needs to be suitably protected. Information can be stored in many forms, including digital form (for example, data files stored on electronic or optical media), material form (for example, on paper), as well as the knowledge of employees, which is not tangible information. Information may be transmitted by various means, including courier, electronic or verbal communication. Whatever form the information takes, or whatever the means by which it is transmitted, it always needs appropriate protection.
The information of an organization depends on information and communications technology. This technology is an essential element in any organization and facilitates the creation, processing, storage, transmission, protection and destruction of information. As the extent of organizations' interconnected, global working environments grows, so does the need to protect information, since it is now exposed to a wider variety of threats and vulnerabilities.
3.2.3 Information security
Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring the sustained success and continuity of the organization, and of minimising impacts, information security involves the application and management of appropriate controls, which involves consideration of a wide range of threats.
Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the infor
...
SLOVENIAN STANDARD SIST ISO/IEC 27000
March 2011
Information technology – Security techniques – Information security management systems – Overview and vocabulary
Technologies de l'information – Techniques de sécurité – Systèmes de management de la sécurité de l'information – Vue d'ensemble et vocabulaire
Reference designation
ICS 01.140.35, 35.040 SIST ISO/IEC 27000:2011 (sl)
Continued on pages 2 to 25
© 2013-05 Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
SIST ISO/IEC 27000 : 2011
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27000 (sl), Information technology – Security techniques – Information security management systems – Overview and vocabulary, 2011, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27000 (en), Information technology – Security techniques – Information security management systems – Overview and vocabulary, first edition, 2009-05-01.
NATIONAL FOREWORD
The international standard ISO/IEC 27000:2009 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27000:2011 is a translation of the international standard ISO/IEC 27000:2009. The Slovenian edition of SIST ISO/IEC 27000:2011 was prepared by the technical committee SIST/TC ITC Information technology. In the event of a dispute over the wording of the Slovenian translation, the original international standard in English is decisive.
The decision to issue this standard was taken by SIST/TC ITC Information technology on 18 November 2010.
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27000:2009
NOTES
– Wherever the term "international standard" is used in the text of the standard, in SIST ISO/IEC 27000:2011 it means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
– The definitions of terms are taken from the international standards ISO 9000, Quality management systems – Fundamentals and vocabulary, and ISO Guide 73, Risk management – Vocabulary.
– The text of SIST ISO/IEC 27000 cites, in clauses 0.2, 4.1, 4.2, 4.3, 4.4, 4.5 and in the annex, the international standards ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005, ISO/IEC 27006, ISO/IEC 27007, ISO/IEC 27011 and ISO 27799. In every case their latest edition is meant.
CONTENTS Page
Foreword ..... 4
0 Introduction ..... 5
1 Scope ..... 7
2 Terms and definitions ..... 7
3 Information security management systems ..... 12
3.1 Introduction ..... 12
3.2 What is an ISMS ..... 12
3.3 Process approach ..... 14
3.4 Why an ISMS is important ..... 14
3.5 Establishing, monitoring, maintaining and improving an ISMS ..... 15
3.6 ISMS critical success factors ..... 16
3.7 Benefits of the ISMS family of standards ..... 17
4 ISMS family of standards ..... 17
4.1 General information ..... 17
4.2 Standards describing an overview and terminology ..... 18
4.3 Standards specifying requirements ..... 19
4.4 Standards describing general guidelines ..... 19
4.5 Standards describing sector-specific guidelines ..... 20
Annex A (informative): Verbal forms for the expression of provisions ..... 22
Annex B (informative): Categorization of terms ..... 23
Bibliography ..... 25
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to all members for voting. Publication as an International Standard requires approval by at least 75 % of the members casting a vote.
Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview
Management system International Standards provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. Within ISO/IEC JTC 1 SC 27 an expert committee is dedicated to the development of international management system standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information and prepare for an independent assessment of the ISMS they apply to the protection of information, such as financial information, intellectual property and employee details, or information entrusted to them by customers or third parties.
0.2 ISMS family of standards 1)
The purpose of the ISMS family of standards is to assist organizations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology – Security techniques:
− ISO/IEC 27000:2009, Information security management systems – Overview and vocabulary
− ISO/IEC 27001:2005, Information security management systems – Requirements
− ISO/IEC 27002:2005, Code of practice for information security management
− ISO/IEC 27003, Information security management system implementation guidance
− ISO/IEC 27004, Information security management – Measurement
− ISO/IEC 27005:2008, Information security risk management
− ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
− ISO/IEC 27007, Guidelines for information security management systems auditing
− ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
NOTE: The general title "Information technology – Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
1) Standards listed in this subclause without a year of publication are still under development.
The International Standard not under the same general title, but also part of the ISMS family of standards, is:
− ISO 27799:2008, Health informatics – Information security management in health using ISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.
NOTE: Annex A clarifies how the verbal forms are used to express requirements and/or guidance in the ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems,
b) provide direct support, detailed guidance and/or interpretation for the overall processes and requirements of the "plan-do-check-act" (PDCA) process,
c) address sector-specific guidelines for an ISMS,
d) address conformity assessment for an ISMS.
The terms and definitions given in this International Standard:
− cover terms and definitions commonly used in the ISMS family of standards,
− will not cover all terms and definitions used within the ISMS family of standards, and
− do not limit the ISMS family of standards in defining terms for their own use.
Standards that address only the implementation of controls, rather than addressing all controls, are excluded from the ISMS family of standards.
To reflect the changing status of the ISMS family of standards, this International Standard is expected to be updated continually and on a more frequent basis than is usual for other ISO/IEC standards.
Information technology – Security techniques – Information security management systems – Overview and vocabulary
1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards,
b) an introduction to information security management systems (ISMS),
c) a brief description of the plan-do-check-act (PDCA) process, and
d) terms and definitions for use in the ISMS family of standards.
This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE: A term in a definition or note which is defined elsewhere in this clause is indicated in bold, followed by its entry number in parentheses. Such a bold term in a definition may be replaced by its complete definition.
For example:
attack (2.4) is defined as "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)",
asset is defined as "anything that has value to the organization".
If the term "asset" is replaced by its definition:
attack then becomes "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization".
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE: There are many types of assets, including:
a) information (2.18),
b) software, such as a computer program,
c) physical assets, such as a computer,
d) services,
e) people, and their qualifications, skills and experience, and
f) intangible assets, such as reputation and public image.
SIST ISO/IEC 27000 : 2011
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)
2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes (2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be administrative, technical, management or legal in nature
NOTE: Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action 1)
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the results achieved and the resources used to achieve them
1) SI note: In the ISMS family of standards, the Slovenian term "popravni ukrep" is also used for corrective action.
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what is expected to be done to achieve an objective
2.17
impact
adverse change to the level of business objectives achieved
2.18
information
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE: In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27) and reliability (2.33), can also be involved.
2.20
information security event
identified occurrence in a system, service or network indicating a possible breach of information security (2.19) or policy (2.28), a failure of controls (2.10), or a previously unknown situation that may be security relevant
2.21
information security incident
one or more unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting and assessing information security incidents (2.21) and for responding to, dealing with and learning from them
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, intended to establish, implement, operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization
2.27
non-repudiation
ability to prove that a given entity carried out a claimed event (2.15) or action, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and the involvement of the entity in the event (2.15)
2.28
policy
overall intention and direction as formally expressed by management
2.29
preventive action 1)
action to eliminate the cause of a potential nonconformity or other potential undesirable situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
1) SI note: In the ISMS family of standards, the Slovenian term "preprečevalni ukrep" is also used for preventive action.
2.36
risk analysis
systematic use of information to identify sources and to estimate risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE: Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between decision-makers and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE: Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)
3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store and transmit large amounts of information,
b) recognise that information and the related processes, systems, networks and people are important assets for achieving the organization's objectives,
c) face a range of risks that may affect the functioning of assets, and
d) reduce risks by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, natural events (for example flood or fire), etc., and is exposed to vulnerabilities inherent in its use.
The term information security is based on information being considered as an asset with a value that requires appropriate protection, for example against the loss of availability, confidentiality and integrity. Ensuring that accurate and complete information is available in a timely manner to authorized users promotes business efficiency.
Protecting information is essential to enable an organization, by defining, achieving, maintaining and improving information security, to achieve its objectives effectively and to maintain and enhance its regulatory compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.
As information security risks and the effectiveness of controls change with shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures,
b) identify emerging risks to be treated, and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its information security policy and objectives and achieve those objectives effectively by using a management system.
3.2 What is an ISMS
3.2.1 Overview and principles
An ISMS (information security management system) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information to achieve business objectives, based on a risk assessment and the organization's acceptable levels of risk, and designed to treat and manage risks effectively. Analysing requirements for the protection of information and applying appropriate controls to protect information contribute to the successful implementation of an ISMS in the organization. The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security,
b) assignment of responsibility for information security,
c) incorporating management commitment and the interests of stakeholders,
d) enhancing societal values,
e) risk assessments determining appropriate controls to reach acceptable levels of risk,
f) security incorporated as an essential element of information networks and systems,
g) active prevention and detection of information security incidents,
h) ensuring a comprehensive approach to information security management, and
i) continual reassessment of information security and making modifications as appropriate.
3.2.2 Information
Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, such as digital form (for example data stored on electronic or optical media) and material form (e.g. on paper), as well as unrepresented information in the form of the knowledge of employees. Information may be transmitted by various means, including courier, electronic or verbal communication. Whatever form information is stored in and whatever means it is transmitted by, it always needs appropriate protection.
An organization's information depends on its information and communication technology. This technology is an essential element in any organization and assists in creating, processing, storing, transmitting, protecting and destroying information. As the scope of interconnected global business expands, so do the requirements for protecting information, since information is now exposed to a wider range of threats and vulnerabilities.
3.2.3 Information security
Information security includes three main dimensions: confidentiality, availability and integrity. To ensure sustained business success and continuity and to reduce impacts, information security involves the application and management of appropriate security measures that take into account a wide range of threats.
Information security is achieved by implementing an applicable set of controls, selected through the chosen risk management procedures and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware, to protect the identified information. These controls need to be specified, implemented, monitored, reviewed and, where necessary, improved to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with the organization's business processes.
3.2.4 Management
Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner or practice of organizing, directing, controlling and supervising resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.
In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information. Information security management is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with it.
NOTE: The term "management" can sometimes refer to people (i.e. a person or group of people with authority and responsibility for the conduct and control of an organization). The term "management" as discussed in this clause is not used in that sense.
3.2.5 Management system
A management system uses a defined range of resources to achieve the objectives of the organization. A management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other interested parties,
b) improve the organization's plans and activities,
c) meet the organization's information security objectives,
d) comply with regulations, legislation and industry agreements, and
e) manage information in an organized way that facilitates continual improvement and adjustment to current organizational objectives and environment.
3.3 Process approach
Organizations need to identify and manage many activities in order to function effectively and efficiently. Any activity using resources needs to be managed so as to enable the transformation of inputs into outputs using a set of interrelated or interacting activities; this is also known as a process. The output from one process can directly form the input to another process, and generally this transformation is carried out under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interactions of these processes and their management, can be referred to as a "process approach".
The process approach for an ISMS presented in the ISMS family of standards is based on the operating principle adopted in ISO management system standards, commonly known as the "Plan-Do-Check-Act" (PDCA) process:
a) Plan: establish objectives and make plans (analyse the organization's situation, establish overall objectives and set specific targets, and develop plans to achieve them);
b) Do: implement the plans (do what was planned to be done);
c) Check: measure the results (measure/monitor the extent to which achievements meet the planned objectives); and
d) Act: correct and improve the activities (learn from mistakes to improve activities in order to achieve better results).
3.4 Why an ISMS is important
Risks associated with an organization's information need to be addressed within the organization's ISMS. Achieving information security requires the management of risk and encompasses risks arising from physical, human and technological threats associated with all forms of information within, or used by, the organization.
Adopting an ISMS should be a strategic decision for an organization, and this decision must be seamlessly integrated,
razširj
...
Slovenian Institute for Standardization, 2003-01. Reproduction of the whole or parts of this standard is not permitted.
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazoslovje
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire
Information technology - Security techniques - Information security management systems - Overview and vocabulary
ICS: 35.040 Character sets and information coding; 01.040.35 Information technology. Office machines (Vocabularies)
This Slovenian standard is identical to: ISO/IEC 27000:2009
SLOVENSKI STANDARD oSIST ISO/IEC 27000:2010 (en), 01 December 2010
INTERNATIONAL STANDARD ISO/IEC 27000, First edition 2009-05-01, Reference number ISO/IEC 27000:2009(E), © ISO/IEC 2009
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes de gestion de la sécurité des informations — Vue d'ensemble et vocabulaire
Contents (page)
Foreword (iv)
0 Introduction (v)
1 Scope (1)
2 Terms and definitions (1)
3 Information security management systems (6)
3.1 Introduction (6)
3.2 What is an ISMS? (7)
3.3 Process approach (8)
3.4 Why an ISMS is important (9)
3.5 Establishing, monitoring, maintaining and improving an ISMS (10)
3.6 ISMS critical success factors (11)
3.7 Benefits of the ISMS family of standards (11)
4 ISMS family of standards (12)
4.1 General information (12)
4.2 Standards describing an overview and terminology (13)
4.3 Standards specifying requirements (13)
4.4 Standards describing general guidelines (14)
4.5 Standards describing sector-specific guidelines (15)
Annex A (informative) Verbal forms for the expression of provisions (16)
Annex B (informative) Categorized terms (17)
Bibliography (19)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.
0.2 ISMS family of standards
The ISMS family of standards 1) is intended to assist organizations of all types and sizes to implement and operate an ISMS.
The ISMS family of standards consists of the following International Standards, under the general title Information technology — Security techniques:
- ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
- ISO/IEC 27001:2005, Information security management systems — Requirements
- ISO/IEC 27002:2005, Code of practice for information security management
- ISO/IEC 27003, Information security management system implementation guidance
- ISO/IEC 27004, Information security management — Measurement
- ISO/IEC 27005:2008, Information security risk management
- ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007, Guidelines for information security management systems auditing
- ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
NOTE The general title "Information technology — Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
International Standards not under the same general title that are also part of the ISMS family of standards are as follows:
- ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
1) Standards identified throughout this subclause with no release year indicated are still under development.
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
- cover commonly used terms and definitions in the ISMS family of standards;
- will not cover all terms and definitions applied within the ISMS family of standards; and
- do not limit the ISMS family of standards in defining terms for own use.
Standards addressing only the implementation of controls, as opposed to addressing all controls, from ISO/IEC 27002 are excluded from the ISMS family of standards.
To reflect the changing status of the ISMS family of standards, this International Standard is expected to be continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards.
INTERNATIONAL STANDARD ISO/IEC 27000:2009(E) © ISO/IEC 2009 – All rights reserved 1Information technology — Security techniques — Information security management systems — Overview and vocabulary 1 Scope This International Standard provides: a) an overview of the ISMS family of standards; b) an introduction to information security management systems (ISMS); c) a brief description of the Plan-Do-Check-Act (PDCA) process; and d) terms and definitions for use in the ISMS family of standards. This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations). 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition. For example: attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)”; asset is defined as “anything that has value to the organization”. If the term “asset” is replaced by its definition: attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization”. 2.1 access control means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements 2.2 accountability responsibility of an entity for its actions and decisions oSIST ISO/IEC 27000:2010
ISO/IEC 27000:2009(E) 2 © ISO/IEC 2009 – All rights reserved 2.3 asset anything that has value to the organization NOTE There are many types of assets, including: a) information (2.18); b) software, such as a computer program; c) physical, such as computer; d) services; e) people, and their qualifications, skills, and experience; and f) intangibles, such as reputation and image. 2.4 attack attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3) 2.5 authentication provision of assurance that a claimed characteristic of an entity is correct 2.6 authenticity property that an entity is what it claims to be 2.7 availability property of being accessible and usable upon demand by an authorized entity 2.8 business continuity processes (2.31) and/or procedures (2.30) for ensuring continued business operations 2.9 confidentiality property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.31) 2.10 control means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be administrative, technical, management, or legal in nature NOTE Control is also used as a synonym for safeguard or countermeasure. 2.11 control objective statement describing what is to be achieved as a result of implementing controls (2.10) 2.12 corrective action action to eliminate the cause of a detected nonconformity or other undesirable situation [ISO 9000:2005] oSIST ISO/IEC 27000:2010
ISO/IEC 27000:2009(E) © ISO/IEC 2009 – All rights reserved 32.13 effectiveness extent to which planned activities are realized and planned results achieved [ISO 9000:2005] 2.14 efficiency relationship between the results achieved and how well the resources have been used 2.15 event occurrence of a particular set of circumstances [ISO/IEC Guide 73:2002] 2.16 guideline recommendation of what is expected to be done to achieve an objective 2.17 impact adverse change to the level of business objectives achieved 2.18 information asset knowledge or data that has value to the organization 2.19 information security preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and reliability (2.33) can also be involved. 2.20 information security event identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant 2.21 information security incident single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19) 2.22 information security incident management processes (2.31) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.21) 2.23 information security management system ISMS part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19) oSIST ISO/IEC 27000:2010
ISO/IEC 27000:2009(E) 4 © ISO/IEC 2009 – All rights reserved 2.24 information security risk potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization 2.25 integrity property of protecting the accuracy and completeness of assets (2.3) 2.26 management system framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization 2.27 non-repudiation ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of entities in the event (2.15) 2.28 policy overall intention and direction as formally expressed by management 2.29 preventive action action to eliminate the cause of a potential nonconformity or other undesirable potential situation [ISO 9000:2005] 2.30 procedure specified way to carry out an activity or a process (2.31) [ISO 9000:2005] 2.31 process set of interrelated or interacting activities which transforms inputs into outputs [ISO 9000:2005] 2.32 record document stating results achieved or providing evidence of activities performed [ISO 9000:2005] 2.33 reliability property of consistent intended behaviour and results 2.34 risk combination of the probability of an event (2.15) and its consequence [ISO/IEC Guide 73:2002] oSIST ISO/IEC 27000:2010
ISO/IEC 27000:2009(E) © ISO/IEC 2009 – All rights reserved 52.35 risk acceptance decision to accept a risk (2.34) [ISO/IEC Guide 73:2002] 2.36 risk analysis systematic use of information to identify sources and to estimate risk (2.34) [ISO/IEC Guide 73:2002] NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35). 2.37 risk assessment overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41) [ISO/IEC Guide 73:2002] 2.38 risk communication exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders [ISO/IEC Guide 73:2002] 2.39 risk criteria terms of reference by which the significance of risk (2.34) is assessed [ISO/IEC Guide 73:2002] 2.40 risk estimation activity to assign values to the probability and consequences of a risk (2.34) [ISO/IEC Guide 73:2002] 2.41 risk evaluation process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34) [ISO/IEC Guide 73:2002] 2.42 risk management coordinated activities to direct and control an organization with regard to risk (2.34) [ISO/IEC Guide 73:2002] NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review. 2.43 risk treatment process (2.31) of selection and implementation of measures to modify risk (2.34) [ISO/IEC Guide 73:2002] oSIST ISO/IEC 27000:2010
ISO/IEC 27000:2009(E) 6 © ISO/IEC 2009 – All rights reserved 2.44 statement of applicability documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23) 2.45 threat potential cause of an unwanted incident, which may result in harm to a system or organization 2.46 vulnerability weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45) 3 Information security management systems 3.1 Introduction Organizations of all types and sizes: a) collect, process, store, and transmit large amounts of information; b) recognise that information, and related processes, systems, networks and people are important assets for achieving organization objectives; c) face a range of risks that may affect the functioning of assets; and d) modify risks by implementing information security controls. All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc, and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency. Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management. 
As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
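The vocabulary in 2.35 to 2.43 (risk estimation, risk criteria, risk evaluation, risk treatment, risk acceptance) and the statement of applicability in 2.44 describe a chain of activities that 3.1 summarises as "modify risks by implementing information security controls". The following Python module is an added worked example, not text or code from ISO/IEC 27000, showing that chain applied to a small risk register. The 1..5 ordinal scales for likelihood and impact, the multiplicative risk level, the acceptance threshold of 4 and the register entries themselves are all assumptions constructed for this illustration; the standard defines the terms but prescribes no scale or threshold.

```python
"""Worked risk-register example using the ISO/IEC 27000 vocabulary.

Added illustration, not part of the standard. The ordinal scales, the
multiplicative level, the acceptance threshold and the sample register are
assumptions made for this example only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk scenario: a threat (2.45) exploiting a vulnerability (2.46) of an asset (2.3)."""
    asset: str
    threat: str
    vulnerability: str


@dataclass
class Estimate:
    """Output of risk estimation (2.40): values for probability and consequences."""
    likelihood: int  # assumed ordinal scale 1 (rare) .. 5 (almost certain)
    impact: int      # assumed ordinal scale 1 (negligible) .. 5 (severe)

    def level(self) -> int:
        # Assumed combination rule; the standard prescribes none.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    """A control (2.10) that modifies risk by lowering likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def apply(self, est: Estimate) -> Estimate:
        # Treatment never drives a value below 1: residual risk is never zero.
        return Estimate(max(1, est.likelihood - self.likelihood_reduction),
                        max(1, est.impact - self.impact_reduction))


@dataclass
class RiskCriteria:
    """Risk criteria (2.39): terms of reference for judging significance."""
    accept_at_or_below: int = 4  # assumed threshold on the 1..25 level scale

    def evaluate(self, est: Estimate) -> str:
        """Risk evaluation (2.41): compare the estimate against the criteria."""
        return "acceptable" if est.level() <= self.accept_at_or_below else "unacceptable"


@dataclass
class Decision:
    risk: Risk
    inherent: Estimate
    residual: Estimate
    controls: list
    outcome: str  # "accepted" (2.35) or "further treatment required"


def treat(risk: Risk, est: Estimate, candidates: list, criteria: RiskCriteria) -> Decision:
    """Risk treatment (2.43): select controls in order until the residual risk is acceptable."""
    applied, residual = [], est
    for control in candidates:
        if criteria.evaluate(residual) == "acceptable":
            break
        residual = control.apply(residual)
        applied.append(control)
    accepted = criteria.evaluate(residual) == "acceptable"
    return Decision(risk, est, residual, applied,
                    "accepted" if accepted else "further treatment required")


def statement_of_applicability(decisions: list) -> list:
    """Controls actually selected across the register (2.44), deduplicated and sorted."""
    return sorted({c.name for d in decisions for c in d.controls})


# Constructed sample register (asset, threat, vulnerability, estimate, candidate controls).
REGISTER = [
    (Risk("customer database", "external attacker", "unpatched database service"),
     Estimate(4, 5),
     [Control("patch management", likelihood_reduction=2),
      Control("network segmentation", likelihood_reduction=1),
      Control("encrypted backups", impact_reduction=1)]),
    (Risk("payroll spreadsheet", "accidental deletion", "no backup"),
     Estimate(3, 3),
     [Control("daily backup", impact_reduction=2)]),
    (Risk("internal wiki", "fire", "single office location"),
     Estimate(1, 2),
     [Control("off-site replica", impact_reduction=1)]),
    (Risk("legacy control system", "malware", "unsupported operating system"),
     Estimate(5, 5),
     [Control("antivirus", likelihood_reduction=1)]),
]


def run_register(register=REGISTER, criteria=RiskCriteria()) -> list:
    """Risk assessment (2.37) followed by treatment for every register entry."""
    return [treat(risk, est, controls, criteria) for risk, est, controls in register]


if __name__ == "__main__":
    decisions = run_register()
    for d in decisions:
        names = ", ".join(c.name for c in d.controls) or "none"
        print(f"{d.risk.asset}: inherent {d.inherent.level()} -> residual "
              f"{d.residual.level()} [{names}] => {d.outcome}")
    print("Statement of applicability:", statement_of_applicability(decisions))
```

Two behaviours are worth noting. The third entry is already within the criteria, so no control is selected and the inherent risk is accepted as-is; the fourth entry exhausts its candidate controls while still unacceptable, which is the case an ISMS must surface for further treatment or an explicit, documented acceptance decision rather than silently drop. The statement of applicability lists only the controls the treatment step actually selected, which is what 2.44 asks for.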
3.2 What is an ISMS?

3.2.1 Overview and principles

An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.

The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.

3.2.2 Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication.
Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection.

An organization's information is dependent upon information and communications technology. This technology is an essential element in any organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information. As the interconnected global business environment expands, so does the requirement to protect information, because that information is now exposed to a wider variety of threats and vulnerabilities.

3.2.3 Information security

Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring sustained business success and continuity, and of minimising impacts, information security involves the application and management of appropriate security measures that take a wide range of threats into consideration.

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization's business processes.
3.2.4 Management

Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.

In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information assets. Management of information security is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.

NOTE The term "management" may sometimes refer to people (i.e. a person or group of people with authority and responsibility for the conduct and control of an organization). The term "management" addressed in this clause is not in this sense.

3.2.5 Management system

A management system uses a framework of resources to achieve an organization's objectives. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other stakeholders;
b) improve an organization's plans and activities;
c) meet the organization's information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals and to the environment.
3.3 Process approach

Organizations need to identify and manage many activities in order to function effectively and efficiently. Any activity using resources needs to be managed to enable the transformation of inputs into outputs using a set of interrelated or interacting activities; this is also known as a process.

The output from one process can directly form the input to another process and generally this transformation is carried out under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".

The process approach for the ISMS presented in the ISMS family of standards is based on the operating principle adopted in ISO's management system standards commonly known as the Plan – Do – Check – Act (PDCA) process.
a) Plan – establish objectives and make plans (analyze the organization's situation, establish the overall objectives and set targets, and develop plans to achieve them);
b) Do – implement plans (do what was planned to do);
c) Check – measure results (measure/monitor the extent to which achievements meet planned objectives); and
d) Act – correct and improve activities (learn from mistakes to improve activities to achieve better results).
3.4 Why an ISMS is important

As part of an organization's ISMS, risks associated with an organization's information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organization.

The adoption of an ISMS is expected to be a strategic decision for an organization and it is necessary that this decision is seamlessly integrated, scaled and updated in accordance with the needs of the organization. The design and implementation of an organization's ISMS is influenced by the needs and objectives of the organization, security requirements, the business processes employed and the size and structure of the organization. The design and operation of an ISMS needs to reflect the interests and information security requirements of all of the organization's st
...