Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary

ISO/IEC 27000:2014 provides the overview of information security management systems (ISMS), and terms and definitions commonly used in the ISMS family of standards. It is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

Technologies de l'information -- Techniques de sécurité -- Systèmes de management de la sécurité de l'information -- Vue d'ensemble et vocabulaire

ISO/IEC 27000:2014 provides an overview of information security management systems, and of the terms and definitions in common use in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (for example: commercial enterprises, public bodies, not-for-profit organizations).

Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazje

General Information

Status: Replaced
Publication Date: 13-Jan-2014
Withdrawal Date: 13-Jan-2014
Current Stage: 6060 - International Standard published
Start Date: 07-Jan-2014
Completion Date: 14-Jan-2014


Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 27000
Redline version: compares third edition to second edition
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Technologies de l’information — Techniques de sécurité — Systèmes de management de la sécurité de l’information — Vue d’ensemble et vocabulaire
Reference number: ISO/IEC 27000:redline:2014(E)
ISO/IEC 2014
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x ... — Heading numbers containing modifications are highlighted in yellow in the Table of Contents
DISCLAIMER

This Redline version provides you with a quick and easy way to compare the main changes between this edition of the standard and its previous edition. It doesn’t capture all single changes such as punctuation but highlights the modifications providing customers with the most valuable information. Therefore it is important to note that this Redline version is not the official ISO standard and that the users must consult with the clean version of the standard, which is the official standard, for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword iv
0 Introduction v
1 Scope 1
2 Terms and definitions 1
3 Information security management systems 14
3.1 Introduction 14
3.2 What is an ISMS? 14
3.3 Process approach 16
3.4 Why an ISMS is important 16
3.5 Establishing, monitoring, maintaining and improving an ISMS 18
3.6 ISMS critical success factors 20
3.7 Benefits of the ISMS family of standards 21
4 ISMS family of standards 21
4.1 General information 21
4.2 Standards describing an overview and terminology 24
4.3 Standards specifying requirements 24
4.4 Standards describing general guidelines 25
4.5 Standards describing sector-specific guidelines 27
Annex A (informative) Verbal forms for the expression of provisions 29
Annex B (informative) Term and Term ownership 30
Bibliography 34

Foreword

ISO (the International OrganisationOrganization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisationorganization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organisationsorganizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This secondthird edition cancels and replaces the firstsecond edition (ISO/IEC 27000:20092012), which has been technically revised.
0 Introduction
0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organisationsorganizations can develop and implement a framework for managing the security of their information assets including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.
0.2 ISMS family of standards

The ISMS family of standards (see Clause 4) is intended to assist organisationsorganizations of all types and sizes to implement and operate an ISMS and consists of the following International Standards, under the general title Information technology — Security techniques (given below in numerical order):

— ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
— ISO/IEC 27001:2005, Information security management systems — Requirements
— ISO/IEC 27002:2005, Code of practice for information security managementcontrols
— ISO/IEC 27003:2010, Information security management system implementation guidance
— ISO/IEC 27004:2009, Information security management — Measurement
— ISO/IEC 27005:2011, Information security risk management
— ISO/IEC 27006:2011, Requirements for bodies providing audit and certification of information security management systems
— ISO/IEC 27007:2011, Guidelines for information security management systems auditing
— ISO/IEC TR 27008:2011, Guidelines for auditors on information security management systems controls
— ISO/IEC 27010:2012, Information security management guidelines for inter-sector and inter-organisationalorganizational communications
— ITU-T X.1051 | ISO/IEC 27011:2008, Information security management guidelines for telecommunications organisationsorganizations based on ISO/IEC 27002
— ISO/IEC/FDIS 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
— ITU-T X.1054 | ISO/IEC/FDIS 27014, Governance of information security
— ISO/IEC TR 27015, Information security management guidelines for financial services
— ISOISO/IEC TR 27016/IEC WD 27016, Information security management – Organisational— Organizational economics

NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

1) Standards identified throughout this subclause with no release year indicated are still under development.


International Standards not under the same general title that are also part of the ISMS family of standards are as follows:

— ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems, and defines related terms.

NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirementsprocess to establish, implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard:
— cover commonly used terms and definitions in the ISMS family of standards;
— willdo not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
Information technology — Security techniques — Information security management systems — Overview and vocabulary
1 Scope

This International Standard describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions.

This International Standard provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organisationorganization (e.g. commercial enterprises, government agencies, not-for-profit organisationsorganizations).
2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

NOTE 1 A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition. For example:

attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)”;
asset is defined as “any item that has value to the organisation”.

If the term “asset” is replaced by its definition:

attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of any item that has value to the organisation”.
2.1
access control
means to ensure that access to assets (2.4)assets is authorized and restricted based on business and security requirements
2.2
accountability
assignment of actions and decisions to an entity
2.3 2.2
analytical model
algorithm or calculation combining one or more base measures (2.11 2.10) and/or derived measures (2.21 2.22) with associated decision criteria
[SOURCE: ISO/IEC 15939:2007]
2.4
asset
anything that has value to the organisation
Note 1 to entry: There are many types of assets, including:
a) information;
b) software, such as a computer program;
c) physical, such as computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
2.5 2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.4)asset
2.6 2.4
attribute
property or characteristic of an object object (2.55) that can be distinguished quantitatively or qualitatively by human or automated means
[SOURCE: ISO/IEC 15939:2007, modified – “entity” has been replaced by “object” in the definition.]
2.5
audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
2.7 2.6
audit scope
extent and boundaries of an audit audit (2.5)
[SOURCE: ISO 9000:2005 19011:2011]
2.8 2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.9 2.8
authenticity
property that an entity is what it is claims to be
2.10 2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.11 2.10
base measure
measure (2.43 2.47) defined in terms of an attribute (2.6 2.4) and the method for quantifying it
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: A base measure is functionally independent of other measures.
2.12 2.11
business continuity competence
procedures (2.53) and/or ability to processes (2.54) for ensuring continued business operations apply knowledge and skills to achieve intended results
2.13 2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.54 2.61)
2.14 2.13
conformity
fulfillment fulfilment of a requirement requirement (2.63) [ISO 9000:2005].
Note 1 to entry: The term “conformance” is synonymous but deprecated.
2.15 2.14
consequence
outcome of an event (2.24 2.25) affecting objectives objectives (2.56)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
means of managing measure that is risk (2.61), including modifying policies (2.51 risk (2.68), procedures (2.53), guidelines (2.26), practices or organisational structures, which can be of administrative, technical, management, or legal nature
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Controls for information security include any process, policy, procedure, guideline, practice or organisational structure, which can be administrative, technical, management, or legal in nature which modify information security device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
Note 3 to entry: Control is also used as a synonym for safeguard or countermeasure.
2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.18 2.19
corrective action
action to eliminate the cause of a detected non-conformity (2.48 nonconformity (2.53) or other undesirable situation and to prevent recurrence
[SOURCE: ISO 9000:2005]
2.19 2.20
data
collection of values assigned to base measures (2.11 2.10), derived measures (2.21 2.22) and/or indicators (2.27 2.30)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.
2.20 2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]
2.21 2.22
derived measure
measure (2.43 2.47) that is defined as a function of two or more values of base measures (2.11 2.10)
[SOURCE: ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
2.22 2.24
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 9000:2005]
2.23
efficiency
relationship between the results achieved and the resources used
[SOURCE: ISO 9000:2005]
2.24 2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.

2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles
2.25 2.27
external context
external environment in which the organisation organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectivesobjectives (2.56) of the organisationorganization (2.57); and
— relationships with, and perceptions and values of, external stakeholdersstakeholders (2.82).
2.28
governance of information security
system by which an organization’s (2.57) information security activities are directed and controlled
2.26 2.29
guideline governing body
description that clarifies what should be done and how, to achieve the objectives person or group of people who are accountable for the performance (2.59) set out in and conformance of the policies (2.51 organization (2.57)
Note 1 to entry: Governing body can in some jurisdictions be a board of directors.
2.27 2.30
indicator
measure (2.43 2.47) that provides an estimate or evaluation of specified attributes (2.6 2.4) derived from an analytical model (2.3 2.2) with respect to defined information needs (2.28 2.31)
2.28 2.31
information need
insight necessary to manage objectives, goals, risks and problems
[SOURCE: ISO/IEC 15939:2007]
2.29 2.32
information processing facilities
any information processing system, service or infrastructure, or the physical locations housing them location housing it
2.30 2.33
information security
preservation of confidentiality (2.13 2.12), integrity (2.36 2.40) and availability (2.10 2.9) of information
Note 1 to entry: In addition, other properties, such as authenticity (2.9 2.8), accountability (2.2)accountability, non-repudiation (2.49 2.54), and reliability (2.56 2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.31 2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards controls, or a previously unknown situation that may be security relevant
2.32 2.36
information security incident
single or a series of unwanted or unexpected information security events (2.31 2.35) that have a significant probability of compromising business operations and threatening information security (2.30 2.33)
2.33 2.37
information security incident management
processes (2.54 2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.32 2.36)
2.34 2.38
information security management system sharing community
ISMS
part of the overall group of organizations that management system (2.42), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve agree to share informationinformation security (2.30)
Note 1 to entry: The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources An organization can be an individual.
2.35 2.39
information system
application, service applications, services, information technology asset assets, or any other information handling component components
2.36 2.40
integrity
property of protecting the accuracy and completeness of assets (2.4)
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity
2.37 2.42
internal context
internal environment in which the organisation organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Internal context can include:
— governance, organisationalorganizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organisation’sorganization’s culture;
— standards, guidelines and models adopted by the organisationorganization; and
— form and extent of contractual relationships.
2.38 2.43
ISMS project
structured activities undertaken by an organisation organization (2.57) to implement an ISMS (2.34)ISMS
2.39 2.44
level of risk
magnitude of a risk (2.61 2.68) expressed in terms of the combination of consequences (2.15 2.14) and their likelihood (2.40 2.45)
[SOURCE: ISO Guide 73:2009, modified — “or combination of risks,” has been deleted.]
2.40 2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009]
2.41
management
coordinated activities to direct and control an organisation
[SOURCE: ISO 9000:2005]
2.42 2.46
management system
framework of set of interrelated or interacting elements of an guidelines (2.26 organization (2.57), to establish policies (2.51 2.60), and procedures (2.53 objectives (2.56), and processes (2.54 2.61) and associated resources aimed at ensuring an organisation meets its to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
2.43 2.47
measure
variable to which a value is assigned as the result of measurement (2.44 2.48)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The term “measures” is used to refer collectively to base measures, derived measures, and indicators.
2.44 2.48
measurement
process of obtaining information about the effectiveness (2.22 process (2.61) of to ISMS (2.34) and determine controls (2.16) using a measurement method (2.46), a value measurement function (2.45), an analytical model (2.3) and decision criteria (2.20)
Note 1 to entry: In the context of information security (2.33) the process of determining a value requires information about the effectiveness (2.24) of an information security management system (2.46) and its associated controls (2.16) using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2), and decision criteria (2.21).
2.45 2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.11 2.10)
[SOURCE: ISO/IEC 15939:2007]
2.46 2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.6 2.4) with respect to a specified scale (2.72 2.80)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
2.47 2.51
measurement results
one or more indicators (2.27 2.30) and their associated interpretations that address an information need (2.28 2.31)
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
Note 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
2.48 2.53
non-conformity nonconformity
non-fulfillment fulfilment of a requirement requirement (2.63)
[SOURCE: ISO 9000:2005]
2.49 2.54
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
2.50 2.55
object
item characterized through the measurement (2.44 2.48) of its attributes (2.6 2.4)
2.51 2.56
policy objective
overall intention and direction as formally expressed by result to be achievedmanagement (2.41)
Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environme

...

INTERNATIONAL STANDARD ISO/IEC 27000
Third edition
2014-01-15
Information technology — Security
techniques — Information security
management systems — Overview and
vocabulary
Technologies de l’information — Techniques de sécurité — Systèmes
de management de la sécurité de l’information — Vue d’ensemble et
vocabulaire
Reference number
ISO/IEC 27000:2014(E)
ISO/IEC 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword ... iv
0 Introduction ... v
1 Scope ... 1
2 Terms and definitions ... 1
3 Information security management systems ... 12
3.1 Introduction ... 12
3.2 What is an ISMS? ... 13
3.3 Process approach ... 14
3.4 Why an ISMS is important ... 14
3.5 Establishing, monitoring, maintaining and improving an ISMS ... 15
3.6 ISMS critical success factors ... 18
3.7 Benefits of the ISMS family of standards ... 19
4 ISMS family of standards ... 19
4.1 General information ... 19
4.2 Standards describing an overview and terminology ... 20
4.3 Standards specifying requirements ... 21
4.4 Standards describing general guidelines ... 21
4.5 Standards describing sector-specific guidelines ... 23
Annex A (informative) Verbal forms for the expression of provisions ... 25
Annex B (informative) Term and Term ownership ... 26
Bibliography ... 30

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been technically revised.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS and consists of the following International Standards, under the general title Information technology — Security techniques (given below in numerical order):
— ISO/IEC 27000, Information security management systems — Overview and vocabulary
— ISO/IEC 27001, Information security management systems — Requirements
— ISO/IEC 27002, Code of practice for information security controls
— ISO/IEC 27003, Information security management system implementation guidance
— ISO/IEC 27004, Information security management — Measurement
— ISO/IEC 27005, Information security risk management
— ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
— ISO/IEC 27007, Guidelines for information security management systems auditing
— ISO/IEC TR 27008, Guidelines for auditors on information security controls
— ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
— ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
— ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
— ISO/IEC 27014, Governance of information security
— ISO/IEC TR 27015, Information security management guidelines for financial services
— ISO/IEC TR 27016, Information security management — Organizational economics
NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
International Standards not under the same general title that are also part of the ISMS family of standards are as follows:
— ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, and defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish, implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This International Standard provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements
2.2
analytical model
algorithm or calculation combining one or more base measures (2.10) and/or derived measures (2.22) with associated decision criteria
2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset
2.4
attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively by human or automated means
[SOURCE: ISO/IEC 15939:2007, modified – “entity” has been replaced by “object” in the definition.]
2.5
audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
2.6
audit scope
extent and boundaries of an audit (2.5)
[SOURCE: ISO 19011:2011]
2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.8
authenticity
property that an entity is what it claims to be
2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: A base measure is functionally independent of other measures.
2.11
competence
ability to apply knowledge and skills to achieve intended results
2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.61)
2.13
conformity
fulfilment of a requirement (2.63)
Note 1 to entry: The term “conformance” is synonymous but deprecated.
2.14
consequence
outcome of an event (2.25) affecting objectives (2.56)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
measure that is modifying risk (2.68)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.
2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]
2.22
derived measure
measure (2.47) that is defined as a function of two or more values of base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
2.27
external context
external environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57); and
— relationships with, and perceptions and values of, external stakeholders (2.82).
2.28
governance of information security
system by which an organization’s (2.57) information security activities are directed and controlled
2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformance of the organization (2.57)
Note 1 to entry: Governing body can in some jurisdictions be a board of directors.
2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an analytical model (2.2) with respect to defined information needs (2.31)
2.31
information need
insight necessary to manage objectives, goals, risks and problems
[SOURCE: ISO/IEC 15939:2007]
2.32
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note 1 to entry: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54), and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant
2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant probability of compromising business operations and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.36)
2.38
information sharing community
group of organizations that agree to share information
Note 1 to entry: An organization can be an individual.
2.39
information system
applications, services, information technology assets, or other information handling components
2.40
integrity
property of accuracy and completeness
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity
2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization’s culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their likelihood (2.45)
[SOURCE: ISO Guide 73:2009, modified — “or combination of risks,” has been deleted.]
2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60) and objectives (2.56) and processes (2.61) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The term “measures” is used to refer collectively to base measures, derived measures, and indicators.
2.48
measurement
process (2.61) to determine a value
Note 1 to entry: In the context of information security (2.33) the process of determining a value requires information about the effectiveness (2.24) of an information security management system (2.46) and its associated controls (2.16) using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2), and decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need (2.31)
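Entries 2.47 to 2.51, together with 2.2, 2.10, 2.20, 2.21, 2.22 and 2.30, describe a single chain from base measures through a measurement function and analytical model to interpreted indicators. The Python below is an added illustration of that chain and is not text or code from the standard; the patch-compliance scenario, host names, thresholds and helper names are all invented for the example.

```python
"""Added example, not part of ISO/IEC 27000: the measurement chain the
vocabulary describes (base measures 2.10 -> measurement function 2.49 ->
derived measure 2.22 -> analytical model 2.2 with decision criteria 2.21
-> indicator 2.30 -> measurement results 2.51), applied to a constructed
patch-compliance measurement. Host names and thresholds are invented."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed inventory of objects (2.55) in scope; these are not real systems.
SAMPLE_INVENTORY: List[dict] = [
    {"host": "web-01", "patched_within_sla": True},
    {"host": "web-02", "patched_within_sla": True},
    {"host": "db-01", "patched_within_sla": False},
    {"host": "vpn-01", "patched_within_sla": True},
    {"host": "jump-01", "patched_within_sla": True},
]

# The information need (2.31) this measurement addresses; constructed wording.
INFORMATION_NEED = "Are in-scope hosts patched within the organization's SLA?"


@dataclass(frozen=True)
class BaseMeasure:
    """2.10: a measure defined by an attribute (2.4) and the method for
    quantifying it; 2.50 Note 1 classifies the method as objective or subjective."""
    name: str
    attribute: str
    method_type: str
    method: Callable[[List[dict]], float]


@dataclass(frozen=True)
class DecisionCriteria:
    """2.21: thresholds that determine the need for action or further
    investigation. Ratios at or above `target` need no action; ratios below
    `target` but at or above `investigate` call for investigation; anything
    lower requires action."""
    target: float
    investigate: float


@dataclass(frozen=True)
class Indicator:
    """2.30: estimate derived from the analytical model for an information
    need. `value` is None when the model could not produce one."""
    information_need: str
    value: Optional[float]
    status: str


# Measurement methods (2.50): objective counting rules over the inventory.
def count_in_scope(inventory: List[dict]) -> float:
    return float(len(inventory))


def count_patched_within_sla(inventory: List[dict]) -> float:
    return float(sum(1 for host in inventory if host["patched_within_sla"]))


HOSTS_IN_SCOPE = BaseMeasure("hosts_in_scope", "host count", "objective", count_in_scope)
HOSTS_PATCHED = BaseMeasure("hosts_patched_within_sla", "patched host count",
                            "objective", count_patched_within_sla)


def patch_compliance_ratio(base_values: Dict[str, float]) -> Optional[float]:
    """Measurement function (2.49) producing the derived measure (2.22).
    An empty scope makes the ratio undefined; returning None keeps it from
    being misread as 0 % or 100 % compliance."""
    total = base_values["hosts_in_scope"]
    if total == 0:
        return None
    return base_values["hosts_patched_within_sla"] / total


def analytical_model(ratio: Optional[float], criteria: DecisionCriteria) -> Indicator:
    """2.2: combine the derived measure with decision criteria to yield the indicator."""
    if ratio is None:
        return Indicator(INFORMATION_NEED, None, "insufficient data")
    if ratio >= criteria.target:
        return Indicator(INFORMATION_NEED, ratio, "on target")
    if ratio >= criteria.investigate:
        return Indicator(INFORMATION_NEED, ratio, "investigate")
    return Indicator(INFORMATION_NEED, ratio, "action required")


# Interpretations that, with the indicator, form the measurement results (2.51).
INTERPRETATIONS = {
    "on target": "Patching control (2.16) is effective (2.24); no action needed.",
    "investigate": "Below target; review (2.65) the hosts missing the SLA.",
    "action required": "Probable control failure; record a nonconformity (2.53) "
                       "and plan corrective action (2.19).",
    "insufficient data": "No hosts in scope; check the measurement scope first.",
}


def measure(inventory: List[dict], criteria: DecisionCriteria) -> dict:
    """2.48 measurement: the whole process of determining a value. Returns the
    data (2.20) collected and the measurement results (2.51)."""
    base_values = {m.name: m.method(inventory) for m in (HOSTS_IN_SCOPE, HOSTS_PATCHED)}
    ratio = patch_compliance_ratio(base_values)
    indicator = analytical_model(ratio, criteria)
    return {
        "data": {**base_values, "patch_compliance_ratio": ratio},
        "results": {"indicator": indicator,
                    "interpretation": INTERPRETATIONS[indicator.status]},
    }


if __name__ == "__main__":
    out = measure(SAMPLE_INVENTORY, DecisionCriteria(target=0.95, investigate=0.80))
    print(out["data"])
    print(out["results"]["indicator"].status, "-", out["results"]["interpretation"])
```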
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
Note 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
2.53
nonconformity
non-fulfilment of a requirement (2.63)
2.54
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)
2.56
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (2.61)).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
2.57
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (2.56)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
2.58
outsource
make an arrangement where an external organization (2.57) performs part of an organization’s function or process (2.61)
Note 1 to entry: An external organization is outside the scope of the management system (2.46), although the outsourced function or process is within the scope.
2.59
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (2.61), products (including services), systems or organizations (2.57).
2.60
policy
intentions and direction of an organization (2.57) as formally expressed by its top management (2.84)
2.61
process
set of interrelated or interacting activities which transforms inputs into outputs
2.62
reliability
property of consistent intended behaviour and results
2.63
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
2.64
residual risk
risk (2.68) remaining after risk treatment (2.79)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be known as “retained risk”.
2.65
review
activity undertaken to determine the suitability, adequacy and effectiveness (2.24) of the subject matter to achieve established objectives
[SOURCE: ISO Guide 73:2009]
2.66
review object
specific item being reviewed
2.67
review objective
statement describing what is to be achieved as a result of a review
2.68
risk
effect of uncertainty on objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event (2.25), its consequence (2.14), or likelihood (2.45).
Note 3 to entry: Risk is often characterized by reference to potential events (2.25) and consequences (2.14), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences (2.14) of an event (including changes in circumstances) and the associated likelihood (2.45) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats (2.83) will exploit vulnerabilities (2.89) of an information asset or group of information assets and thereby cause harm to an organization.
2.69
risk acceptance
informed decision to take a particular risk (2.68)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Risk acceptance can occur without risk treatment (2.79) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring (2.52) and review (2.65).
2.70
risk analysis
process to comprehend the nature of risk (2.68) and to determine the level of risk (2.44)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Risk analysis provides the basis for risk evaluation (2.74) and decisions about risk treatment (2.79).
Note 2 to entry: Risk analysis includes risk estimation.
2.71
risk assessment
overall process (2.61) of risk identification (2.75), risk analysis (2.70) and risk evaluation (2.74)
[SOURCE: ISO Guide 73:2009]
2.72
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (2.82) regarding the management of risk (2.68)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
2.73
risk criteria
terms of reference against which the significance of
...

INTERNATIONAL STANDARD ISO/CEI 27000
Third edition
2014-01-15
Technologies de l’information —
Techniques de sécurité — Systèmes
de management de la sécurité de
l’information — Vue d’ensemble et
vocabulaire
Information technology — Security techniques — Information
security management systems — Overview and vocabulary
Reference number
ISO/CEI 27000:2014(F)
ISO/CEI 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise indicated, no part of this publication may be reproduced or used in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Requests for permission may be addressed to ISO at the address below or to ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword ... iv
0 Introduction ... v
1 Scope ... 1
2 Terms and definitions ... 1
3 Information security management systems ... 13
3.1 Introduction ... 13
3.2 What is an ISMS? ... 13
3.3 Process approach ... 15
3.4 Why an ISMS is important ... 15
3.5 Establishing, monitoring, maintaining and improving an ISMS ... 16
3.6 ISMS critical success factors ... 19
3.7 Benefits of the ISMS family of standards ... 20
4 ISMS family of standards ... 20
4.1 General information ... 20
4.2 Standards describing an overview and terminology ... 21

4.3 Normes spécifiant des exigences .........................................................................................................................................22

4.4 Normes décrivant des lignes directrices générales ..............................................................................................22

4.5 Normes décrivant des lignes directrices propres à un secteur ..................................................................25

Annexe A (informative) Formes verbales pour exprimer des dispositions ..............................................................27

Annexe B (informative) Termes et propriété des termes ............................................................................................................28

Bibliographie ...........................................................................................................................................................................................................................32

© ISO/IEC 2014 – Tous droits réservés iii
---------------------- Page: 3 ----------------------
ISO/CEI 27000:2014(F)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO and IEC shall not be held responsible for identifying any or all such rights or for giving notice of their existence.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been technically revised.
0 Introduction
0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of International Standards for information security management systems, also known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets, including financial information, intellectual property, employee details, and information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.

0.2 ISMS family of standards

The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS. It consists of the following International Standards, listed below in numerical order, under the general title Information technology — Security techniques:

— ISO/IEC 27000, Information security management systems — Overview and vocabulary
— ISO/IEC 27001, Information security management systems — Requirements
— ISO/IEC 27002, Code of practice for information security controls
— ISO/IEC 27003, Information security management system implementation guidance
— ISO/IEC 27004, Information security management — Measurement
— ISO/IEC 27005, Information security risk management
— ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
— ISO/IEC 27007, Guidelines for information security management systems auditing
— ISO/IEC TR 27008, Guidelines for auditors on information security controls
— ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
— ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
— ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
— ISO/IEC 27014, Governance of information security
— ISO/IEC TR 27015, Information security management guidelines for financial services
— ISO/IEC TR 27016, Information security management — Organizational economics

NOTE The general title "Information technology — Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards that also belong to the ISMS family of standards but are not grouped under the same general title are:

— ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems and defines the related terms.

NOTE Annex A explains how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:

a) define requirements for an ISMS and for the bodies certifying such systems;
b) provide direct support, detailed guidance and/or interpretation of the overall process for establishing, implementing, maintaining and improving an ISMS;
c) address sector-specific guidelines for an ISMS;
d) address conformity assessment of an ISMS.

The terms and definitions given in this International Standard:

— cover the terms and definitions commonly used in the ISMS family of standards;
— do not cover all the terms and definitions used in the ISMS family of standards;
— do not prevent the ISMS family of standards from defining new terms for use.
INTERNATIONAL STANDARD ISO/IEC 27000:2014(F)
Information technology — Security techniques — Information security management systems — Overview and vocabulary

1 Scope

This International Standard provides an overview of information security management systems, and the terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements

2.2
analytical model
algorithm or calculation combining one or more base measures (2.10) and/or derived measures (2.22) with associated decision criteria

2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset

2.4
attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively by human or automated means

[SOURCE: ISO/IEC 15939:2007, modified – the term "entity" has been replaced by "object" in the definition.]

2.5
audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be internal (first party) or external (second or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: "Audit evidence" and "audit criteria" are defined in ISO 19011.

2.6
audit scope
extent and boundaries of an audit (2.5)
[SOURCE: ISO 19011:2011]
2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct

2.8
authenticity
property that an entity is what it claims to be

2.9
availability
property of being accessible and usable upon demand by an authorized entity

2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method specified for quantifying it
[SOURCE: ISO/IEC 15939:2007]

Note 1 to entry: A base measure is functionally independent of other measures.

2.11
competence
ability to apply knowledge and skills to achieve intended results

2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.61)

2.13
conformity
fulfilment of a requirement (2.63)

Note 1 to entry: The English term "conformance" is synonymous but deprecated.

2.14
consequence
outcome of an event (2.25) affecting objectives (2.56)
[SOURCE: ISO Guide 73:2009]

Note 1 to entry: An event can lead to a range of consequences.

Note 2 to entry: A consequence can be certain or uncertain; in the context of information security it is usually negative.

Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.

Note 4 to entry: Initial consequences can escalate through knock-on effects.

2.15
continual improvement
recurring activity to enhance performance (2.59)

2.16
control
measure that is modifying risk (2.68)
[SOURCE: ISO Guide 73:2009]

Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.

Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.

2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)

2.18
correction
action to eliminate a detected nonconformity (2.53)

2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence

2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007]

Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.

2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]

2.22
derived measure
measure (2.47) that is defined as a function of two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]

2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).

2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]

Note 1 to entry: An event can be one or more occurrences, and can have several causes.

Note 2 to entry: An event can consist of something not happening.

Note 3 to entry: An event can sometimes be referred to as an "incident" or "accident".

2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for implementation of strategies and policies to accomplish the purpose of the organization (2.57)

Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.

2.27
external context
external environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]

Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57);
— relationships with, and perceptions and values of, external stakeholders (2.82).

2.28
governance of information security
system by which an organization (2.57) directs and controls its information security activities

2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformity of the organization (2.57)

Note 1 to entry: In some jurisdictions, the governing body can be a board of directors.

2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an analytical model (2.2) with respect to defined information needs (2.31)

2.31
information need
insight necessary to manage objectives, risks and problems
[SOURCE: ISO/IEC 15939:2007]

2.32
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information

Note 1 to entry: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54) and reliability (2.62), can also be involved.

2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations

2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant

2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant probability of compromising business operations and threatening information security (2.33)

2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.36)

2.38
information sharing community
group of organizations that agree to share information

Note 1 to entry: An organization can be an individual.

2.39
information system
applications, services, information technology assets, or other information handling components

2.40
integrity
property of accuracy and completeness

2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity

2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]

Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;

— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.

2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS

2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their likelihood (2.45)

[SOURCE: ISO Guide 73:2009, modified – the phrase "or combination of risks" has been deleted.]

2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009]

2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60), objectives (2.56) and processes (2.61) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.

Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007]

Note 1 to entry: The term "measures" is used to refer collectively to base measures, derived measures and indicators.

2.48
measurement
process (2.61) to determine a value

Note 1 to entry: In the context of information security (2.33), the process to determine a value requires information about the effectiveness (2.24) of an information security management system (2.46) and its associated controls (2.16), using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2) and decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]

2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007]

Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
— subjective: quantification involving human judgement;
— objective: quantification based on numerical rules.

2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need (2.31)
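The measurement vocabulary in 2.2, 2.10, 2.21, 2.22, 2.30 and 2.47 to 2.51 describes one chain: base measures obtained by a measurement method, a measurement function producing a derived measure, an analytical model applying decision criteria to produce an indicator, and measurement results that pair the indicator with an interpretation. The Python below is an added illustration of that chain and is not part of the standard or of ISO/IEC 27004; the account inventory, field names, the 90-day dormancy threshold and the green/amber/red criteria are constructed assumptions, chosen so that the information need is a realistic ISMS question (is privileged access protected by MFA?).

```python
"""Added example: the ISO/IEC 15939 measurement chain as used by ISO/IEC 27004,
run over a constructed account inventory (not data from the standard)."""
from dataclasses import dataclass

# Constructed sample input: one record per account, i.e. attribute values of the
# object "account". Names, fields and thresholds are assumptions for illustration.
ACCOUNT_INVENTORY = [
    {"id": "alice",      "privileged": True,  "mfa": True,  "last_login_days": 3},
    {"id": "bob",        "privileged": True,  "mfa": False, "last_login_days": 120},
    {"id": "carol",      "privileged": False, "mfa": True,  "last_login_days": 1},
    {"id": "dave",       "privileged": False, "mfa": False, "last_login_days": 45},
    {"id": "svc-backup", "privileged": True,  "mfa": False, "last_login_days": 400},
]


# --- Base measures: one attribute each, quantified by an objective measurement method
def count_privileged(records) -> int:
    """Base measure: number of privileged accounts (method: filter and count)."""
    return sum(1 for r in records if r["privileged"])


def count_privileged_without_mfa(records) -> int:
    """Base measure: privileged accounts with no MFA enrolled (method: filter and count)."""
    return sum(1 for r in records if r["privileged"] and not r["mfa"])


def count_dormant(records, threshold_days: int = 90) -> int:
    """Base measure: accounts unused for more than threshold_days (threshold is an assumption)."""
    return sum(1 for r in records if r["last_login_days"] > threshold_days)


# --- Measurement function: combines two base measures into a derived measure
def ratio(numerator: int, denominator: int) -> float:
    """Derived measure numerator/denominator; an empty population yields 0.0 rather than an error."""
    return 0.0 if denominator == 0 else numerator / denominator


@dataclass(frozen=True)
class DecisionCriteria:
    """Thresholds used to decide whether action or further investigation is needed."""
    target: float  # value at or below which the control objective is considered met
    alert: float   # value above which immediate action is required

    def classify(self, value: float) -> str:
        if value <= self.target:
            return "green"
        if value <= self.alert:
            return "amber"
        return "red"


@dataclass(frozen=True)
class Indicator:
    information_need: str
    value: float
    status: str
    rationale: str


def analytical_model(records, criteria: DecisionCriteria) -> Indicator:
    """Analytical model: combine the derived measure with decision criteria into an
    indicator answering the information need 'is privileged access adequately protected?'."""
    privileged = count_privileged(records)
    unprotected = count_privileged_without_mfa(records)
    dormant = count_dormant(records)
    exposure = ratio(unprotected, privileged)  # derived measure
    return Indicator(
        information_need="privileged-access exposure",
        value=round(exposure, 3),
        status=criteria.classify(exposure),
        rationale=(f"{unprotected} of {privileged} privileged accounts lack MFA; "
                   f"{dormant} accounts dormant for more than 90 days"),
    )


def measurement_results(records, criteria: DecisionCriteria) -> dict:
    """Measurement results: the indicator plus its interpretation for the decision maker."""
    indicator = analytical_model(records, criteria)
    interpretation = {
        "green": "control objective met; no action",
        "amber": "investigate; schedule remediation",
        "red": "act now: enrol MFA on the listed privileged accounts",
    }[indicator.status]
    return {"indicator": indicator, "interpretation": interpretation}


if __name__ == "__main__":
    result = measurement_results(ACCOUNT_INVENTORY, DecisionCriteria(target=0.0, alert=0.2))
    print(result["indicator"])
    print(result["interpretation"])
```

The point of keeping each layer as its own function is that the base measures stay functionally independent (2.10, Note 1) and can be re-collected by a different method, while the decision criteria are data, not code, so the thresholds can be changed without touching the measurement function. On the constructed inventory the derived measure is 2/3, which the criteria classify as red.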
2.52
monitoring
determining the status of a system, a process (2.61) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

2.53
nonconformity
non-fulfilment of a requirement (2.63)

2.54
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities

2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)

2.56
objective
result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (2.61)).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, an information security objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
2.57
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (2.56)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

2.58
outsource
make an arrangement where an external organization (2.57) performs part of an organization’s function or process (2.61)

Note 1 to entry: An external organization is outside the scope of the management system (2.46), although the outsourced function or process is within the scope.

2.59
performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (2.61), products (including services), systems or organizations (2.57).

2.60
policy
intentions and direction of an organization (2.57) as formally expressed by its top management (2.84)

2.61
process
set of interrelated or interacting activities which transforms inputs into outputs

2.62
reliability
property of consistent intended behaviour and results

2.63
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

2.64
residual risk
...

SLOVENSKI STANDARD oSIST ISO/IEC DIS 27000:2013 (01-september-2013; en, fr, de)
This Slovenian standard is identical to: ISO/IEC DIS 27000
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazje
Technologies de l'information -- Techniques de sécurité -- Systèmes de management de la sécurité de l'information -- Vue d'ensemble et vocabulaire
Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
ICS: 35.040 Character sets and information coding; 01.040.35 Information technology. Office machines (Vocabularies)
Slovenski inštitut za standardizacijo. Reproduction of the whole or parts of this standard is not permitted.
To expedite distribution, this document is circulated as received from the committee secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at publication stage.

This document is a draft circulated for comment and approval. It is therefore subject to change and may not be referred to as an International Standard until published as such. In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

© International Organization for Standardization, 2013
© International Electrotechnical Commission, 2013

DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27000
ISO/IEC JTC 1
Secretariat: ANSI
Voting begins on: 2013-07-16
Voting terminates on: 2013-10-16
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION • COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology — Security techniques — Information security management systems — Overview and vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Vue d'ensemble et vocabulaire
[Revision of second edition (ISO/IEC 27000:2012)]
ICS 01.040.35; 35.040

Contents

Foreword  vi
0 Introduction  viii
0.1 Overview  viii
0.2 ISMS family of standards  viii
0.3 Purpose of this International Standard  ix
1 Scope  10
2 Terms and definitions  10
3 Information security management systems  24
3.1 Introduction  24
3.2 What is an ISMS?  25
3.2.1 Overview and principles  25
3.2.2 Information  25
3.2.3 Information security  26
3.2.4 Management  26
3.2.5 Management system  26
3.3 Process approach  27
3.4 Why an ISMS is important  27
3.5 Establishing, monitoring, maintaining and improving an ISMS  29
3.5.1 Overview  29
3.5.2 Identifying information security requirements  29
3.5.3 Assessing information security risks  29
3.5.4 Treating information security risks  30
3.5.5 Selecting and implementing controls  31
3.5.6 Monitor, maintain and improve the effectiveness of the ISMS  32
3.5.7 Continual improvement  32
3.6 ISMS critical success factors  33
3.7 Benefits of the ISMS family of standards  33
4 ISMS family of standards  34
4.1 General information  34
4.2 Standards describing an overview and terminology  36
4.2.1 ISO/IEC 27000 (this document)  36
4.3 Standards specifying requirements  36
4.3.1 ISO/IEC 27001  36
4.3.2 ISO/IEC 27006  37
4.4 Standards describing general guidelines  37
4.4.1 ISO/IEC 27002  37
4.4.2 ISO/IEC 27003  38
4.4.3 ISO/IEC 27004  38
4.4.4 ISO/IEC 27005  38
4.4.5 ISO/IEC 27007  38
4.4.6 ISO/IEC TR 27008  39
4.4.7 ISO/IEC 27013  39
4.4.8 ISO/IEC 27014  39

oSIST ISO/IEC DIS 27000:2013


4.4.9 ISO/IEC TR 27016  40
4.5 Standards describing sector-specific guidelines  40
4.5.1 ISO/IEC 27010  40
4.5.2 ISO/IEC 27011  41
4.5.3 ISO/IEC TR 27015  41
4.5.4 ISO 27799  41
Annex A (informative) Verbal forms for the expression of provisions  42
Annex B (informative) Terms and Terms Ownership  43
B.1 Term ownership  43
B.2 Terms ordered by Standards  44
1. ISO/IEC 27001  44
2. ISO/IEC 27002  44
3. ISO/IEC 27003  44
4. ISO/IEC 27004  44
5. ISO/IEC 27005  45
6. ISO/IEC 27006  45
7. ISO/IEC 27007  45
8. ISO/IEC 27008  45
9. ISO/IEC 27010  45
10. ISO/IEC 27011  45
11. ISO/IEC 27014  46
12. ISO/IEC 27015  46
13. ISO/IEC 27016  46
Bibliography  47


Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 27000:2012).


0 Introduction

0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.

0.2 ISMS family of standards

The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS and consists of the following International Standards, under the general title Information technology — Security techniques (given below in numerical order):

- ISO/IEC 27000, Information security management systems — Overview and vocabulary
- ISO/IEC FDIS 27001, Information security management systems — Requirements
- ISO/IEC FDIS 27002, Code of practice for information security controls
- ISO/IEC 27003, Information security management system implementation guidance
- ISO/IEC 27004, Information security management — Measurement
- ISO/IEC 27005, Information security risk management
- ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007, Guidelines for information security management systems auditing
- ISO/IEC TR 27008, Guidelines for auditors on information security management systems controls
- ISO/IEC 27010, Information security management guidelines for inter-sector and inter-organizational communications


- ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014, Governance of information security
- ISO/IEC TR 27015, Information security management guidelines for financial services
- ISO/IEC DTR 27016, Information security management – Organizational economics

Note: The general title "Information technology — Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards not under the same general title that are also part of the ISMS family of standards are as follows:

- ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems, and defines related terms.

Note: Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish, implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard:
- cover commonly used terms and definitions in the ISMS family of standards;
- will not cover all terms and definitions applied within the ISMS family of standards; and
- do not limit the ISMS family of standards in defining new terms for use.


Information technology — Security techniques — Information security management systems — Overview and vocabulary

1 Scope

This International Standard provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards.

This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1 access control
means to ensure that access to assets is authorized and restricted based on business and security requirements

2.2 analytical model
algorithm or calculation combining one or more base measures (2.10) and/or derived measures (2.22) with associated decision criteria

2.3 attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset

2.4 attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively by human or automated means
[Adopted from ISO/IEC 15939:2007]

2.5 audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled


Note 1: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2: "Audit evidence" and "audit criteria" are defined in ISO 19011.

2.6 audit scope
extent and boundaries of an audit (2.5)
[ISO 19011:2011]

2.7 authentication
provision of assurance that a claimed characteristic of an entity is correct

2.8 authenticity
property that an entity is what it claims to be

2.9 availability
property of being accessible and usable upon demand by an authorized entity

2.10 base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it
[ISO/IEC 15939:2007]
Note: A base measure is functionally independent of other measures.

2.11 competence
ability to apply knowledge and skills to achieve intended results

2.12 confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.61)

2.13 conformity
fulfillment of a requirement (2.63)
Note: The term "conformance" is synonymous but deprecated.

2.14 consequence
outcome of an event (2.25) affecting objectives (2.56)


[ISO Guide 73:2009]
Note 1: An event can lead to a range of consequences.
Note 2: A consequence can be certain or uncertain and in the context of information security is usually negative.
Note 3: Consequences can be expressed qualitatively or quantitatively.
Note 4: Initial consequences can escalate through knock-on effects.

2.15 continual improvement
recurring activity to enhance performance (2.59)

2.16 control
measure that is modifying risk (2.68)
[ISO Guide 73:2009]
Note 1: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2: Controls may not always exert the intended or assumed modifying effect.

2.17 control objective
statement describing what is to be achieved as a result of implementing controls (2.16)

2.18 correction
action to eliminate a detected nonconformity (2.53)

2.19 corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence

2.20 data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[ISO/IEC 15939:2007]
Note: This definition applies only within the context of ISO/IEC 27004:2009.

2.21 decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result


[ISO/IEC 15939:2007]

2.22 derived measure
measure (2.47) that is defined as a function of two or more values of base measures (2.10)
[ISO/IEC 15939:2007]

2.23 documented information
information required to be controlled and maintained by an organization (2.57) and the medium on which it is contained
Note 1: Documented information can be in any format and media and from any source.
Note 2: Documented information can refer to
- the management system (2.46), including related processes (2.61);
- information created in order for the organization to operate (documentation);
- evidence of results achieved (records).

2.24 effectiveness
extent to which planned activities are realized and planned results achieved

2.25 event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
Note 1: An event can be one or more occurrences, and can have several causes.
Note 2: An event can consist of something not happening.
Note 3: An event can sometimes be referred to as an "incident" or "accident".

2.26 executive management
person or group of people who have delegated responsibility from the governing body (2.29) for implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.

2.27 external context
external environment in which the organization seeks to achieve its objectives


[ISO Guide 73:2009]
Note: External context can include:
- the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives (2.56) of the organization (2.57); and
- relationships with, and perceptions and values of, external stakeholders (2.82).

2.28 governance of information security
set of principles and processes (2.61) by which an organization (2.57) provides direction and oversight of information security-related activities

2.29 governing body
group of people who are ultimately accountable for the performance (2.59) of the organization (2.57)
Note: Governing body can in some jurisdictions be a board of directors.

2.30 indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an analytical model (2.2) with respect to defined information needs (2.31)

2.31 information need
insight necessary to manage objectives, goals, risks and problems
[ISO/IEC 15939:2007]

2.32 information processing facilities
any information processing system, service or infrastructure, or the physical locations housing them

2.33 information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54), and reliability (2.62) can also be involved.

2.34 information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations


2.35 information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant

2.36 information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant probability of compromising business operations and threatening information security (2.33)

2.37 information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.36)

2.38 information sharing community
group of organizations that agree to share information
Note: An organization can be an individual.

2.39 information system
applications, services, information technology assets, or other information handling components

2.40 integrity
property of accuracy and completeness

2.41 interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity

2.42 internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
Note: Internal context can include:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- information systems, information flows and decision-making processes (both formal and informal);


- relationships with, and perceptions and values of, internal stakeholders;
- the organization's culture;
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.

2.43 ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS

2.44 level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their likelihood (2.45)
[Adopted from ISO Guide 73:2009]

2.45 likelihood
chance of something happening
[ISO Guide 73:2009]

2.46 management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60) and objectives (2.56) and processes (2.61) to achieve those objectives
Note 1: A management system can address a single discipline or several disciplines.
Note 2: The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.
Note 3: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

2.47 measure
variable to which a value is assigned as the result of measurement (2.48)
[ISO/IEC 15939:2007]
Note: The term "measures" is used to refer collectively to base measures, derived measures, and indicators.

2.48 measurement
process (2.61) to determine a value


Note: In the context of information security (2.33) the process of determining a value requires information about the effectiveness (2.24) of an information security management system (2.46) and its associated controls (2.16) using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2), and decision criteria (2.21).

2.49 measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[ISO/IEC 15939:2007]

2.50 measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect to a specified scale (2.80)
[ISO/IEC 15939:2007]
Note: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
- subjective: quantification involving human judgment;
- objective: quantification based on numerical rules.

2.51 measurement results
one or more indicators (2.30) and their associated interpretations that address an information need (2.31)

2.52 monitoring
determining the status of a system, a process (2.61) or an activity
Note: To determine the status there may be a need to check, supervise or critically observe.

2.53 nonconformity
non-fulfillment of a requirement (2.63)

2.54 non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities

2.55 object
item characterized through the measurement (2.48) of its attributes (2.4)
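The measurement terms in this clause (base measure 2.10, measurement function 2.49, derived measure 2.22, analytical model 2.2, decision criteria 2.21, indicator 2.30 and measurement results 2.51) describe one chain, and the Note to 2.48 lists the pieces without showing how a value flows through them. The following Python walk-through is an added illustration, not text from the standard or from ISO/IEC 27004: it carries one patch-compliance measurement from two base measures to an indicator with an interpretation. The information need, attribute names, measurement methods, thresholds and host counts are all constructed for the example, and the guards in the measurement function show where an impossible pair of base measures (more hosts patched than in scope) should be rejected as a measurement-method defect rather than interpreted by the analytical model.

```python
"""ISMS measurement chain in the ISO/IEC 15939 vocabulary that ISO/IEC 27000 reuses.

Added illustration, not text from the standard. The information need, the
attribute names, the measurement methods, the thresholds and the counts are
all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BaseMeasure:
    """2.10: an attribute (2.4) plus the measurement method (2.50) that quantifies it.

    The value is what measurement (2.48) assigned. It must not depend on any
    other measure (Note to 2.10); any dependency belongs in a derived measure.
    """
    name: str
    attribute: str
    method: str
    value: float


@dataclass(frozen=True)
class DerivedMeasure:
    """2.22: a measure defined as a function of two or more base measures."""
    name: str
    value: float
    inputs: tuple


@dataclass(frozen=True)
class DecisionCriteria:
    """2.21: thresholds that decide whether action is needed."""
    target: float        # at or above this, no action is needed
    action_floor: float  # below this, a nonconformity (2.53) is raised


@dataclass(frozen=True)
class Indicator:
    """2.30: estimate of the attribute, derived from the analytical model."""
    name: str
    value: float
    status: str
    interpretation: str


def measurement_function(in_scope: BaseMeasure, on_time: BaseMeasure) -> DerivedMeasure:
    """2.49: combine two base measures into the patch-compliance ratio.

    The checks reject base measures that cannot both be true at once; that is
    a defect in the measurement method, not something for the model to rate.
    """
    if in_scope.value <= 0:
        raise ValueError("no hosts in scope: the ratio is undefined")
    if on_time.value < 0 or on_time.value > in_scope.value:
        raise ValueError("patched count outside [0, in-scope count]: check the measurement method")
    ratio = on_time.value / in_scope.value
    return DerivedMeasure("patch_compliance_ratio", ratio, (in_scope.name, on_time.name))


def analytical_model(ratio: DerivedMeasure, criteria: DecisionCriteria) -> Indicator:
    """2.2: apply the decision criteria to the derived measure to produce an indicator."""
    if not 0.0 <= criteria.action_floor <= criteria.target <= 1.0:
        raise ValueError("decision criteria must satisfy 0 <= action_floor <= target <= 1")
    if ratio.value >= criteria.target:
        status, text = "green", "target met; no action required"
    elif ratio.value >= criteria.action_floor:
        status, text = "amber", "below target; investigate the hosts that missed the window"
    else:
        status, text = "red", "below action floor; raise a nonconformity (2.53) and corrective action (2.19)"
    return Indicator("patch_compliance", round(ratio.value, 3), status, text)


def measurement_results(in_scope_count: int, on_time_count: int,
                        criteria: DecisionCriteria) -> Indicator:
    """2.51: run the chain for one reporting period and return the indicator.

    Information need (2.31), constructed for the example: are in-scope hosts
    patched within the 30-day window the patch policy (2.60) requires?
    """
    in_scope = BaseMeasure(
        name="hosts_in_scope",
        attribute="number of hosts inside the ISMS scope",
        method="count hosts tagged in-scope in the asset inventory (constructed method)",
        value=in_scope_count,
    )
    on_time = BaseMeasure(
        name="hosts_patched_within_30d",
        attribute="number of in-scope hosts patched within 30 days of the advisory",
        method="compare patch install timestamps with advisory dates (constructed method)",
        value=on_time_count,
    )
    return analytical_model(measurement_function(in_scope, on_time), criteria)


if __name__ == "__main__":
    # Constructed sample period: 120 hosts in scope, 102 patched on time -> amber.
    print(measurement_results(120, 102, DecisionCriteria(target=0.95, action_floor=0.80)))
```

The separation matters in practice: the measurement method and the measurement function are where data quality is enforced, while the decision criteria are a management choice that can be changed without touching how the numbers are collected. Keeping the two apart is what lets an auditor (2.5) check the evidence behind an indicator independently of the threshold it was judged against.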

...
