Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management

ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security.


General information

Status: Withdrawn
Publication date: 18-Nov-2004
Withdrawal date: 18-Nov-2004
Current stage: 9599 - Withdrawal of International Standard (start date 22-Mar-2010, completion date 12-Feb-2026)
Relations: effective date 15-Apr-2008
Language: English, 28 pages


Frequently asked questions

ISO/IEC 13335-1:2004 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security; 35.040 - Information coding. The ICS classification identifies the subject area and helps locate related standards.

ISO/IEC 13335-1:2004 cancels and replaces ISO/IEC TR 13335-1:1996 and ISO/IEC TR 13335-2:1997, both of which it technically revises (see the Foreword in the sample below). Checking these relationships is how you confirm you are working from the current, applicable version of the standard.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 13335-1
First edition
2004-11-15

Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management
© ISO/IEC 2004 – All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Definitions
3 Security concepts and relationships
3.1 Security principles
3.2 Assets
3.3 Threats
3.4 Vulnerabilities
3.5 Impact
3.6 Risk
3.7 Safeguards
3.8 Constraints
3.9 Security element relationships
4 Objectives, strategies and policies
4.1 ICT security objectives and strategy
4.2 Policy hierarchy
4.3 Corporate ICT security policy elements
5 Organizational aspects of ICT security
5.1 Roles and responsibilities
5.1.1 Organizational roles, accountabilities and responsibilities
5.1.2 ICT security forum
5.1.3 Corporate ICT security officer
5.1.4 ICT users
5.2 Organizational principles
5.2.1 Commitment
5.2.2 Consistent approach
5.2.3 Integrating ICT security
6 ICT security management functions
6.1 Overview
6.2 Cultural and environmental conditions
6.3 Risk management

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the representative organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work. In the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft
International Standards adopted by the joint technical committee are circulated to national bodies for
voting. Publication as an International Standard requires approval by at least 75 % of the national
bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 13335-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC 13335-1 cancels and replaces ISO/IEC TR 13335-1:1996 and
ISO/IEC TR 13335-2:1997, which have been technically revised.

ISO/IEC 13335 consists of the following parts, under the general title Information technology —
Security techniques — Management of information and communications technology security:

— Part 1: Concepts and models for information and communications technology security
management
The following part is under preparation:

— Part 2: Techniques for information and communications technology security risk management

ISO/IEC 13335-2, when published, will cancel and replace ISO/IEC TR 13335-3:1998 and
ISO/IEC TR 13335-4:2000. ISO/IEC TR 13335-5:2001 is currently under revision. In the course of
the revision process it will be merged with ISO/IEC 18028-1. When it is published,
ISO/IEC 18028-1 will consequently cancel and replace ISO/IEC TR 13335-5:2001.


Introduction
ISO/IEC 13335-1, Information technology — Security techniques — Management of
information and communications technology security — Part 1: Concepts and models for
information and communications technology security management, is the first in a series that
deals with the management aspects of planning, implementation and operations, including
maintenance, of information and communications technology (ICT) security.

Government and commercial organizations rely heavily on the use of information to conduct
their business activities. Compromise of confidentiality, integrity, availability, non-repudiation,
accountability, authenticity and reliability of an organization’s assets can have an adverse impact.
Consequently, there is a critical need to protect information and to manage the security of ICT
systems within organizations. This requirement to protect information is particularly important
in today’s environment because many organizations are internally and externally connected by
networks of ICT systems not necessarily controlled by their organizations. As well, legislation in
many countries requires that management take appropriate action to mitigate risk related to the
business and the use of ICT systems. Such legislation may cover not only privacy/data protection
but also healthcare and financial markets, among others.

Part 1 provides a high-level management overview. This material is suitable for managers and
those who have responsibility for ICT security, for an organization’s overall security program or
an organization’s ICT systems. Part 1 focuses its attention on concepts and models for managing
the planning, implementation and operations of ICT security. This Part contains:

- definitions applicable to all parts of this International Standard (Clause 2);
- descriptions of the major security elements and their relationships that are involved in ICT security management (Clause 3);
- corporate security objectives, strategies and policies needed for effective organizational ICT security (Clause 4);
- organization for effective ICT security, models for accountability, explicit assignment and acknowledgement of security responsibilities (Clause 5);
- an overview of ICT security management functions (Clause 6).

The information provided in ISO/IEC 13335-1 may not be directly applicable to all
organizations. In particular, small organizations are not likely to have all the resources available
to completely perform some of the functions described. In these situations, it is important that the
basic concepts and functions are addressed in an appropriate manner for the organization. Even
in some large organizations, some of the functions discussed in this part may not be
accomplished exactly as described.
ISO/IEC 13335 is organized into two parts.

Part 1 (ISO/IEC 13335-1 Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management) provides an overview of the fundamental concepts and models used to describe the management of ICT security.

Part 2 (ISO/IEC 13335-2 Information technology – Security techniques – Management of information and communications technology security – Part 2: Techniques for information and communications technology security risk management, to be published) describes security risk management techniques appropriate for use by those involved with management activities.

Note that Parts 3, 4 and 5 are Technical Reports. As noted in the Foreword, ISO/IEC 13335 Part 1 supersedes ISO/IEC TR 13335 Part 1 and Part 2. ISO/IEC 13335 Part 2, when published, will supersede ISO/IEC TR 13335 Part 3 and Part 4.
Part 3 (ISO/IEC TR 13335-3 Information technology – Security techniques - Guidelines for the
management of Information Technology security - Part 3: Techniques for the management of
Information Technology security) describes security risk management techniques appropriate for
use by those involved with management activities.
Part 4 (ISO/IEC TR 13335-4 Information technology – Security techniques - Guidelines for the
management of Information Technology security - Part 4: Selection of safeguards) provides
guidance for the selection of safeguards, and how this can be supported by the use of baseline
models and controls. It also describes how this complements the security techniques described in
Part 2, and how additional assessment methods can be used for the selection of safeguards.
Part 5 (ISO/IEC TR 13335-5 Information technology – Security techniques - Guidelines for the
management of Information Technology security – Part 5: Management guidance on network
security) provides guidance with respect to networks and communications to those responsible
for the management of IT security. This guidance supports the identification and analysis of the
communications related factors that should be taken into account to establish network security
requirements. It also contains a brief introduction to the possible safeguard areas.

INTERNATIONAL STANDARD ISO/IEC 13335-1:2004(E)

Information technology — Security techniques — Management
of information and communications technology security —
Part 1:
Concepts and models for information and communications
technology security management

1 Scope
ISO/IEC 13335 contains guidance on the management of ICT security. Part 1 of ISO/IEC 13335
presents the concepts and models fundamental to a basic understanding of ICT security, and
addresses the general management issues that are essential to the successful planning,
implementation and operation of ICT security.
It is not the intent of this International Standard to suggest a particular management approach to
ICT security. Instead ISO/IEC 13335-1 contains a general discussion of useful concepts and
models for the management of ICT security. This material is general and applicable to many
different styles of management and organizational environments. It is organized in a manner
that allows the tailoring of the material to meet the needs of an organization and its specific
management style.
2 Definitions
For the purposes of this document and the other Parts of ISO/IEC 13335, the following terms and
definitions apply. They are drawn from all parts of ISO/IEC 13335 and from ISO/IEC 17799. Any
deviation from the definitions found in those references reflects the specific usage in ISO/IEC 13335
with respect to the IT security environment.

2.1
accountability
the property that ensures that the actions of an entity may be traced uniquely to the entity
[ISO/IEC 7498-2]
2.2
asset
anything that has value to the organization


2.3
authenticity
the property that ensures that the identity of a subject or resource is the one claimed. Authenticity
applies to entities such as users, processes, systems and information

2.4
availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 7498-2]
2.5
baseline controls
a minimum set of safeguards established for a system or organization

2.6
confidentiality
the property that information is not made available or disclosed to unauthorized individuals,
entities, or processes
[ISO/IEC 7498-2]
2.7
control
in the context of ICT security, the term “control” may be considered synonymous with
“safeguard”. See 2.24, “safeguard”

2.8
guidelines
a description that clarifies what should be done and how, to achieve the objectives set out in
policies
2.9
impact
the result of an information security incident


2.10
information security incident
any unexpected or unwanted event that might cause a compromise of business activities or
information security. Examples of information security incidents are:
- loss of service, equipment or facilities,
- system malfunctions or overloads,
- human errors,
- non-compliances with policies or guidelines,
- breaches of physical security arrangements,
- uncontrolled system changes,
- malfunctions of software or hardware, and
- access violations.
2.11
ICT security
all aspects related to defining, achieving, and maintaining confidentiality, integrity, availability,
non-repudiation, accountability, authenticity, and reliability, of ICT

2.12
ICT security policy
rules, directives and practices that govern how assets, including sensitive information, are
managed, protected and distributed within an organization and its ICT systems

2.13
information processing facility(ies)
any information processing system, service or infrastructure, or the physical locations housing
them
2.14
information security
all aspects related to defining, achieving and maintaining confidentiality, integrity, availability,
non-repudiation, accountability, authenticity and reliability, of information or information
processing facilities
2.15
integrity
the property of safeguarding the accuracy and completeness of assets

2.16
non-repudiation
the ability to prove an action or event has taken place, so that this event or action cannot be
repudiated later
[ISO/IEC 13888-1; ISO IS 7498-2]


2.17
reliability
the property of consistent intended behaviour and results

2.18
residual risk
the risk that remains after risk treatment

2.19
risk
the potential that a given threat will exploit vulnerabilities of an asset or group of assets and
thereby cause harm to the organization. It is measured in terms of a combination of the
probability of an event and its consequence

2.20
risk analysis
the systematic process of estimating the magnitude of risks

2.21
risk assessment
the process of combining risk identification, risk analysis and risk evaluation

2.22
risk management
the total process of identifying, controlling, and eliminating or minimizing uncertain events that
may affect ICT system resources

2.23
risk treatment
the process of selection and implementation of controls to modify risk

2.24
safeguard
a practice, procedure or mechanism that treats risk. Note that the term “safeguard” may be
considered synonymous with the term “control”. See 2.7, “control”

2.25
threat
a potential cause of an incident that may result in harm to a system or organization

2.26
vulnerability
a weakness of an asset or group of assets that can be exploited by one or more threats


3 Security concepts and relationships
3.1 Security principles
The following high-level security principles are fundamental to the establishment of an effective
ICT security program.
Risk management: Assets should be protected through the adoption of appropriate safeguards.
Safeguards should be selected and managed on the basis of a suitable risk management
methodology, which assesses the organization’s assets, threats, vulnerabilities and the impact of
threats occurring, to arrive at attendant risks and taking constraints into consideration.

Commitment: Organizational commitment to ICT security and risk management is essential. To
gain commitment, the benefits of deploying ICT security should be specified.

Roles and responsibilities: Organizational management is responsible for securing assets. Roles
and responsibilities for ICT security should be clarified and communicated.

Objectives, strategies and policies: ICT security risk should be managed in consideration of the
organization’s objectives, strategies and policies.

Lifecycle management: ICT security management should be continuous throughout the lifecycle
of an organizational ICT asset.

The following sub-clauses describe at a high level the major security elements and their
relationships that are involved in security management, in view of the fundamental security
principles. Each of the elements is introduced, and the major contributing factors are identified.
Part 2 of this International Standard provides an in-depth discussion of elements of risk,
including threats, vulnerabilities and safeguards.

3.2 Assets
The proper management of assets is vital to the success of the organization, and is a major
responsibility of all management levels. The assets of an organization may be considered
valuable enough to warrant some degree of protection. These may include, without being limited
to:
- physical assets (e.g., computer hardware, communications facilities, buildings),
- information / data (e.g., documents, databases),
- software,
- the ability to provide a product or service,
- people, and
- intangibles (e.g., goodwill, image).

From a security perspective, it is not possible to implement and maintain a successful security
program if the assets of the organization are not identified. In many situations, the process of
identifying assets and assigning a value can be accomplished at a very high level and may not
require a costly, detailed, and time consuming exercise. The level of detail for this exercise
should be measured in terms of time and cost versus the value of the assets. In any case, the level
of detail should be determined on the basis of the security objectives.
Asset attributes to be considered include their value and/or sensitivity, and any safeguards
present. Vulnerabilities in the presence of particular threats influence protection requirements for
assets. The environments, cultures and legal systems in which the organization operates may
affect assets and their attributes. For example, some cultures consider the protection of personal
information as very important while others give a lower significance to this issue. These
environmental, cultural and legal variations can be significant for international organizations and
their use of ICT systems across international boundaries.
Based on an assessment of threats and vulnerabilities, and their combined impact, risk can be
assessed and then safeguards applied to protect the assets as appropriate. An assessment of
residual risk is then necessary to determine whether the assets are adequately protected.
3.3 Threats
Assets are subject to many kinds of threats. A threat has the potential to cause harm to an asset
and therefore an organization. This harm can occur from an attack on the information being
handled by an ICT system or service, on the system itself, or on other resources, e.g., by causing
unauthorized destruction, disclosure, modification, corruption, and unavailability or loss. A
threat needs to exploit an existing vulnerability of the asset in order to harm the asset. Threats
may be of environmental or human origin and, in the latter case, may be either accidental or
deliberate. Both accidental and deliberate threats should be identified and their level and
probability of occurrence assessed. Statistical data are available concerning many types of
environmental threats. Such data may be obtained and used by an organization while assessing
threats.

Examples of threats are:

Human (deliberate)          Human (accidental)        Environmental
Eavesdropping               Errors and omissions      Earthquake
Information modification    File deletion             Lightning
System hacking              Incorrect routing         Floods
Malicious code              Physical accidents        Fire
Theft

Table 1 – Examples of threats
Threats may impact specific parts of an organization, for example disruption to computers.
Some threats may be general to the surrounding environment in a particular location in which a
system or organization exists, for example, damage to buildings from hurricanes or lightning. A
threat may arise from within the organization, for example, sabotage by an employee, or from
outside, for example, malicious hacking or industrial espionage. The amount of harm can vary
widely for each occurrence of a threat. The harm may be of a temporary nature or may be
permanent as in the case of the destruction of an asset.
Threats have characteristics that define their relationships with other security elements. These
characteristics may include the following:

- source, i.e., insider vs. outsider,
- motivation, e.g., financial gain, competitive advantage,
- frequency of occurrence,
- likelihood, and
- impact.
Some threats may affect more than one asset. In such cases they may cause different impacts
depending on which assets are affected. For example, a software virus on a stand-alone personal
computer may have a limited or localized impact. However, the same software virus on a
network based file server may have widespread impact.

The environments and cultures in which the organization is situated can have a significant
bearing and influence on how the threats to the organization and to its assets are addressed.
Some threats may not be considered harmful in some cultures. Aspects of environment and
culture must be considered when addressing threats.

Threats may be qualified in terms such as High, Medium, and Low, depending on the outcome of
threat assessment.

3.4 Vulnerabilities
A weakness of an asset, or group of assets, that can be exploited by one or more threats is known
as a vulnerability. Vulnerabilities associated with assets include weaknesses in physical layout,
organization, procedures, personnel, management, administration, hardware, software or
information. Threats may exploit vulnerabilities to cause harm to the ICT system or business
objectives. A vulnerability can exist in the absence of corresponding threats. A vulnerability in
itself does not cause harm; a vulnerability is merely a condition or set of conditions that may
allow a threat to affect an asset. Vulnerabilities arising from different sources need to be
considered, for example, those intrinsic or extrinsic to the asset. Vulnerabilities may remain
unless the asset itself changes such that the vulnerability no longer applies. Vulnerabilities
should be assessed both individually and in aggregate to consider the full operational context.

An example of a vulnerability is lack of access control, which could allow the threat of an
intrusion to occur and assets to be lost.

Within a specific system or organization not all vulnerabilities will be susceptible to a threat.
Vulnerabilities that have a corresponding threat are of immediate concern. However, as the
environment can change unpredictably, all vulnerabilities should be monitored to identify those
that have become exposed to new or re-emerging threats.

Vulnerability assessment is the examination of weaknesses that may be exploited by identified
threats. This assessment must take into account the environment and existing safeguards. The
measure of a vulnerability of a particular system or asset to a threat is a statement of the ease with
which the system or asset may be harmed.

Vulnerabilities may be qualified in terms such as High, Medium, and Low, depending on the
outcome of the vulnerability assessment.

3.5 Impact
Impact is the result of an information security incident, caused by a threat, which affects assets.
The impact could be the destruction of certain assets, damage to the ICT system, and
compromise of confidentiality, integrity, availability, non-repudiation, accountability,
authenticity or reliability. Possible indirect impact includes financial losses, and the loss of
market share or company image. The measurement of impact permits a balance to be made
between the anticipated results of an incident and the cost of the safeguards to protect against the
incident. The probability of occurrence of an incident needs to be taken into account. This is
particularly important when the amount of harm caused by each occurrence is low but where the
aggregate effect of many incidents over time may be harmful. The assessment of impacts is an
important element in the assessment of risks and the selection of safeguards.

Quantitative and qualitative measurements of impact can be achieved in a number of ways, such
as:

- establishing the financial cost,
- assigning an empirical scale of severity, e.g., 1 through 10, and
- using adjectives selected from a predefined list, e.g., High, Medium, and Low.

3.6 Risk
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets
and thereby cause harm to the organization. Single or multiple threats may exploit single or
multiple vulnerabilities.
A risk scenario describes how a particular threat or group of threats may exploit a particular
vulnerability or group of vulnerabilities that exposes assets to harm. The risk is characterized by
a combination of two factors, the probability of the incident occurring and its impact. Any
change to assets, threats, vulnerabilities and safeguards may have significant effects on risks.
Early detection or knowledge of any changes increases the opportunity for appropriate actions to
be taken to treat risk. Options for risk treatment include risk avoidance, risk reduction, risk
transfer and risk acceptance.
Risk is never completely eliminated. Part of judging whether the security is appropriate to the
needs of the organization is the acceptance of the residual risk. Management should be made
aware of all residual risks in terms of impact and the probability of an incident occurring. The
decision to accept residual risks must be taken by those who are in a position to accept the impact
of incidents occurring and who can authorize the implementation of additional safeguards if the
level of residual risk is not acceptable.
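The two points made in 3.5 and 3.6, that risk is a combination of the probability of an incident and its impact, and that many low-harm incidents can add up to more harm than one rare large one, are easier to see with numbers. The following Python risk register is an added example written for this page; it is not code from ISO/IEC 13335-1 and the standard prescribes no particular scoring method. The scoring convention (expected annual loss = expected occurrences per year x harm per occurrence), the High/Medium/Low band thresholds, the safeguard effectiveness factors, the risk appetite figure and every scenario value are constructed assumptions for illustration only.

```python
"""Constructed risk-register example: probability x impact, aggregate effect of
frequent low-harm incidents, and residual risk after safeguards are applied.
The scoring convention and all figures are assumptions made for this example,
not values taken from ISO/IEC 13335-1."""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    """A safeguard scales the frequency of incidents, their impact, or both."""
    name: str
    frequency_factor: float = 1.0   # 0.1 means 90 % of occurrences are prevented
    impact_factor: float = 1.0      # 0.1 means harm per occurrence is cut by 90 %
    annual_cost: float = 0.0        # cost of operating the safeguard, per year


@dataclass
class RiskScenario:
    """One threat exploiting one vulnerability of one asset (3.6, 'risk scenario')."""
    asset: str
    threat: str
    vulnerability: str
    events_per_year: float          # probability expressed as expected frequency
    impact_per_event: float         # harm per occurrence, in money units
    safeguards: list = field(default_factory=list)

    def annual_loss(self, residual: bool = True) -> float:
        """Expected loss per year: frequency x impact, after safeguards if residual."""
        freq, impact = self.events_per_year, self.impact_per_event
        if residual:
            for s in self.safeguards:
                freq *= s.frequency_factor
                impact *= s.impact_factor
        return freq * impact


def band(annual_loss: float, low: float = 1_000, high: float = 25_000) -> str:
    """Map a quantitative loss onto the High/Medium/Low scale mentioned in 3.5."""
    if annual_loss >= high:
        return "High"
    if annual_loss >= low:
        return "Medium"
    return "Low"


def ranked(register: list) -> list:
    """Scenarios ordered by residual annual loss, highest first."""
    return sorted(register, key=lambda s: s.annual_loss(), reverse=True)


def safeguard_net_benefit(s: RiskScenario) -> float:
    """Loss avoided per year minus the safeguards' running cost (3.5: balance the
    anticipated results of an incident against the cost of the safeguards)."""
    avoided = s.annual_loss(residual=False) - s.annual_loss()
    return avoided - sum(g.annual_cost for g in s.safeguards)


def treatment_decision(s: RiskScenario, risk_appetite: float) -> str:
    """Residual risk is accepted only if it is within the level management set."""
    return "accept residual risk" if s.annual_loss() <= risk_appetite else "treat further"


# Constructed scenarios using threat examples from Table 1; all figures are invented.
REGISTER = [
    RiskScenario("customer database", "fire", "single site, no off-site copy",
                 events_per_year=0.02, impact_per_event=500_000),
    RiskScenario("desktop workstations", "malicious code", "unpatched, no anti-virus",
                 events_per_year=40, impact_per_event=800),
    RiskScenario("mail server", "eavesdropping", "unencrypted transport",
                 events_per_year=4, impact_per_event=3_000),
]

# Candidate safeguards (assumed effectiveness): anti-virus software prevents most
# occurrences; backup copies of information limit the harm of those that remain.
ANTI_VIRUS = Safeguard("anti-virus software", frequency_factor=0.1, annual_cost=3_000)
BACKUPS = Safeguard("backup copies", impact_factor=0.1, annual_cost=2_000)


def apply_safeguards(register: list) -> list:
    """Attach the candidate safeguards to the scenarios they address (idempotent)."""
    for s in register:
        if s.threat == "malicious code" and ANTI_VIRUS not in s.safeguards:
            s.safeguards.append(ANTI_VIRUS)
        if s.threat == "fire" and BACKUPS not in s.safeguards:
            s.safeguards.append(BACKUPS)
    return register


if __name__ == "__main__":
    for s in ranked(REGISTER):          # before treatment
        print(f"{s.threat:16} {s.annual_loss():>10,.0f}  {band(s.annual_loss())}")
    apply_safeguards(REGISTER)
    for s in ranked(REGISTER):          # after treatment
        print(f"{s.threat:16} residual {s.annual_loss():>8,.0f}  "
              f"{band(s.annual_loss())}  {treatment_decision(s, 5_000)}")
```

Run as a script, the first listing puts malicious code at the top even though each occurrence does far less harm than the fire, because its frequency dominates; the second listing shows that after treatment every scenario still carries a non-zero residual loss, which is what the standard means by risk never being completely eliminated, and that the decision to accept what remains is a comparison against a level management has set, not a property of the safeguard.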

3.7 Safeguards
Safeguards are practices, procedures or mechanisms that may protect against a threat, reduce a
vulnerability, limit the impact of an information security incident, detect incidents and facilitate
recovery. Effective security usually requires a combination of different safeguards to provide
layers of security to protect assets. For example, access control mechanisms applied to
computers should be supported by audit controls, personnel procedures, training and physical
security. Some safeguards may exist already as part of the environment, or as an inherent aspect
of assets, or may be already in place in the system or organization.

An appropriate selection of safeguards is essential for a properly implemented security program.
A safeguard can serve multiple purposes; conversely, one function may require several
safeguards. Safeguards may be considered to perform one or more of the following functions:

- prevention,
- deterrence,
- detection,
- limitation,
- correction,
- recovery,
- monitoring, and
- awareness.
Some examples of areas where safeguards can be used include:

• physical environment,
• technical environment (hardware, software and communications),
• personnel, and
• administration.
Certain safeguards send a strong and clear message with regard to the organization’s attitude
towards security. In this regard, it is important to select safeguards that are not offensive to the
culture and/or the society in which the organization operates.

Examples of specific safeguards are:

• policies and procedures,
• access control mechanisms,
• anti-virus software,
• encryption,
• digital signatures,
• monitoring and analysis tools,
• redundant power supplies, and
• backup copies of information.

3.8 Constraints
Constraints are normally set or recognized by the organization’s management and influenced by
the environment within which the organization operates. Some examples of constraints to be
considered are:
• organizational,
• business,
• financial,
• environmental,
• personnel,
• time,
• legal,
• technical, and
• cultural/social.

These factors should be considered when selecting and implementing safeguards. Periodically,
existing and new constraints should be reviewed and any changes identified. It should also be
noted that constraints might change with time, geography, and social evolution, as well as
organizational culture. The environment and culture in which the organization operates can have
a bearing on several security elements, especially threats, risks, and safeguards.

3.9 Security element relationships
Security of ICT systems is a multi-dimensional discipline that can be viewed from different
perspectives. Figure 1 presents a model that shows how assets are potentially subject to a
number of threats. This collection of threats changes constantly over time and is only partially
known. As well, the environment changes over time and this change may impact the nature of
threats and the probability of their occurrence.

The model represents:
• an environment containing constraints and threats that change constantly and are only
partially known,
• the assets of an organization,
• the vulnerabilities associated with those assets,
• safeguards selected to protect assets, and
• residual risks acceptable to the organization.
At least five scenarios are feasible and are illustrated in Figure 1. These scenarios include:
Scenario 1 – A safeguard (S) may be effective in reducing the risks (R) associated with a threat
(T) capable of exploiting a vulnerability (V). A threat can only become effective if the asset is
vulnerable to it.
Scenario 2 – A safeguard may be effective in reducing the risks associated with a threat
exploiting multiple vulnerabilities.
Scenario 3 – Multiple safeguards may be effective in reducing the risks associated with multiple
threats exploiting a vulnerability. Sometimes several safeguards are required to reduce risk to an
acceptable level so that the residual risk (RR) is acceptable.
Scenario 4 – The risk is considered acceptable and no safeguards are implemented even if threats
are present and a vulnerability exists.
Scenario 5 – A vulnerability exists but there are no known threats to exploit it.
Safeguards may be implemented to monitor the threat environment to ensure that no threats
develop which can exploit the vulnerability. Constraints affect the selection of safeguards.

[Figure 1, diagram not reproduced: an environment of CONSTRAINTS and threats (T) surrounding the ASSETS and their value; the assets carry vulnerabilities (V), safeguards (S) are placed against them, and the remaining exposure is shown as risk (R) and residual risk (RR).]
Legend:
R - risk
RR - residual risk
S - safeguard
T - threat
V - vulnerability
Figure 1 – Security element relationships
Any ICT system comprises assets (particularly information, but also hardware, software,
communications services, etc.) that are important to the success of an organization’s business.
These assets have value to the organization, which is normally expressed in terms of the impact
on business operations from unauthorized disclosure, modification or repudiation of information,
or unavailability or destruction of information or service. The impact is first determined
regardless of which threats might occur to cause the impact, to be sure of identifying the real
values. Then the question of what threats might occur to cause such impact, and the probability
of their occurrence, is addressed, i.e. assets could be subject to a number of threats. Then the
question of what vulnerabilities (or weaknesses) might be exploited by the threats to cause the
impact is addressed, i.e. threats could exploit vulnerabilities to expose assets. Each of these
components, i.e. values, threats and vulnerabilities, can increase risk. Measures of risk will then
indicate the overall protection requirement, which in real terms is effected or met by the
implementation of safeguards. The implemented safeguards then reduce the risk, protect against
threats and indeed can reduce vulnerabilities.

Figure 2 illustrates in a simpler model how some safeguards may be effective in reducing risks.
Often, several safeguards are required to reduce the residual risks to an acceptable level. It is
possible that no safeguards are implemented if the risk is considered acceptable.
[Figure 2, diagram not reproduced: Risk leads to Implementing Safeguards; Safeguards implemented against Risk leave a Residual Risk, which is compared with the Acceptable Level. Planning: Risk Assessment, Development of ICT security plan. Implementation: Implementing Safeguards.]
Figure 2 – Safeguard and risk relationships
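The assessment order described above (asset value first, then the threats that could cause the impact, then the vulnerabilities those threats could exploit) and the Figure 2 loop of implementing safeguards until the residual risk reaches the acceptable level, as an added Python illustration; it is not text or code from the standard. The numeric scales, the multiplicative risk rule (probability times impact), the greedy selection strategy and every asset, threat, vulnerability and safeguard name are assumptions constructed for the example.

```python
"""Toy model of the ISO/IEC 13335-1 security elements: assets, threats,
vulnerabilities, safeguards, risk and residual risk.

Added illustration, not the standard's own text or code. The 0..1 probability
scale, the currency-like impact scale and the rule risk = probability x impact
are assumptions; the sample data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float      # assumed likelihood of occurrence per year, 0..1


@dataclass(frozen=True)
class Vulnerability:
    name: str
    threats: tuple          # names of threats able to exploit it; empty = Figure 1 scenario 5


@dataclass(frozen=True)
class Safeguard:
    name: str
    reduces: tuple              # names of vulnerabilities this safeguard acts on
    probability_factor: float = 1.0   # <1.0 for prevention/deterrence safeguards
    impact_factor: float = 1.0        # <1.0 for limitation/recovery safeguards


@dataclass
class Asset:
    name: str
    impact: float           # value expressed as business impact if compromised (assumed units)
    vulnerabilities: list


def risk(asset, vulnerability, threat, safeguards):
    """Risk of one (asset, vulnerability, threat) triple: probability x impact,
    with each selected safeguard that covers the vulnerability scaling a factor."""
    p, i = threat.probability, asset.impact
    for s in safeguards:
        if vulnerability.name in s.reduces:
            p *= s.probability_factor
            i *= s.impact_factor
    return p * i


def assess(asset, threats, safeguards):
    """Total risk for an asset, summed over every (vulnerability, threat) pair.
    A vulnerability with no known threat contributes nothing (scenario 5)."""
    by_name = {t.name: t for t in threats}
    total, detail = 0.0, {}
    for v in asset.vulnerabilities:
        for tname in v.threats:
            r = risk(asset, v, by_name[tname], safeguards)
            detail[(v.name, tname)] = r
            total += r
    return total, detail


def select_safeguards(asset, threats, candidates, acceptable):
    """Figure 2 loop, greedily: add the candidate that lowers total risk most
    until the residual risk is at or below the acceptable level. If the risk is
    already acceptable nothing is implemented (scenario 4); if no candidate
    helps, stop and leave the residual risk for management to accept or escalate."""
    chosen, remaining = [], list(candidates)
    residual, _ = assess(asset, threats, chosen)
    while residual > acceptable and remaining:
        best = min(remaining, key=lambda s: assess(asset, threats, chosen + [s])[0])
        new_residual, _ = assess(asset, threats, chosen + [best])
        if new_residual >= residual:
            break
        chosen.append(best)
        remaining.remove(best)
        residual = new_residual
    return chosen, residual


# Constructed sample data (hypothetical names and values).
THREATS = (
    Threat("remote intrusion", 0.3),
    Threat("ransomware", 0.2),
    Threat("fire", 0.02),
)
CUSTOMER_DB = Asset("customer database", 100000, [
    Vulnerability("unpatched web server", ("remote intrusion",)),      # scenario 1
    Vulnerability("no off-site backup", ("fire", "ransomware")),       # scenario 3
    Vulnerability("legacy protocol enabled", ()),                      # scenario 5
])
CANDIDATES = (
    Safeguard("patch management", ("unpatched web server",), probability_factor=0.2),
    Safeguard("off-site backups", ("no off-site backup",), impact_factor=0.1),
    Safeguard("intrusion detection", ("unpatched web server",), impact_factor=0.5),
)

if __name__ == "__main__":
    total, detail = assess(CUSTOMER_DB, THREATS, [])
    print(f"initial risk for {CUSTOMER_DB.name}: {total:.0f}")
    chosen, residual = select_safeguards(CUSTOMER_DB, THREATS, CANDIDATES, acceptable=6000)
    print("implemented:", [s.name for s in chosen], f"residual risk: {residual:.0f}")
```

Running it shows the greedy loop implementing all three candidate safeguards before the residual risk (5200) drops below the assumed acceptable level of 6000, and the unexploitable legacy-protocol vulnerability never appearing in the risk detail; with the acceptable level raised above the initial risk the loop implements nothing, which is scenario 4.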
4 Objectives, strategies and policies
Corporate security objectives, strategies and policies need to be formulated as the basis for
effective ICT security in an organization. They support the business of the organization and
together they ensure consistency between all safeguards. It is particularly important, to ensure
such consistency, that objectives, strategies and policies be included as an integral part of
security training and awareness programmes.

Objectives (what is to be achieved), strategies (how to achieve these objectives), policies (the
rules to be observed in implementing the strategies), and procedures (the methods for
implementing the policies) may be defined and developed hierarchically from the corporate to the
operational levels of the organization and for each division, business unit or department. The
directing documentation should reflect organizational requirements and take into account any
organizational constraints. Consistency amongst the corresponding documents, although
influenced by different points of view, and amongst the various levels of the organization, is
important, since many threats (such as system hacking, file deletion and fire) are common
business problems.
Furthermore, general corporate objectives, strategies and policies should be reflected and refined
in detailed and specific objectives, policies and procedures in all areas of interest to the
organization, such as financial management, personnel management – and security management.
Security should then be further broken into its constituent parts (personnel, physical, information,
ICT, etc.). The hierarchy of documentation should be maintained and updated based on the
results of periodic security reviews (e.g., risk assessment, internal and/or external security audits)
and changes in business objectives.

ICT system security objectives, strategies, policies and procedures should represent what is
expected from the ICT system in terms of security. They are normally expressed using a natural
language, but there may be a requirement to express them in a more formal way using some
established language. The objectives, strategies, policies and procedures will establish the level
of security for the organization and the threshold for risk acceptance.

4.1 ICT security objectives and strategy
After establishing the organization’s ICT security objectives, an ICT security strategy should be
developed to form a basis for the development of a corporate ICT security policy. The
development of a corporate ICT security policy is essential to ensure that the results of the risk
management process are appropriate and effective. Management support across the organization
is required for the development and effective implementation of the policy. It is essential that a
corporate ICT security policy takes into account the corporate objectives and particular aspects of
the organization. It must be in alignment with the corporate security policy and the corporate
business policy. With this alignment, the corporate ICT security policy will help to achieve the
most effective use of resources, and will ensure a consistent approach to security across a range
of different system environments.
It may be necessary to develop a separate and specific security policy for each or some of the ICT
systems. These policies should be based on risk assessment and be consistent with the corporate
ICT security policy, thus taking into account the security recommendations for the systems to
which they relate.
As a first step in the process of managing ICT security, one should consider the question ‘what
broad level of risk is acceptable to the organization?’ Accurate definition of acceptable risks,
and thence the appropriate level of security, is the key to successful security management. The

necessary broad level of security is determined by the ICT security objectives an organization
needs to meet. In order to assess these security objectives, the organization’s assets and their
value should be considered. This should be determined by the importance that ICT has for
supporting the conduct of the organization’s business; the cost of ICT itself is only a small part of
its value.
Possible questions for assessing how much an organization’s business depends on ICT are:
• What are the important components of the business that cannot be carried out without ICT
support?
• What are the tasks that can only be done with the help of ICT?
• What essential decisions depend on the confidentiality, integrity, availability,
non-repudiation, accountability and authenticity of information stored or processed by ICT, or
on how up-to-date this information is?
• What confidential information stored or processed needs to be protected?
• What are the implications of an information security incident for the organization?
Answering these questions can help to assess the ICT security objectives of an organization. If,
for example, some important or very important components of the business are dependent on
accurate or up-to-date information, then one of the ICT security objectives of this organization
may be to ensure the integrity and timeliness of the information as it is stored and processed in
the ICT systems. Also, important business objectives and their relation to security should be
considered when assessing ICT security objectives.
Dependent on the ICT security objectives, a strategy for achieving these objectives should be
agreed upon. The strategy chosen should be appropriate to the value of the assets to be protected.
If, for example, the answers to one or more of the questions above indicate a strong reliance on
ICT, then it is likely that the organization has high ICT security requirements, and it is advisable
to choose a strategy that is sufficient to fulfill these requirements.
An ICT security strategy outlines in general terms how an organization will achieve its ICT
security objectives. The topics such a strategy should address will depend on the number, type
and importance of those objectives, and will normal
...
