Information technology — Security techniques — Information security management systems — Guidance

ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.

Information technology — Security techniques — Information security management systems — Guidance (French title)

Information technology — Security techniques — Information security management systems — Guidance (Slovenian title)

This document contains explanations and guidance on ISO/IEC 27001:2013.

General Information

Status
Published
Publication Date
11-Apr-2017
Current Stage
9092 - International Standard to be revised
Start Date
29-Jan-2024
Completion Date
08-Nov-2025

Relations

Standard
ISO/IEC 27003:2018
English language
51 pages
Standard
ISO/IEC 27003:2017 - Information technology — Security techniques — Information security management systems — Guidance (released 4/12/2017)
English language
45 pages
Standard – translation
ISO/IEC 27003:2018
Slovenian language
51 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01 November 2018
Replaces: SIST ISO/IEC 27003:2011
Information technology - Security techniques - Information security management systems - Guidance (Slovenian title)
Information technology -- Security techniques -- Information security management systems -- Guidance
Information technology -- Security techniques -- Information security management systems -- Guidance (French title)
This Slovenian standard is identical to: ISO/IEC 27003:2017
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

INTERNATIONAL STANDARD ISO/IEC 27003
Second edition
2017-03
Information technology — Security techniques — Information security management systems — Guidance
Information technology — Security techniques — Information security management systems — Guidance (French title)
Reference number
©
ISO/IEC 2017
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

Contents (page)
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Context of the organization 1
4.1 Understanding the organization and its context 1
4.2 Understanding the needs and expectations of interested parties 3
4.3 Determining the scope of the information security management system 4
4.4 Information security management system 6
5 Leadership 6
5.1 Leadership and commitment 6
5.2 Policy 8
5.3 Organizational roles, responsibilities and authorities 9
6 Planning 10
6.1 Actions to address risks and opportunities 10
6.1.1 General 10
6.1.2 Information security risk assessment 12
6.1.3 Information security risk treatment 15
6.2 Information security objectives and planning to achieve them 18
7 Support 21
7.1 Resources 21
7.2 Competence 22
7.3 Awareness 23
7.4 Communication 24
7.5 Documented information 25
7.5.1 General 25
7.5.2 Creating and updating 27
7.5.3 Control of documented information 28
8 Operation 29
8.1 Operational planning and control 29
8.2 Information security risk assessment 31
8.3 Information security risk treatment 31
9 Performance evaluation 32
9.1 Monitoring, measurement, analysis and evaluation 32
9.2 Internal audit 33
9.3 Management review 36
10 Improvement 37
10.1 Nonconformity and corrective action 37
10.2 Continual improvement 40
Annex A (informative) Policy framework 42
Bibliography 45

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
This document was prepared by ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security
techniques.
This second edition of ISO/IEC 27003 cancels and replaces the first edition (ISO/IEC 27003:2010), of
which it constitutes a minor revision.
The main changes compared to the previous edition are as follows:
— the scope and title have been changed to cover explanation of, and guidance on the requirements of,
ISO/IEC 27001:2013 rather than the previous edition (ISO/IEC 27001:2005);
— the structure is now aligned to the structure of ISO/IEC 27001:2013 to make it easier for the user to
use it together with ISO/IEC 27001:2013;
— the previous edition had a project approach with a sequence of activities. This edition instead
provides guidance on the requirements regardless of the order in which they are implemented.

Introduction
This document provides guidance on the requirements for an information security management system
(ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’)
and permissions (‘may’) in relation to them. It is not the intention of this document to provide general
guidance on all aspects of information security.
Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.
This document does not add any new requirements for an ISMS and its related terms and definitions.
Organizations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions.
Organizations implementing an ISMS are under no obligation to observe the guidance in this document.
An ISMS emphasizes the importance of the following phases:
— understanding the organization’s needs and the necessity for establishing information security
policy and information security objectives;
— assessing the organization’s risks related to information security;
— implementing and operating information security processes, controls and other measures to
treat risks;
— monitoring and reviewing the performance and effectiveness of the ISMS; and
— practising continual improvement.
An ISMS, similar to any other type of management system, includes the following key components:
a) policy;
b) persons with defined responsibilities;
c) management processes related to:
1) policy establishment;
2) awareness and competence provision;
3) planning;
4) implementation;
5) operation;
6) performance assessment;
7) management review; and
8) improvement; and
d) documented information.
An ISMS has additional key components such as:
e) information security risk assessment; and
f) information security risk treatment, including determination and implementation of controls.
This document is generic and intended to be applicable to all organizations, regardless of type, size or
nature. The organization should identify which part of this guidance applies to it in accordance with its
specific organizational context (see ISO/IEC 27001:2013, Clause 4).

For example, some guidance can be more suited to large organizations, but for very small organizations
(e.g. with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.
The descriptions of Clauses 4 to 10 are structured as follows:
— Required activity: presents key activities required in the corresponding subclause of ISO/IEC 27001;
— Explanation: explains what the requirements of ISO/IEC 27001 imply;
— Guidance: provides more detailed or supportive information to implement “required activity”
including examples for implementation; and
— Other information: provides further information that can be considered.
ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005 form a set of documents supporting and providing
guidance on ISO/IEC 27001:2013. Among these documents, ISO/IEC 27003 is a basic and comprehensive
document that provides guidance for all the requirements of ISO/IEC 27001, but it does not have
detailed descriptions regarding “monitoring, measurement, analysis and evaluation” and information
security risk management. ISO/IEC 27004 and ISO/IEC 27005 focus on specific contents and give more
detailed guidance on “monitoring, measurement, analysis and evaluation” and information security
risk management.
There are several explicit references to documented information in ISO/IEC 27001. Nevertheless, an
organization can retain additional documented information that it determines as necessary for the
effectiveness of its management system as part of its response to ISO/IEC 27001:2013, 7.5.1 b). In these
cases, this document uses the phrase “Documented information on this activity and its outcome is
mandatory only in the form and to the extent that the organization determines as necessary for the
effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).”

INTERNATIONAL STANDARD ISO/IEC 27003:2017(E)
Information technology — Security techniques —
Information security management systems — Guidance
1 Scope
This document provides explanation and guidance on ISO/IEC 27001:2013.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2016 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
4 Context of the organization
4.1 Understanding the organization and its context
Required activity
The organization determines external and internal issues relevant to its purpose and affecting its
ability to achieve the intended outcome(s) of the information security management system (ISMS).
Explanation
As an integral function of the ISMS, the organization continually analyses itself and the world
surrounding it. This analysis is concerned with external and internal issues that in some way affect
information security and how information security can be managed, and that are relevant to the
organization’s objectives.
Analysis of these issues has three purposes:
— understanding the context in order to decide the scope of the ISMS;
— analysing the context in order to determine risks and opportunities; and
— ensuring that the ISMS is adapted to changing external and internal issues.

External issues are those outside of the organization’s control. This is often referred to as the
organization’s environment. Analysing this environment can include the following aspects:
a) social and cultural;
b) political, legal, normative and regulatory;
c) financial and macroeconomic;
d) technological;
e) natural; and
f) competitive.
These aspects of the organization’s environment continually present issues that affect information
security and how information security can be managed. The relevant external issues depend on the
organization’s specific priorities and situation.
For example, external issues for a specific organization can include:
g) the legal implications of using an outsourced IT service (legal aspect);
h) natural characteristics of the organization’s location in terms of the possibility of disasters such as fire, flood and earthquakes (natural aspect);
i) technical advances of hacking tools and use of cryptography (technological aspect); and
j) the general demand for the organization’s services (social, cultural or financial aspects).
Internal issues are subject to the organization’s control. Analysing the internal issues can include the
following aspects:
k) the organization’s culture;
l) policies, objectives, and the strategies to achieve them;
m) governance, organizational structure, roles and responsibilities;
n) standards, guidelines and models adopted by the organization;
o) contractual relationships that can directly affect the organization’s processes included in the scope
of the ISMS;
p) processes and procedures;
q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems
and technologies);
r) physical infrastructure and environment;
s) information systems, information flows and decision making processes (both formal and
informal); and
t) previous audits and previous risk assessment results.
The results of this activity are used in 4.3, 6.1 and 9.3.
Guidance
Based on an understanding of the organization’s purpose (e.g. referring to its mission statement or
business plan) as well as the intended outcome(s) of the organization’s ISMS, the organization should:
— review the external environment to identify relevant external issues; and

— review the internal aspects to identify relevant internal issues.
In order to identify relevant issues, the following question can be asked: How does a certain category of issues (see a) to t) above) affect information security objectives? Three examples of internal issues serve as an illustration:
Example 1 on governance and organizational structure (see item m)): When establishing an ISMS,
already existing governance and organizational structures should be taken into account. As an
example, the organization can model the structure of its ISMS based on the structure of other existing
management systems, and can combine common functions, such as management review and auditing.
Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives
and strategies, can indicate what the organization intends to achieve and how the information security
objectives can be aligned with business objectives to ensure successful outcomes.
Example 3 on information systems and information flows (see item s)): When determining internal
issues, the organization should identify, at a sufficient level of detail, the information flows between its
various information systems.
As both the external and the internal issues will change over time, the issues and their influence on the
scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent that the organization determines as necessary for the effectiveness of its management system
(see ISO/IEC 27001:2013, 7.5.1 b)).
Other information
In ISO/IEC 27000, the definition of “organization” has a note which states that: “The concept of
organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority,
partnership, charity or institution, or part or combination thereof, whether incorporated or not, public
or private.” Some of these examples are whole legal entities, whilst others are not.
There are four cases:
1) the organization is a legal or administrative entity (e.g. sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution whether incorporated or not, public or
private);
2) the organization is a subset of a legal or administrative entity (e.g. part of a company, corporation,
enterprise);
3) the organization is a set of legal or administrative entities (e.g. a consortium of sole-traders, larger companies, corporations, firms); and
4) the organization is a set of subsets of legal or administrative entities (e.g. clubs, trade associations).
4.2 Understanding the needs and expectations of interested parties
Required activity
The organization determines interested parties relevant to the ISMS and their requirements relevant to
information security.
Explanation
Interested party is a defined term (see ISO/IEC 27000:2016, 2.41) that refers to persons or organizations
that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the
organization. Interested parties can be found both outside and inside the organization and can have
specific needs, expectations and requirements for the organization’s information security.

External interested parties can include:
a) regulators and legislators;
b) shareholders including owners and investors;
c) suppliers including subcontractors, consultants, and outsourcing partners;
d) industry associations;
e) competitors;
f) customers and consumers; and
g) activist groups.
Internal interested parties can include:
h) decision makers including top management;
i) process owners, system owners, and information owners;
j) support functions such as IT or Human Resources;
k) employees and users; and
l) information security professionals.
The results of this activity are used in 4.3 and 6.1.
Guidance
The following steps should be taken:
— identify external interested parties;
— identify internal interested parties; and
— identify requirements of interested parties.
As the needs, expectations and requirements of interested parties change over time, these changes and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
No other information.
4.3 Determining the scope of the information security management system
Required activity
The organization determines the boundaries and applicability of the ISMS to establish its scope.
Explanation
The scope defines where and for what exactly the ISMS is applicable and where and for what it is not.
Establishing the scope is therefore a key activity that determines the necessary foundation for all other
activities in the implementation of the ISMS. For instance, risk assessment and risk treatment, including
the determination of controls, will not produce valid results without having a precise understanding of

where exactly the ISMS is applicable. Precise knowledge of the boundaries and applicability of the ISMS
and the interfaces and dependencies between the organization and other organizations is critical as
well. Any later modifications of the scope can result in considerable additional effort and costs.
The following factors can affect the determination of the scope:
a) the external and internal issues described in 4.1;
b) the interested parties and their requirements that are determined according to ISO/IEC 27001:2013, 4.2;
c) the readiness of the business activities to be included as part of ISMS coverage;
d) all support functions, i.e. functions that are necessary to support these business activities (e.g.
human resources management; IT services and software applications; facility management of
buildings, physical zones, essential services and utilities); and
e) all functions that are outsourced either to other parts within the organization or to independent
suppliers.
The scope of an ISMS can be very different from one implementation to another. For instance, the scope
can include:
— one or more specific processes;
— one or more specific functions;
— one or more specific services;
— one or more specific sections or locations;
— an entire legal entity; and
— an entire administrative entity and one or more of its suppliers.
Guidance
To establish the scope of an ISMS, a multi-step approach can be followed:
f) determine the preliminary scope: this activity should be conducted by a small, but representative
group of management representatives;
g) determine the refined scope: the functional units within and outside the preliminary scope should
be reviewed, possibly followed by inclusion or exclusion of some of these functional units to reduce
the number of interfaces along the boundaries. When refining the preliminary scope, all support
functions should be considered that are necessary to support the business activities included in
the scope;
h) determine the final scope: the refined scope should be evaluated by all management within the
refined scope. If necessary, it should be adjusted and then precisely described; and
i) approval of the scope: the documented information describing the scope should be formally
approved by top management.
The organization should also consider activities with impact on the ISMS or activities that are
outsourced, either to other parts within the organization or to independent suppliers. For such
activities, interfaces (physical, technical and organizational) and their influence on the scope should be
identified.
Documented information describing the scope should include:
j) the organizational scope, boundaries and interfaces;

k) the information and communication technology scope, boundaries and interfaces; and
l) the physical scope, boundaries and interfaces.
Other information
No other information.
4.4 Information security management system
Required activity
The organization establishes, implements, maintains and continually improves the ISMS.
Explanation
ISO/IEC 27001:2013, 4.4 states the central requirement for establishing, implementing, maintaining
and continually improving an ISMS. While the other parts of ISO/IEC 27001 describe the required
elements of an ISMS, 4.4 mandates the organization to ensure that all required elements are met in
order to establish, implement, maintain and continually improve the ISMS.
Guidance
No specific guidance.
Other information
No other information.
5 Leadership
5.1 Leadership and commitment
Required activity
Top management demonstrates leadership and commitment with respect to the ISMS.
Explanation
Leadership and commitment are essential for an effective ISMS.
Top management is defined (see ISO/IEC 27000) as a person or group of people who directs and controls
the organization of the ISMS at the highest level, i.e. top management has the overall responsibility
for the ISMS. This means that top management directs the ISMS in a similar way to other areas in the
organization, for example the way budgets are allocated and monitored. Top management can delegate
authority in the organization and provide resources for actually performing activities related to
information security and the ISMS, but it still retains overall responsibility.
As an example, the organization implementing and operating the ISMS can be a business unit within
a larger organization. In this case, top management is the person or group of people that directs and
controls that business unit.
Top management also participates in management review (see 9.3) and promotes continual
improvement (see 10.2).
Guidance
Top management should provide leadership and show commitment through the following:
a) top management should ensure that the information security policy and the information security
objectives are established and are compatible with the strategic direction of the organization;

b) top management should ensure that ISMS requirements and controls are integrated into the
organization’s processes. How this is achieved should be tailored to the specific context of the
organization. For example, an organization that has designated process owners can delegate the
responsibility to implement applicable requirements to these persons or group of people. Top
management support can also be needed to overcome organizational resistance to changes in
processes and controls;
c) top management should ensure the availability of resources for an effective ISMS. The resources
are needed for the establishment of the ISMS, its implementation, maintenance and improvement,
as well as for implementing information security controls. Resources needed for the ISMS include:
1) financial resources;
2) personnel;
3) facilities; and
4) technical infrastructure.
The needed resources depend on the organization’s context, such as the size, the complexity, and
internal and external requirements. The management review should provide information that
indicates whether the resources are adequate for the organization;
d) top management should communicate the need for information security management in the
organization and the need to conform to ISMS requirements. This can be done by giving practical
examples that illustrate what the actual need is in the context of the organization and by
communicating information security requirements;
e) top management should ensure that the ISMS achieves its intended outcome(s) by supporting the
implementation of all information security management processes, and in particular through
requesting and reviewing reports on the status and effectiveness of the ISMS (see 5.3 b)). Such reports
can be derived from measurements (see 6.2 b) and 9.1 a)), management reviews and audit reports.
Top management can also set performance objectives for key personnel involved with the ISMS;
f) top management should direct and support persons in the organization directly involved with
information security and the ISMS. Failing to do this can have a negative impact on the effectiveness
of the ISMS. Feedback from top management can include how planned activities are aligned to the
strategic needs for the organization and also for prioritizing different activities in the ISMS;
g) top management should assess resource needs during management reviews and set objectives for
continual improvement and for monitoring effectiveness of planned activities; and
h) top management should support persons to whom roles and responsibilities relating to information
security management have been assigned, so that they are motivated and able to direct and support
information security activities within their area.
In cases where the organization implementing and operating an ISMS is part of a larger organization,
leadership and commitment can be improved by engagement with the person or group of people that
controls and directs the larger organization. If they understand what is involved in implementing an
ISMS, they can provide support for top management within the ISMS scope and help them provide
leadership and demonstrate commitment to the ISMS. For example, if interested parties outside the
scope of the ISMS are engaged in decision making concerning information security objectives and risk
criteria and are kept aware of information security outcomes produced by the ISMS, their decisions
regarding resource allocations can be aligned to the requirements of the ISMS.
Other information
No other information.

5.2 Policy
Required activity
Top management establishes an information security policy.
Explanation
The information security policy describes the strategic importance of the ISMS for the organization
and is available as documented information. The policy directs information security activities in the
organization.
The policy states what the needs for information security are in the actual context of the organization.
Guidance
The information security policy should contain brief, high level statements of intent and direction
concerning information security. It can be specific to the scope of an ISMS, or can have wider coverage.
All other policies, procedures, activities and objectives related to information security should be
aligned to the information security policy.
The information security policy should reflect the organization’s business situation, culture, issues and
concerns relating to information security. The extent of the information security policy should be in
accordance with the purpose and culture of the organization and should seek a balance between ease
of reading and completeness. It is important that users of the policy can identify themselves with the
strategic direction of the policy.
The information security policy can either include information security objectives for the organization
or describe the framework for how information security objectives are set (i.e. who sets them for
the ISMS and how they should be deployed within the scope of the ISMS). For example, in very large
organizations, high level objectives should be set by the top management of the entire organization,
then, according to a framework established in the information security policy, the objectives should be
detailed in a way to give a sense of direction to all interested parties.
The information security policy should contain a clear statement from the top management on its
commitment to satisfy information security related requirements.
The information security policy should contain a clear statement that top management supports
continual improvement in all activities. It is important to state this principle in the policy, so that
persons within the scope of the ISMS are aware of it.
The information security policy should be communicated to all persons within the scope of the ISMS.
Therefore, its format and language should be appropriate so that it is easily understandable by all
recipients.
Top management should decide to which interested parties the policy should be communicated. The
information security policy can be written in such a way that it is possible to communicate it to relevant
external interested parties outside of the organization. Examples of such external interested parties
are customers, suppliers, contractors, subcontractors and regulators. If the information security policy
is made available to external interested parties, it should not include confidential information.
The information security policy may either be a separate standalone policy or included in a
comprehensive policy, which covers multiple management system topics within the organization (e.g.
quality, environment and information security).
The information security policy should be available as documented information. The requirements in
ISO/IEC 27001 do not imply any specific form for this documented information, and therefore it is up to
the organization to decide what form is most appropriate. If the organization has a standard template
for policies, the form of the information security policy should use this template.
Other information
Further information on policies related to information security can be found in ISO/IEC 27002.
Further information about the relationship between the information security policy and other policies
in a policy framework can be found in Annex A.
5.3 Organizational roles, responsibilities and authorities
Required activity
Top management ensures that responsibilities and authorities for roles relevant to information security
are assigned and communicated throughout the organization.
Explanation
Top management ensures that roles and responsibilities as well as the necessary authorities relevant to
information security are assigned and communicated.
The purpose of this requirement is to assign responsibilities and authorities to ensure conformance of
the ISMS with the requirements of ISO/IEC 27001, and to ensure reporting on the performance of the
ISMS to the top management.
Guidance
Top management should regularly ensure that the responsibilities and authorities for the ISMS are
assigned so that the management system fulfils the requirements stated in ISO/IEC 27001. Top
management does not need to assign all roles, responsibilities and authorities, but it should adequately
delegate authority to do this. Top management should approve major roles, responsibilities and
authorities of the ISMS.
Responsibilities and authorities related to information security activities should be assigned. Activities
include:
a) coordinating the establishment, implementation, maintenance, performance reporting, and
improvement of the ISMS;
b) advising on information security risk assessment and treatment;
c) designing information security processes and systems;
d) setting standards concerning determination, configuration and operation of information security
controls;
e) managing information security incidents; and
f) reviewing and auditing the ISMS.
Beyond the roles specifically related to information security, relevant information security
responsibilities and authorities should be included within other roles. For example, information
security responsibilities can be incorporated in the roles of:
g) information owners;
h) process owners;
i) asset owners (e.g. application or infrastructure owners);
j) risk owners;
k) information security coordinating functions or persons (this particular role is normally a
supporting role in the ISMS);
l) project managers;
m) line managers; and
n) information users.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
No other information.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
Overview
ISO/IEC 27001:2013, 6.1 is concerned with the planning of actions to address all types of risks and
opportunities that are relevant to the ISMS. This includes risk assessment and planning for risk
treatment.
The structure of ISO/IEC 27001 subdivides risks into two categories during planning:
a) risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole; and
b) information security risks that relate to the loss of confidentiality, integrity and availability of
information within the scope of the ISMS.
The first category should be handled in accordance with requirements specified in ISO/IEC 27001:2013,
6.1.1 (general). Risks that fall into this category can be risks relating to the ISMS itself, the ISMS scope
definition, top management’s commitment to information security, resources for operating the ISMS,
etc. Opportunities that fall into this category can be opportunities relating to the outcome(s) of the
ISMS, the commercial value of an ISMS, the efficiency of operating ISMS processes and information
security controls, etc.
The second category consists of all risks that directly relate to the loss of confidentiality, integrity and
availability of information within the scope of the ISMS. These risks should be handled in accordance
with 6.1.2 (information security risk assessment) and 6.1.3 (information security risk treatment).
Organizations may choose to use different techniques for each category.
The subdivision of requirements for addressing risks can be explained as follows:
— it encourages compatibility with other management systems standards for those organizations
that have integrated management systems for different aspects like quality, environment and
information security;
— it requires that the organization defines and applies complete and detailed processes for in
...


SLOVENSKI STANDARD
01-november-2018
Nadomešča:
SIST ISO/IEC 27003:2011
Informacijska tehnologija - Varnostne tehnike - Sistemi vodenja informacijske
varnosti - Smernice
Information technology -- Security techniques -- Information security management
systems -- Guidance
Technologies de l'information -- Techniques de sécurité --Systèmes de management de
la sécurité de l'information -- Lignes directrices
Ta slovenski standard je istoveten z: ISO/IEC 27003:2017
ICS:
03.100.70 Sistemi vodenja Management systems
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

INTERNATIONAL ISO/IEC
STANDARD 27003
Second edition
2017-03
Information technology — Security
techniques — Information security
management systems — Guidance
Technologies de l’information — Techniques de sécurité --Systèmes de
management de la sécurité de l’information — Lignes directrices
Reference number
©
ISO/IEC 2017
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 1
4.1 Understanding the organization and its context . 1
4.2 Understanding the needs and expectations of interested parties . 3
4.3 Determining the scope of the information security management system . 4
4.4 Information security management system . 6
5 Leadership . 6
5.1 Leadership and commitment . 6
5.2 P olicy . 8
5.3 Organizational roles, responsibilities and authorities. 9
6 Planning .10
6.1 Actions to address risks and opportunities .10
6.1.1 General.10
6.1.2 Information security risk assessment .12
6.1.3 Information security risk treatment .15
6.2 Information security objectives and planning to achieve them .18
7 Support .21
7.1 Resources .21
7.2 Competence .22
7.3 Awareness .23
7.4 Communication .24
7.5 Documented information .25
7.5.1 General.25
7.5.2 Creating and updating .27
7.5.3 Control of documented information .28
8 Operation .29
8.1 Operational planning and control .29
8.2 Information security risk assessment.31
8.3 Information security risk treatment .31
9 Performance evaluation .32
9.1 Monit oring, measurement, analysis and evaluation .32
9.2 Internal audit .33
9.3 Management review .36
10 Improvement .37
10.1 Nonconformity and corrective action .37
10.2 Continual improvement .40
Annex A (informative) Policy framework .42
Bibliography .45
© ISO/IEC 2017 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: w w w . i s o .org/ iso/ foreword .html.
This document was prepared by ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security
techniques.
This second edition of ISO/IEC 27003 cancels and replaces the first edition (ISO/IEC 27003:2010), of
which it constitutes a minor revision.
The main changes compared to the previous edition are as follows:
— the scope and title have been changed to cover explanation of, and guidance on the requirements of,
ISO/IEC 27001:2013 rather than the previous edition (ISO/IEC 27001:2005);
— the structure is now aligned to the structure of ISO/IEC 27001:2013 to make it easier for the user to
use it together with ISO/IEC 27001:2013;
— the previous edition had a project approach with a sequence of activities. This edition instead
provides guidance on the requirements regardless of the order in which they are implemented.
iv © ISO/IEC 2017 – All rights reserved

Introduction
This document provides guidance on the requirements for an information security management system
(ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’)
and permissions (‘may’) in relation to them. It is not the intention of this document to provide general
guidance on all aspects of information security.
Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.
This document does not add any new requirements for an ISMS and its related terms and definitions.
Organizations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions.
Organizations implementing an ISMS are under no obligation to observe the guidance in this document.
An ISMS emphasizes the importance of the following phases:
— understanding the organization’s needs and the necessity for establishing information security
policy and information security objectives;
— assessing the organization’s risks related to information security;
— implementing and operating information security processes, controls and other measures to
treat risks;
— monitoring and reviewing the performance and effectiveness of the ISMS; and
— practising continual improvement.
An ISMS, similar to any other type of management system, includes the following key components:
a) policy;
b) persons with defined responsibilities;
c) management processes related to:
1) policy establishment;
2) awareness and competence provision;
3) planning;
4) implementation;
5) operation;
6) performance assessment;
7) management review; and
8) improvement; and
d) documented information.
An ISMS has additional key components such as:
e) information security risk assessment; and
f) information security risk treatment, including determination and implementation of controls.
This document is generic and intended to be applicable to all organizations, regardless of type, size or
nature. The organization should identify which part of this guidance applies to it in accordance with its
specific organizational context (see ISO/IEC 27001:2013, Clause 4).
© ISO/IEC 2017 – All rights reserved v

For example, some guidance can be more suited to large organizations, but for very small organizations
(e.g. with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.
The descriptions of Clauses 4 to10 are structured as follows:
— Required activity: presents key activities required in the corresponding subclause of ISO/IEC 27001;
— Explanation: explains what the requirements of ISO/IEC 27001 imply;
— Guidance: provides more detailed or supportive information to implement “required activity”
including examples for implementation; and
— Other information: provides further information that can be considered.
ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005 form a set of documents supporting and providing
guidance on ISO/IEC 27001:2013. Among these documents, ISO/IEC 27003 is a basic and comprehensive
document that provides guidance for all the requirements of ISO/IEC 27001, but it does not have
detailed descriptions regarding “monitoring, measurement, analysis and evaluation” and information
security risk management. ISO/IEC 27004 and ISO/IEC 27005 focus on specific contents and give more
detailed guidance on “monitoring, measurement, analysis and evaluation” and information security
risk management.
There are several explicit references to documented information in ISO/IEC 27001. Nevertheless, an
organization can retain additional documented information that it determines as necessary for the
effectiveness of its management system as part of its response to ISO/IEC 27001:2013, 7.5.1 b). In these
cases, this document uses the phrase “Documented information on this activity and its outcome is
mandatory only in the form and to the extent that the organization determines as necessary for the
effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).”
vi © ISO/IEC 2017 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 27003:2017(E)
Information technology — Security techniques —
Information security management systems — Guidance
1 Scope
This document provides explanation and guidance on ISO/IEC 27001:2013.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2016 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
4 Context of the organization
4.1 Understanding the organization and its context
Required activity
The organization determines external and internal issues relevant to its purpose and affecting its
ability to achieve the intended outcome(s) of the information security management system (ISMS).
Explanation
As an integral function of the ISMS, the organization continually analyses itself and the world
surrounding it. This analysis is concerned with external and internal issues that in some way affect
information security and how information security can be managed, and that are relevant to the
organization’s objectives.
Analysis of these issues has three purposes:
— understanding the context in order to decide the scope of the ISMS;
— analysing the context in order to determine risks and opportunities; and
— ensuring that the ISMS is adapted to changing external and internal issues.
© ISO/IEC 2017 – All rights reserved 1

External issues are those outside of the organization’s control. This is often referred to as the
organization’s environment. Analysing this environment can include the following aspects:
a) social and cultural;
b) political, legal, normative and regulatory;
c) financial and macroeconomic;
d) technological;
e) natural; and
f) competitive.
These aspects of the organization’s environment continually present issues that affect information
security and how information security can be managed. The relevant external issues depend on the
organization’s specific priorities and situation.
For example, external issues for a specific organization can include:
g) the legal implications of using an outsourced IT service (legal aspect);
h) characteristics of the nature in terms of possibility of disasters such as fire, flood and earthquakes
(natural aspect);
i) technical advances of hacking tools and use of cryptography (technological aspect); and
j) the general demand for the organization’s services (social, cultural or financial aspects).
Internal issues are subject to the organization’s control. Analysing the internal issues can include the
following aspects:
k) the organization’s culture;
l) policies, objectives, and the strategies to achieve them;
m) governance, organizational structure, roles and responsibilities;
n) standards, guidelines and models adopted by the organization;
o) contractual relationships that can directly affect the organization’s processes included in the scope
of the ISMS;
p) processes and procedures;
q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems
and technologies);
r) physical infrastructure and environment;
s) information systems, information flows and decision making processes (both formal and
informal); and
t) previous audits and previous risk assessment results.
The results of this activity are used in 4.3, 6.1 and 9.3.
Guidance
Based on an understanding of the organization’s purpose (e.g. referring to its mission statement or
business plan) as well as the intended outcome(s) of the organization’s ISMS, the organization should:
— review the external environment to identify relevant external issues; and
2 © ISO/IEC 2017 – All rights reserved

— review the internal aspects to identify relevant internal issues.
In order to identify relevant issues, the following question can be asked: How does a certain category
of issues (see a) to t) above) affect information security objectives? Three examples of internal issues
serve as an illustration by:
Example 1 on governance and organizational structure (see item m)): When establishing an ISMS,
already existing governance and organizational structures should be taken into account. As an
example, the organization can model the structure of its ISMS based on the structure of other existing
management systems, and can combine common functions, such as management review and auditing.
Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives
and strategies, can indicate what the organization intends to achieve and how the information security
objectives can be aligned with business objectives to ensure successful outcomes.
Example 3 on information systems and information flows (see item s)): When determining internal
issues, the organization should identify, at a sufficient level of detail, the information flows between its
various information systems.
As both the external and the internal issues will change over time, the issues and their influence on the
scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent that the organization determines as necessary for the effectiveness of its management system
(see ISO/IEC 27001:2013, 7.5.1 b)).
Other information
In ISO/IEC 27000, the definition of “organization” has a note which states that: “The concept of
organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority,
partnership, charity or institution, or part or combination thereof, whether incorporated or not, public
or private.” Some of these examples are whole legal entities, whilst others are not.
There are four cases:
1) the organization is a legal or administrative entity (e.g. sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution whether incorporated or not, public or
private);
2) the organization is a subset of a legal or administrative entity (e.g. part of a company, corporation,
enterprise);
3) the organization is a set of a legal or administrative entities (e.g. a consortium of sole-traders, larger
companies, corporations, firms); and
4) the organization is a set of subsets of legal or administrative entities (e.g. clubs, trade associations).
4.2 Understanding the needs and expectations of interested parties
Required activity
The organization determines interested parties relevant to the ISMS and their requirements relevant to
information security.
Explanation
Interested party is a defined term (see ISO/IEC 27000:2016, 2.41) that refers to persons or organizations
that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the
organization. Interested parties can be found both outside and inside the organization and can have
specific needs, expectations and requirements for the organization’s information security.
© ISO/IEC 2017 – All rights reserved 3

External interested parties can include:
a) regulators and legislators;
b) shareholders including owners and investors;
c) suppliers including subcontractors, consultants, and outsourcing partners;
d) industry associations;
e) competitors;
f) customers and consumers; and
g) activist groups.
Internal interested parties can include:
h) decision makers including top management;
i) process owners, system owners, and information owners;
j) support functions such as IT or Human Resources;
k) employees and users; and
l) information security professionals.
The results of this activity are used in 4.3 and 6.1.
Guidance
The following steps should be taken:
— identify external interested parties;
— identify internal interested parties; and
— identify requirements of interested parties.
As the needs, expectations and requirement of interested parties change over time, these changes and
their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
No other information.
4.3 Determining the scope of the information security management system
Required activity
The organization determines the boundaries and applicability of the ISMS to establish its scope.
Explanation
The scope defines where and for what exactly the ISMS is applicable and where and for what it is not.
Establishing the scope is therefore a key activity that determines the necessary foundation for all other
activities in the implementation of the ISMS. For instance, risk assessment and risk treatment, including
the determination of controls, will not produce valid results without having a precise understanding of
4 © ISO/IEC 2017 – All rights reserved

where exactly the ISMS is applicable. Precise knowledge of the boundaries and applicability of the ISMS
and the interfaces and dependencies between the organization and other organizations is critical as
well. Any later modifications of the scope can result in considerable additional effort and costs.
The following factors can affect the determination of the scope:
a) the external and internal issues described in 4.1;
b) the interested parties and their requirements that are determined according to
ISO/IEC 27001:2013¸4.2;
c) the readiness of the business activities to be included as part of ISMS coverage;
d) all support functions, i.e. functions that are necessary to support these business activities (e.g.
human resources management; IT services and software applications; facility management of
buildings, physical zones, essential services and utilities); and
e) all functions that are outsourced either to other parts within the organization or to independent
suppliers.
The scope of an ISMS can be very different from one implementation to another. For instance, the scope
can include:
— one or more specific processes;
— one or more specific functions;
— one or more specific services;
— one or more specific sections or locations;
— an entire legal entity; and
— an entire administrative entity and one or more of its suppliers.
Guidance
To establish the scope of an ISMS, a multi-step approach can be followed:
f) determine the preliminary scope: this activity should be conducted by a small, but representative
group of management representatives;
g) determine the refined scope: the functional units within and outside the preliminary scope should
be reviewed, possibly followed by inclusion or exclusion of some of these functional units to reduce
the number of interfaces along the boundaries. When refining the preliminary scope, all support
functions should be considered that are necessary to support the business activities included in
the scope;
h) determine the final scope: the refined scope should be evaluated by all management within the
refined scope. If necessary, it should be adjusted and then precisely described; and
i) approval of the scope: the documented information describing the scope should be formally
approved by top management.
The organization should also consider activities with impact on the ISMS or activities that are
outsourced, either to other parts within the organization or to independent suppliers. For such
activities, interfaces (physical, technical and organizational) and their influence on the scope should be
identified.
Documented information describing the scope should include:
j) the organizational scope, boundaries and interfaces;
© ISO/IEC 2017 – All rights reserved 5

k) the information and communication technology scope, boundaries and interfaces; and
l) the physical scope, boundaries and interfaces.
Other information
No other information.
4.4 Information security management system
Required activity
The organization establishes, implements, maintains and continually improves the ISMS.
Explanation
ISO/IEC 27001:2013, 4.4 states the central requirement for establishing, implementing, maintaining
and continually improving an ISMS. While the other parts of ISO/IEC 27001 describe the required
elements of an ISMS, 4.4 mandates the organization to ensure that all required elements are met in
order to establish, implement, maintain and continually improve the ISMS.
Guidance
No specific guidance.
Other information
No other information.
5 Leadership
5.1 Leadership and c ommitment
Required activity
Top management demonstrates leadership and commitment with respect to the ISMS.
Explanation
Leadership and commitment are essential for an effective ISMS.
Top management is defined (see ISO/IEC 27000) as a person or group of people who directs and controls
the organization of the ISMS at the highest level, i.e. top management has the overall responsibility
for the ISMS. This means that top management directs the ISMS in a similar way to other areas in the
organization, for example the way budgets are allocated and monitored. Top management can delegate
authority in the organization and provide resources for actually performing activities related to
information security and the ISMS, but it still retains overall responsibility.
As an example, the organization implementing and operating the ISMS can be a business unit within
a larger organization. In this case, top management is the person or group of people that directs and
controls that business unit.
Top management also participates in management review (see 9.3) and promotes continual
improvement (see 10.2).
Guidance
Top management should provide leadership and show commitment through the following:
a) top management should ensure that the information security policy and the information security
objectives are established and are compatible with the strategic direction of the organization;
6 © ISO/IEC 2017 – All rights reserved

b) top management should ensure that ISMS requirements and controls are integrated into the
organization’s processes. How this is achieved should be tailored to the specific context of the
organization. For example, an organization that has designated process owners can delegate the
responsibility to implement applicable requirements to these persons or group of people. Top
management support can also be needed to overcome organizational resistance to changes in
processes and controls;
c) top management should ensure the availability of resources for an effective ISMS. The resources
are needed for the establishment of the ISMS, its implementation, maintenance and improvement,
as well as for implementing information security controls. Resources needed for the ISMS include:
1) financial resources;
2) personnel;
3) facilities; and
4) technical infrastructure.
The needed resources depend on the organization’s context, such as the size, the complexity, and
internal and external requirements. The management review should provide information that
indicates whether the resources are adequate for the organization;
d) top management should communicate the need for information security management in the
organization and the need to conform to ISMS requirements. This can be done by giving practical
examples that illustrate what the actual need is in the context of the organization and by
communicating information security requirements;
e) top management should ensure that the ISMS achieves its intended outcome(s) by supporting the
implementation of all information security management processes, and in particular through
requesting and reviewing reports on the status and effectiveness of the ISMS (see 5.3 b)). Such reports
can be derived from measurements (see 6.2 b) and 9.1 a)), management reviews and audit reports.
Top management can also set performance objectives for key personnel involved with the ISMS;
f) top management should direct and support persons in the organization directly involved with
information security and the ISMS. Failing to do this can have a negative impact on the effectiveness
of the ISMS. Feedback from top management can cover how planned activities align with the
organization's strategic needs and how the different activities in the ISMS should be prioritized;
g) top management should assess resource needs during management reviews and set objectives for
continual improvement and for monitoring effectiveness of planned activities; and
h) top management should support persons to whom roles and responsibilities relating to information
security management have been assigned, so that they are motivated and able to direct and support
information security activities within their area.
In cases where the organization implementing and operating an ISMS is part of a larger organization,
leadership and commitment can be improved by engagement with the person or group of people that
controls and directs the larger organization. If they understand what is involved in implementing an
ISMS, they can provide support for top management within the ISMS scope and help them provide
leadership and demonstrate commitment to the ISMS. For example, if interested parties outside the
scope of the ISMS are engaged in decision making concerning information security objectives and risk
criteria and are kept aware of information security outcomes produced by the ISMS, their decisions
regarding resource allocations can be aligned to the requirements of the ISMS.
Other information
No other information.
© ISO/IEC 2017 – All rights reserved 7
5.2 Policy
Required activity
Top management establishes an information security policy.
Explanation
The information security policy describes the strategic importance of the ISMS for the organization
and is available as documented information. The policy directs information security activities in the
organization.
The policy states what the needs for information security are in the actual context of the organization.
Guidance
The information security policy should contain brief, high level statements of intent and direction
concerning information security. It can be specific to the scope of an ISMS, or can have wider coverage.
All other policies, procedures, activities and objectives related to information security should be
aligned to the information security policy.
The information security policy should reflect the organization’s business situation, culture, issues and
concerns relating to information security. The extent of the information security policy should be in
accordance with the purpose and culture of the organization and should seek a balance between ease
of reading and completeness. It is important that users of the policy can identify with the strategic
direction the policy sets.
The information security policy can either include information security objectives for the organization
or describe the framework for how information security objectives are set (i.e. who sets them for
the ISMS and how they should be deployed within the scope of the ISMS). For example, in very large
organizations, high level objectives should be set by the top management of the entire organization,
then, according to a framework established in the information security policy, the objectives should be
detailed in a way to give a sense of direction to all interested parties.
The information security policy should contain a clear statement from the top management on its
commitment to satisfy information security related requirements.
The information security policy should contain a clear statement that top management supports
continual improvement in all activities. It is important to state this principle in the policy, so that
persons within the scope of the ISMS are aware of it.
The information security policy should be communicated to all persons within the scope of the ISMS.
Therefore, its format and language should be appropriate so that it is easily understandable by all
recipients.
Top management should decide to which interested parties the policy should be communicated. The
information security policy can be written in such a way that it is possible to communicate it to relevant
external interested parties outside of the organization. Examples of such external interested parties
are customers, suppliers, contractors, subcontractors and regulators. If the information security policy
is made available to external interested parties, it should not include confidential information.
The information security policy may either be a separate standalone policy or included in a
comprehensive policy, which covers multiple management system topics within the organization (e.g.
quality, environment and information security).
The information security policy should be available as documented information. The requirements in
ISO/IEC 27001 do not imply any specific form for this documented information, and therefore it is up to
the organization to decide what form is most appropriate. If the organization has a standard template
for policies, the information security policy should use this template.
Other information
Further information on policies related to information security can be found in ISO/IEC 27002.
Further information about the relationship between the information security policy and other policies
in a policy framework can be found in Annex A.
5.3 Organizational roles, responsibilities and authorities
Required activity
Top management ensures that responsibilities and authorities for roles relevant to information security
are assigned and communicated throughout the organization.
Explanation
Top management ensures that roles and responsibilities as well as the necessary authorities relevant to
information security are assigned and communicated.
The purpose of this requirement is to assign responsibilities and authorities to ensure conformance of
the ISMS with the requirements of ISO/IEC 27001, and to ensure reporting on the performance of the
ISMS to the top management.
Guidance
Top management should regularly ensure that the responsibilities and authorities for the ISMS are
assigned so that the management system fulfils the requirements stated in ISO/IEC 27001. Top
management does not need to assign all roles, responsibilities and authorities, but it should adequately
delegate authority to do this. Top management should approve major roles, responsibilities and
authorities of the ISMS.
Responsibilities and authorities related to information security activities should be assigned. Activities
include:
a) coordinating the establishment, implementation, maintenance, performance reporting, and
improvement of the ISMS;
b) advising on information security risk assessment and treatment;
c) designing information security processes and systems;
d) setting standards concerning determination, configuration and operation of information security
controls;
e) managing information security incidents; and
f) reviewing and auditing the ISMS.
Beyond the roles specifically related to information security, relevant information security
responsibilities and authorities should be included within other roles. For example, information
security responsibilities can be incorporated in the roles of:
g) information owners;
h) process owners;
i) asset owners (e.g. application or infrastructure owners);
j) risk owners;
k) information security coordinating functions or persons (this particular role is normally a
supporting role in the ISMS);
l) project managers;
m) line managers; and
n) information users.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
No other information.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
Overview
ISO/IEC 27001:2013, 6.1 is concerned with the planning of actions to address all types of risks and
opportunities that are relevant to the ISMS. This includes risk assessment and planning for risk
treatment.
The structure of ISO/IEC 27001 subdivides risks into two categories during planning:
a) risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole; and
b) information security risks that relate to the loss of confidentiality, integrity and availability of
information within the scope of the ISMS.
The first category should be handled in accordance with requirements specified in ISO/IEC 27001:2013,
6.1.1 (general). Risks that fall into this category can be risks relating to the ISMS itself, the ISMS scope
definition, top management’s commitment to information security, resources for operating the ISMS,
etc. Opportunities that fall into this category can be opportunities relating to the outcome(s) of the
ISMS, the commercial value of an ISMS, the efficiency of operating ISMS processes and information
security controls, etc.
The second category consists of all risks that directly relate to the loss of confidentiality, integrity and
availability of information within the scope of the ISMS. These risks should be handled in accordance
with 6.1.2 (information security risk assessment) and 6.1.3 (information security risk treatment).
Organizations may choose to use different techniques for each category.
The subdivision of requirements for addressing risks can be explained as follows:
— it encourages compatibility with other management systems standards for those organizations
that have integrated management systems for different aspects like quality, environment and
information security;
— it requires that the organization defines and applies complete and detailed processes for information
security risk assessment a
...
INTERNATIONAL STANDARD ISO/IEC 27003
Second edition
2017-03
Information technology — Security
techniques — Information security
management systems — Guidance
Technologies de l’information — Techniques de sécurité — Systèmes de
management de la sécurité de l’information — Lignes directrices
Reference number
© ISO/IEC 2017
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents    Page
Foreword    iv
Introduction    v
1 Scope    1
2 Normative references    1
3 Terms and definitions    1
4 Context of the organization    1
4.1 Understanding the organization and its context    1
4.2 Understanding the needs and expectations of interested parties    3
4.3 Determining the scope of the information security management system    4
4.4 Information security management system    6
5 Leadership    6
5.1 Leadership and commitment    6
5.2 Policy    8
5.3 Organizational roles, responsibilities and authorities    9
6 Planning    10
6.1 Actions to address risks and opportunities    10
6.1.1 General    10
6.1.2 Information security risk assessment    12
6.1.3 Information security risk treatment    15
6.2 Information security objectives and planning to achieve them    18
7 Support    21
7.1 Resources    21
7.2 Competence    22
7.3 Awareness    23
7.4 Communication    24
7.5 Documented information    25
7.5.1 General    25
7.5.2 Creating and updating    27
7.5.3 Control of documented information    28
8 Operation    29
8.1 Operational planning and control    29
8.2 Information security risk assessment    31
8.3 Information security risk treatment    31
9 Performance evaluation    32
9.1 Monitoring, measurement, analysis and evaluation    32
9.2 Internal audit    33
9.3 Management review    36
10 Improvement    37
10.1 Nonconformity and corrective action    37
10.2 Continual improvement    40
Annex A (informative) Policy framework    42
Bibliography    45
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security
techniques.
This second edition of ISO/IEC 27003 cancels and replaces the first edition (ISO/IEC 27003:2010), of
which it constitutes a minor revision.
The main changes compared to the previous edition are as follows:
— the scope and title have been changed to cover explanation of, and guidance on the requirements of,
ISO/IEC 27001:2013 rather than the previous edition (ISO/IEC 27001:2005);
— the structure is now aligned to the structure of ISO/IEC 27001:2013 to make it easier for the user to
use it together with ISO/IEC 27001:2013;
— the previous edition had a project approach with a sequence of activities. This edition instead
provides guidance on the requirements regardless of the order in which they are implemented.
Introduction
This document provides guidance on the requirements for an information security management system
(ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’)
and permissions (‘may’) in relation to them. It is not the intention of this document to provide general
guidance on all aspects of information security.
Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.
This document does not add any new requirements for an ISMS and its related terms and definitions.
Organizations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions.
Organizations implementing an ISMS are under no obligation to observe the guidance in this document.
An ISMS emphasizes the importance of the following phases:
— understanding the organization’s needs and the necessity for establishing information security
policy and information security objectives;
— assessing the organization’s risks related to information security;
— implementing and operating information security processes, controls and other measures to
treat risks;
— monitoring and reviewing the performance and effectiveness of the ISMS; and
— practising continual improvement.
An ISMS, similar to any other type of management system, includes the following key components:
a) policy;
b) persons with defined responsibilities;
c) management processes related to:
1) policy establishment;
2) awareness and competence provision;
3) planning;
4) implementation;
5) operation;
6) performance assessment;
7) management review; and
8) improvement; and
d) documented information.
An ISMS has additional key components such as:
e) information security risk assessment; and
f) information security risk treatment, including determination and implementation of controls.
This document is generic and intended to be applicable to all organizations, regardless of type, size or
nature. The organization should identify which part of this guidance applies to it in accordance with its
specific organizational context (see ISO/IEC 27001:2013, Clause 4).
For example, some guidance can be more suited to large organizations, but for very small organizations
(e.g. with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.
The descriptions of Clauses 4 to 10 are structured as follows:
— Required activity: presents key activities required in the corresponding subclause of ISO/IEC 27001;
— Explanation: explains what the requirements of ISO/IEC 27001 imply;
— Guidance: provides more detailed or supportive information to implement “required activity”
including examples for implementation; and
— Other information: provides further information that can be considered.
ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005 form a set of documents supporting and providing
guidance on ISO/IEC 27001:2013. Among these documents, ISO/IEC 27003 is a basic and comprehensive
document that provides guidance for all the requirements of ISO/IEC 27001, but it does not have
detailed descriptions regarding “monitoring, measurement, analysis and evaluation” and information
security risk management. ISO/IEC 27004 and ISO/IEC 27005 focus on specific contents and give more
detailed guidance on “monitoring, measurement, analysis and evaluation” and information security
risk management.
There are several explicit references to documented information in ISO/IEC 27001. Nevertheless, an
organization can retain additional documented information that it determines as necessary for the
effectiveness of its management system as part of its response to ISO/IEC 27001:2013, 7.5.1 b). In these
cases, this document uses the phrase “Documented information on this activity and its outcome is
mandatory only in the form and to the extent that the organization determines as necessary for the
effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).”
INTERNATIONAL STANDARD ISO/IEC 27003:2017(E)
Information technology — Security techniques —
Information security management systems — Guidance
1 Scope
This document provides explanation and guidance on ISO/IEC 27001:2013.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2016 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
4 Context of the organization
4.1 Understanding the organization and its context
Required activity
The organization determines external and internal issues relevant to its purpose and affecting its
ability to achieve the intended outcome(s) of the information security management system (ISMS).
Explanation
As an integral function of the ISMS, the organization continually analyses itself and the world
surrounding it. This analysis is concerned with external and internal issues that in some way affect
information security and how information security can be managed, and that are relevant to the
organization’s objectives.
Analysis of these issues has three purposes:
— understanding the context in order to decide the scope of the ISMS;
— analysing the context in order to determine risks and opportunities; and
— ensuring that the ISMS is adapted to changing external and internal issues.
External issues are those outside of the organization’s control. This is often referred to as the
organization’s environment. Analysing this environment can include the following aspects:
a) social and cultural;
b) political, legal, normative and regulatory;
c) financial and macroeconomic;
d) technological;
e) natural; and
f) competitive.
These aspects of the organization’s environment continually present issues that affect information
security and how information security can be managed. The relevant external issues depend on the
organization’s specific priorities and situation.
For example, external issues for a specific organization can include:
g) the legal implications of using an outsourced IT service (legal aspect);
h) the characteristics of the natural environment, in terms of the likelihood of disasters such as fire,
flood and earthquake (natural aspect);
i) technical advances in hacking tools and in the use of cryptography (technological aspect); and
j) the general demand for the organization’s services (social, cultural or financial aspects).
Internal issues are subject to the organization’s control. Analysing the internal issues can include the
following aspects:
k) the organization’s culture;
l) policies, objectives, and the strategies to achieve them;
m) governance, organizational structure, roles and responsibilities;
n) standards, guidelines and models adopted by the organization;
o) contractual relationships that can directly affect the organization’s processes included in the scope
of the ISMS;
p) processes and procedures;
q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems
and technologies);
r) physical infrastructure and environment;
s) information systems, information flows and decision making processes (both formal and
informal); and
t) previous audits and previous risk assessment results.
The results of this activity are used in 4.3, 6.1 and 9.3.
Guidance
Based on an understanding of the organization’s purpose (e.g. referring to its mission statement or
business plan) as well as the intended outcome(s) of the organization’s ISMS, the organization should:
— review the external environment to identify relevant external issues; and
— review the internal aspects to identify relevant internal issues.
In order to identify relevant issues, the following question can be asked: How does a certain category
of issues (see a) to t) above) affect the information security objectives? Three examples of internal
issues serve as an illustration:
Example 1 on governance and organizational structure (see item m)): When establishing an ISMS,
already existing governance and organizational structures should be taken into account. As an
example, the organization can model the structure of its ISMS based on the structure of other existing
management systems, and can combine common functions, such as management review and auditing.
Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives
and strategies, can indicate what the organization intends to achieve and how the information security
objectives can be aligned with business objectives to ensure successful outcomes.
Example 3 on information systems and information flows (see item s)): When determining internal
issues, the organization should identify, at a sufficient level of detail, the information flows between its
various information systems.
As both the external and the internal issues will change over time, the issues and their influence on the
scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent that the organization determines as necessary for the effectiveness of its management system
(see ISO/IEC 27001:2013, 7.5.1 b)).
Other information
In ISO/IEC 27000, the definition of “organization” has a note which states that: “The concept of
organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority,
partnership, charity or institution, or part or combination thereof, whether incorporated or not, public
or private.” Some of these examples are whole legal entities, whilst others are not.
There are four cases:
1) the organization is a legal or administrative entity (e.g. sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution whether incorporated or not, public or
private);
2) the organization is a subset of a legal or administrative entity (e.g. part of a company, corporation,
enterprise);
3) the organization is a set of legal or administrative entities (e.g. a consortium of sole-traders, larger
companies, corporations, firms); and
4) the organization is a set of subsets of legal or administrative entities (e.g. clubs, trade associations).
4.2 Understanding the needs and expectations of interested parties
Required activity
The organization determines interested parties relevant to the ISMS and their requirements relevant to
information security.
Explanation
Interested party is a defined term (see ISO/IEC 27000:2016, 2.41) that refers to persons or organizations
that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the
organization. Interested parties can be found both outside and inside the organization and can have
specific needs, expectations and requirements for the organization’s information security.
External interested parties can include:
a) regulators and legislators;
b) shareholders including owners and investors;
c) suppliers including subcontractors, consultants, and outsourcing partners;
d) industry associations;
e) competitors;
f) customers and consumers; and
g) activist groups.
Internal interested parties can include:
h) decision makers including top management;
i) process owners, system owners, and information owners;
j) support functions such as IT or Human Resources;
k) employees and users; and
l) information security professionals.
The results of this activity are used in 4.3 and 6.1.
Guidance
The following steps should be taken:
— identify external interested parties;
— identify internal interested parties; and
— identify requirements of interested parties.
As the needs, expectations and requirements of interested parties change over time, these changes and
their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
No other information.
4.3 Determining the scope of the information security management system
Required activity
The organization determines the boundaries and applicability of the ISMS to establish its scope.
Explanation
The scope defines where and for what exactly the ISMS is applicable and where and for what it is not.
Establishing the scope is therefore a key activity that determines the necessary foundation for all other
activities in the implementation of the ISMS. For instance, risk assessment and risk treatment, including
the determination of controls, will not produce valid results without having a precise understanding of
where exactly the ISMS is applicable. Precise knowledge of the boundaries and applicability of the ISMS
and the interfaces and dependencies between the organization and other organizations is critical as
well. Any later modifications of the scope can result in considerable additional effort and costs.
The following factors can affect the determination of the scope:
a) the external and internal issues described in 4.1;
b) the interested parties and their requirements that are determined according to
ISO/IEC 27001:2013, 4.2;
c) the readiness of the business activities to be included as part of ISMS coverage;
d) all support functions, i.e. functions that are necessary to support these business activities (e.g.
human resources management; IT services and software applications; facility management of
buildings, physical zones, essential services and utilities); and
e) all functions that are outsourced either to other parts within the organization or to independent
suppliers.
The scope of an ISMS can be very different from one implementation to another. For instance, the scope
can include:
— one or more specific processes;
— one or more specific functions;
— one or more specific services;
— one or more specific sections or locations;
— an entire legal entity; and
— an entire administrative entity and one or more of its suppliers.
Guidance
To establish the scope of an ISMS, a multi-step approach can be followed:
f) determine the preliminary scope: this activity should be conducted by a small, but representative
group of management representatives;
g) determine the refined scope: the functional units within and outside the preliminary scope should
be reviewed, possibly followed by inclusion or exclusion of some of these functional units to reduce
the number of interfaces along the boundaries. When refining the preliminary scope, all support
functions should be considered that are necessary to support the business activities included in
the scope;
h) determine the final scope: the refined scope should be evaluated by all management within the
refined scope. If necessary, it should be adjusted and then precisely described; and
i) approval of the scope: the documented information describing the scope should be formally
approved by top management.
The organization should also consider activities with impact on the ISMS or activities that are
outsourced, either to other parts within the organization or to independent suppliers. For such
activities, interfaces (physical, technical and organizational) and their influence on the scope should be
identified.
Documented information describing the scope should include:
j) the organizational scope, boundaries and interfaces;
k) the information and communication technology scope, boundaries and interfaces; and
l) the physical scope, boundaries and interfaces.
Other information
No other information.
4.4 Information security management system
Required activity
The organization establishes, implements, maintains and continually improves the ISMS.
Explanation
ISO/IEC 27001:2013, 4.4 states the central requirement for establishing, implementing, maintaining
and continually improving an ISMS. While the other parts of ISO/IEC 27001 describe the required
elements of an ISMS, 4.4 mandates the organization to ensure that all required elements are met in
order to establish, implement, maintain and continually improve the ISMS.
Guidance
No specific guidance.
Other information
No other information.
5 Leadership
5.1 Leadership and commitment
Required activity
Top management demonstrates leadership and commitment with respect to the ISMS.
Explanation
Leadership and commitment are essential for an effective ISMS.
Top management is defined (see ISO/IEC 27000) as a person or group of people who directs and controls
the organization of the ISMS at the highest level, i.e. top management has the overall responsibility
for the ISMS. This means that top management directs the ISMS in a similar way to other areas in the
organization, for example the way budgets are allocated and monitored. Top management can delegate
authority in the organization and provide resources for actually performing activities related to
information security and the ISMS, but it still retains overall responsibility.
As an example, the organization implementing and operating the ISMS can be a business unit within
a larger organization. In this case, top management is the person or group of people that directs and
controls that business unit.
Top management also participates in management review (see 9.3) and promotes continual
improvement (see 10.2).
Guidance
Top management should provide leadership and show commitment through the following:
a) top management should ensure that the information security policy and the information security
objectives are established and are compatible with the strategic direction of the organization;
b) top management should ensure that ISMS requirements and controls are integrated into the
organization’s processes. How this is achieved should be tailored to the specific context of the
organization. For example, an organization that has designated process owners can delegate the
responsibility to implement applicable requirements to these persons or group of people. Top
management support can also be needed to overcome organizational resistance to changes in
processes and controls;
c) top management should ensure the availability of resources for an effective ISMS. The resources
are needed for the establishment of the ISMS, its implementation, maintenance and improvement,
as well as for implementing information security controls. Resources needed for the ISMS include:
1) financial resources;
2) personnel;
3) facilities; and
4) technical infrastructure.
The needed resources depend on the organization’s context, such as the size, the complexity, and
internal and external requirements. The management review should provide information that
indicates whether the resources are adequate for the organization;
d) top management should communicate the need for information security management in the
organization and the need to conform to ISMS requirements. This can be done by giving practical
examples that illustrate what the actual need is in the context of the organization and by
communicating information security requirements;
e) top management should ensure that the ISMS achieves its intended outcome(s) by supporting the
implementation of all information security management processes, and in particular through
requesting and reviewing reports on the status and effectiveness of the ISMS (see 5.3 b)). Such reports
can be derived from measurements (see 6.2 b) and 9.1 a)), management reviews and audit reports.
Top management can also set performance objectives for key personnel involved with the ISMS;
f) top management should direct and support persons in the organization directly involved with
information security and the ISMS. Failing to do this can have a negative impact on the effectiveness
of the ISMS. Feedback from top management can include how planned activities are aligned to the
strategic needs for the organization and also for prioritizing different activities in the ISMS;
g) top management should assess resource needs during management reviews and set objectives for
continual improvement and for monitoring effectiveness of planned activities; and
h) top management should support persons to whom roles and responsibilities relating to information
security management have been assigned, so that they are motivated and able to direct and support
information security activities within their area.
In cases where the organization implementing and operating an ISMS is part of a larger organization,
leadership and commitment can be improved by engagement with the person or group of people that
controls and directs the larger organization. If they understand what is involved in implementing an
ISMS, they can provide support for top management within the ISMS scope and help them provide
leadership and demonstrate commitment to the ISMS. For example, if interested parties outside the
scope of the ISMS are engaged in decision making concerning information security objectives and risk
criteria and are kept aware of information security outcomes produced by the ISMS, their decisions
regarding resource allocations can be aligned to the requirements of the ISMS.
Other information
No other information.
5.2 Policy
Required activity
Top management establishes an information security policy.
Explanation
The information security policy describes the strategic importance of the ISMS for the organization
and is available as documented information. The policy directs information security activities in the
organization.
The policy states what the needs for information security are in the actual context of the organization.
Guidance
The information security policy should contain brief, high level statements of intent and direction
concerning information security. It can be specific to the scope of an ISMS, or can have wider coverage.
All other policies, procedures, activities and objectives related to information security should be
aligned to the information security policy.
The information security policy should reflect the organization’s business situation, culture, issues and
concerns relating to information security. The extent of the information security policy should be in
accordance with the purpose and culture of the organization and should seek a balance between ease
of reading and completeness. It is important that users of the policy can identify themselves with the
strategic direction of the policy.
The information security policy can either include information security objectives for the organization
or describe the framework for how information security objectives are set (i.e. who sets them for
the ISMS and how they should be deployed within the scope of the ISMS). For example, in very large
organizations, high level objectives should be set by the top management of the entire organization,
then, according to a framework established in the information security policy, the objectives should be
detailed in a way to give a sense of direction to all interested parties.
The information security policy should contain a clear statement from the top management on its
commitment to satisfy information security related requirements.
The information security policy should contain a clear statement that top management supports
continual improvement in all activities. It is important to state this principle in the policy, so that
persons within the scope of the ISMS are aware of it.
The information security policy should be communicated to all persons within the scope of the ISMS.
Therefore, its format and language should be appropriate so that it is easily understandable by all
recipients.
Top management should decide to which interested parties the policy should be communicated. The
information security policy can be written in such a way that it is possible to communicate it to relevant
external interested parties outside of the organization. Examples of such external interested parties
are customers, suppliers, contractors, subcontractors and regulators. If the information security policy
is made available to external interested parties, it should not include confidential information.
The information security policy may either be a separate standalone policy or included in a
comprehensive policy, which covers multiple management system topics within the organization (e.g.
quality, environment and information security).
The information security policy should be available as documented information. The requirements in
ISO/IEC 27001 do not imply any specific form for this documented information, and therefore it is up to
the organization to decide what form is most appropriate. If the organization has a standard template
for policies, the form of the information security policy should use this template.
Other information
Further information on policies related to information security can be found in ISO/IEC 27002.
Further information about the relationship between the information security policy and other policies
in a policy framework can be found in Annex A.
5.3 Organizational roles, responsibilities and authorities
Required activity
Top management ensures that responsibilities and authorities for roles relevant to information security
are assigned and communicated throughout the organization.
Explanation
Top management ensures that roles and responsibilities as well as the necessary authorities relevant to
information security are assigned and communicated.
The purpose of this requirement is to assign responsibilities and authorities to ensure conformance of
the ISMS with the requirements of ISO/IEC 27001, and to ensure reporting on the performance of the
ISMS to the top management.
Guidance
Top management should regularly ensure that the responsibilities and authorities for the ISMS are
assigned so that the management system fulfils the requirements stated in ISO/IEC 27001. Top
management does not need to assign all roles, responsibilities and authorities, but it should adequately
delegate authority to do this. Top management should approve major roles, responsibilities and
authorities of the ISMS.
Responsibilities and authorities related to information security activities should be assigned. Activities
include:
a) coordinating the establishment, implementation, maintenance, performance reporting, and
improvement of the ISMS;
b) advising on information security risk assessment and treatment;
c) designing information security processes and systems;
d) setting standards concerning determination, configuration and operation of information security
controls;
e) managing information security incidents; and
f) reviewing and auditing the ISMS.
Beyond the roles specifically related to information security, relevant information security
responsibilities and authorities should be included within other roles. For example, information
security responsibilities can be incorporated in the roles of:
g) information owners;
h) process owners;
i) asset owners (e.g. application or infrastructure owners);
j) risk owners;
k) information security coordinating functions or persons (this particular role is normally a
supporting role in the ISMS);
l) project managers;
m) line managers; and
n) information users.
Documented information on this activity and its outcome is mandatory only in the form and to the
extent the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
No other information.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
Overview
ISO/IEC 27001:2013, 6.1 is concerned with the planning of actions to address all types of risks and
opportunities that are relevant to the ISMS. This includes risk assessment and planning for risk
treatment.
The structure of ISO/IEC 27001 subdivides risks into two categories during planning:
a) risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole; and
b) information security risks that relate to the loss of confidentiality, integrity and availability of
information within the scope of the ISMS.
The first category should be handled in accordance with requirements specified in ISO/IEC 27001:2013,
6.1.1 (general). Risks that fall into this category can be risks relating to the ISMS itself, the ISMS scope
definition, top management’s commitment to information security, resources for operating the ISMS,
etc. Opportunities that fall into this category can be opportunities relating to the outcome(s) of the
ISMS, the commercial value of an ISMS, the efficiency of operating ISMS processes and information
security controls, etc.
The second category consists of all risks that directly relate to the loss of confidentiality, integrity and
availability of information within the scope of the ISMS. These risks should be handled in accordance
with 6.1.2 (information security risk assessment) and 6.1.3 (information security risk treatment).
Organizations may choose to use different techniques for each category.
The subdivision of requirements for addressing risks can be explained as follows:
— it encourages compatibility with other management systems standards for those organizations
that have integrated management systems for different aspects like quality, environment and
information security;
— it requires that the organization defines and applies complete and detailed processes for information
security risk assessment and treatment; and
— it emphasizes that information security risk management is the core element of an ISMS.
ISO/IEC 27001:2013, 6.1.1 uses the expressions ‘determine the risks and opportunities’ and ‘address
these risks and opportunities’. The word “determine” can be considered to be equivalent to the word
“assess” used in ISO/IEC 27001:2013, 6.1.2 (i.e. identify, analyse and evaluate). Similarly, the word
“address” can be considered equivalent to the word “treat” used in ISO/IEC 27001:2013, 6.1.3.
Required activity
When planning for the ISMS, the organization determines the risks and opportunities considering
issues referred to in 4.1 and requirements referred to in 4.2.
Explanation
For risks and opportunities relevant to the intended outcome(s) of the ISMS, the organization
determines them based on internal and external issues (see 4.1) and requirements from interested
parties (see 4.2). Then the organization plans its ISMS to:
a) ensure that intended outcomes are delivered by the ISMS, e.g. that the information security risks
are known to the risk owners and treated to an acceptable level;
b) prev
...


SIST ISO/IEC 27003
SLOVENIAN
STANDARD
November 2018
Information technology – Security techniques – Information security management
systems – Guidance

Reference number
ICS 03.100.70; 35.030 SIST ISO/IEC 27003:2018 (sl)

Continued on pages 2 to 52

© 2025-12. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

SIST ISO/IEC 27003 : 2018
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27003 (sl), Information technology – Security techniques – Information
security management systems – Guidance, 2018, has the status of a Slovenian standard and is identical to
the international standard ISO/IEC 27003 (en, fr, de), Information technology – Security techniques –
Information security management systems – Guidance, 2017.

NATIONAL FOREWORD
The text of the standard ISO/IEC 27003:2017 was prepared by the joint technical committee of the
International Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC), ISO/IEC JTC 1 Information technology. The Slovenian standard SIST ISO/IEC 27003:2018 is a
translation of the English text of the international standard ISO/IEC 27003:2017. In case of dispute
concerning the text of the Slovenian translation in this standard, the original international standard in
English is decisive. The Slovenian edition of the standard was prepared by SIST/TC ITC Information
technology.

The decision to adopt this standard was taken by SIST/TC ITC Information technology on 1 November 2018.
RELATIONSHIP TO NATIONAL STANDARDS

With the adoption of this international standard, all standards cited in the original apply for the limited
purpose of normative references, except those already adopted into national standardization:

SIST EN ISO/IEC 27000:2017, Information technology – Security techniques – Information security
management systems – Overview and vocabulary

ISO/IEC 27001:2013, Information technology – Security techniques – Information security management
systems – Requirements

BASIS FOR THE ISSUE OF THE STANDARD
‒ adoption of the standard ISO/IEC 27003:2017

PREVIOUS EDITION
‒ SIST ISO/IEC 27003:2011, Information technology – Security techniques – Information security
management system implementation guidance

NOTES
‒ Wherever the term "International Standard" is used in the text of the standard, in SIST ISO/IEC
27003:2018 this means "Slovenian standard".

‒ The national introduction and the national foreword are not an integral part of the standard.

Contents       Page
Foreword to the International Standard   5
Introduction   6
1 Scope   8
2 Normative references   8
3 Terms and definitions   8
4 Context of the organization   8
4.1 Understanding the organization and its context   8
4.2 Understanding the needs and expectations of interested parties   10
4.3 Determining the scope of the information security management system   11
4.4 Information security management system   13
5 Leadership   13
5.1 Leadership and commitment   13
5.2 Policy   15
5.3 Organizational roles, responsibilities and authorities   16
6 Planning   17
6.1 Actions to address risks and opportunities   17
6.1.1 General   17
6.1.2 Information security risk assessment   19
6.1.3 Information security risk treatment   22
6.2 Information security objectives and planning to achieve them   26
7 Support   28
7.1 Resources   28
7.2 Competence   29
7.3 Awareness   30
7.4 Communication   31
7.5 Documented information   33
7.5.1 General   33
7.5.2 Creating and updating   34
7.5.3 Control of documented information   35
8 Operation   36
8.1 Operational planning and control   36
8.2 Information security risk assessment   38
8.3 Information security risk treatment   39
9 Performance evaluation   39
9.1 Monitoring, measurement, analysis and evaluation   39
9.2 Internal audit   41
9.3 Management review   43
10 Improvement   45
10.1 Nonconformity and corrective action   45
10.2 Continual improvement   48
Annex A (informative) Policy framework   50
Bibliography   52

Foreword to the International Standard

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted. This document was drafted in accordance with the editorial
rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC are not responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the list of patent declarations received by ISO (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL:
www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition of ISO/IEC 27003 cancels and replaces the first edition (ISO/IEC 27003:2010) and
includes minor corrections.

The main changes compared to the previous edition are as follows:

‒ the scope and title have been changed to cover explanation and guidance on the requirements of
ISO/IEC 27001:2013, rather than the previous edition (ISO/IEC 27001:2005);

‒ the structure is now aligned with the structure of ISO/IEC 27001:2013, which makes it easier for
the user to apply it together with that standard;

‒ the previous edition followed a project approach with a sequence of activities. This edition instead
provides guidance on the requirements regardless of the order in which they are implemented.

Introduction
This document provides guidance on the requirements for an information security management system
(ISMS) as specified in ISO/IEC 27001 and includes recommendations ("should"), possibilities ("can") and
permissions ("may") in relation to them. It is not the intention of this document to provide general
guidance on all aspects of information security.

Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.

This document does not add any new requirements for an ISMS or its related terms and definitions.
Organizations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions.
Organizations implementing an ISMS are under no obligation to observe the guidance in this document.

An ISMS emphasizes the importance of the following phases:

‒ understanding the organization's needs and the necessity of establishing an information security
policy and information security objectives;
‒ assessing the organization's risks related to information security;
‒ implementing and operating information security processes, controls and other measures to treat
risks;
‒ monitoring and reviewing the performance and effectiveness of the ISMS; and
‒ practising continual improvement.

Like other management systems, an ISMS includes the following key components:
a) policy;
b) persons with defined responsibilities;
c) management processes relating to:
1) policy establishment;
2) awareness and competence provision;
3) planning;
4) implementation;
5) operation;
6) performance assessment;
7) management review; and
8) improvement; and
d) documented information.
An ISMS has additional key components such as:
e) information security risk assessment; and
f) information security risk treatment, including the determination and implementation of controls.

This document is generic and intended to be applicable to all organizations, regardless of type, size or
nature. The organization should identify which part of this guidance applies to it in accordance with its
specific organizational context (see ISO/IEC 27001:2013, Clause 4).

For example, some guidance can be more suited to large organizations, while for very small organizations
(e.g. with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.

The descriptions of Clauses 4 to 10 are structured as follows:

‒ Required activity: presents the key activities required in the corresponding subclause of
ISO/IEC 27001;
‒ Explanation: explains what the requirements of ISO/IEC 27001 imply;
‒ Guidance: provides more detailed or supporting information for implementing the "required activity",
including examples for implementation; and
‒ Other information: provides further information that can be considered.

ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005 form a set of documents supporting and providing
guidance on ISO/IEC 27001:2013. Among them, ISO/IEC 27003 is the basic and comprehensive document
that provides guidance on all the requirements of ISO/IEC 27001, but it does not include detailed
descriptions of "monitoring, measurement, analysis and evaluation" or of information security risk
management. ISO/IEC 27004 and ISO/IEC 27005 focus on specific contents and provide more detailed
guidance on "monitoring, measurement, analysis and evaluation" and on information security risk
management.
There are several explicit references to documented information in ISO/IEC 27001. Nevertheless, an
organization can retain additional documented information that it determines as necessary for the
effectiveness of its management system as part of its response to ISO/IEC 27001:2013, 7.5.1 b). In these
cases, this document uses the phrase "Documented information on this activity and its outcome is
mandatory only in the form and to the extent the organization determines as necessary for the
effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b))".

Information technology – Security techniques – Information security management
systems – Guidance
1 Scope
This document provides explanation and guidance on ISO/IEC 27001:2013.

2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000:2016, Information technology – Security techniques – Information security management
systems – Overview and vocabulary

ISO/IEC 27001:2013, Information technology – Security techniques – Information security management
systems – Requirements

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2016 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
‒ IEC Electropedia: available at http://www.electropedia.org/
‒ ISO Online browsing platform: available at http://www.iso.org/obp

4 Context of the organization
4.1 Understanding the organization and its context

Required activity
The organization determines external and internal issues relevant to its purpose and affecting its ability
to achieve the intended outcome(s) of its ISMS.

Explanation
As an integral function of the ISMS, the organization continually analyses itself and the world
surrounding it. This analysis is concerned with external and internal issues that in some way affect
information security and how it is managed, and that are relevant to the objectives of the individual
organization.

The analysis of these issues has three purposes:

‒ understanding the context in order to determine the scope of the ISMS;
‒ analysing the context in order to determine risks and opportunities; and
‒ ensuring that the ISMS is adapted to changing external and internal issues.
External issues are those outside the control of the organization. This is often referred to as the
organization's environment. Analysing this environment can include the following aspects:

a) social and cultural;
b) political, legal, normative and regulatory;
c) financial and macroeconomic;
d) technological;
e) natural; and
f) competitive.
These aspects of the organization's environment continually present issues that affect information
security and how it is managed. The relevant external issues depend on the organization's specific
priorities and situation.
For example, external issues for a specific organization can include:

g) the legal implications of using an outsourced IT service (legal aspect);
h) the characteristics of nature in terms of the possibility of natural disasters such as fire, floods and
earthquakes (natural aspect);
i) technical advances in hacking tools and the use of cryptography (technological aspect); and
j) the general demand for the organization's services (social, cultural or financial aspect).

Internal issues are those subject to the organization's control. Analysing internal issues can include
the following aspects:
k) the organization's culture;
l) policies, objectives and strategies to achieve them;
m) governance, organizational structure, roles and responsibilities;
n) the organization's standards, guidelines and models;
o) contractual relationships that can directly affect the organization's processes included in the
scope of the ISMS;
p) processes and procedures;
q) capabilities in terms of resources and knowledge (e.g. capital, time, people, processes, systems and
technologies);
r) physical infrastructure and environment;
s) information systems, information flows and decision-making processes (both formal and informal);
and
t) the results of previous audits and previous risk assessments.

The results of this activity are used in 4.3, 6.1 and 9.3.

Guidance
Based on an understanding of the organization's purpose (e.g. by referring to its mission statement or
business plan) and the intended outcome(s) of the organization's ISMS, the organization should:

‒ review the external environment in order to determine relevant external issues; and
‒ review the internal aspects in order to determine relevant internal issues.

To determine relevant issues, the following question can be asked: How does a certain category of issues
(see a) to t) above) affect the information security objectives? Three examples of internal issues are
illustrated:

Example 1 on governance and organizational structure (see m)): when establishing an ISMS, the already
existing governance and organizational structures should be taken into account. For example, the
organization can model the structure of its ISMS on the structure of other existing management systems,
and it can combine common functions such as management review and audit.
Example 2 on policy, objectives and strategies (see l)): an analysis of existing policies, objectives and
strategies can indicate what the organization intends to achieve and how information security objectives
can be aligned with business objectives to ensure successful results.

Example 3 on information systems and information flows (see s)): when determining internal issues, the
organization should identify, at a suitable level of detail, the information flows between its various
information systems.
Since both external and internal issues will change over time, the issues and their influence on the
scope, constraints and requirements of the ISMS should be reviewed regularly.

Documented information on this activity and its outcome is mandatory only in the form and to the extent
the organization determines as necessary for the effectiveness of its management system (see
ISO/IEC 27001:2013, 7.5.1 b)).
Other information
The definition of the term "organization" in ISO/IEC 27000 has a note that states: "The concept of
organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise,
authority, partnership, charity or institution, or part or combination thereof, whether incorporated or
not, public or private." Some of these examples are whole legal entities, while others are not.
There are four cases:
1) the organization is a legal entity or an administrative body (e.g. a sole-trader, company, corporation,
firm, enterprise, authority, partnership, charity or institution, whether incorporated or not, public or
private);
2) the organization is a subset of a legal entity or administrative body (e.g. part of a company,
corporation, enterprise);
3) the organization is a set of legal entities or administrative bodies (e.g. a consortium of sole-traders,
larger companies, corporations, enterprises); and
4) the organization is a group of subsets of legal entities or administrative bodies (e.g. clubs, trade
associations).
4.2 Understanding the needs and expectations of interested parties

Required activity
The organization determines the interested parties relevant to the information security management system and their requirements relevant to information security.

Explanation
Interested party is a defined term (see 2.41 of ISO/IEC 27000:2016) that refers to a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. Interested parties can be found both outside and inside the organization, and they can have specific needs, expectations and requirements regarding the organization's information security.

External interested parties can include:

a) regulatory and legislative authorities,

b) shareholders, including owners and investors,

c) suppliers, including subcontractors, consultants and outsourcing partners,

d) industry associations,

e) competitors,

f) customers and consumers; and

g) activist groups.

Internal interested parties can include:

h) decision-makers, including top management,

i) process owners, system owners and information owners,

j) support functions such as information technology and human resources,

k) employees and users; and

l) information security professionals.

The outputs of this activity are used in 4.3 and 6.1.

Guidance
The following steps should be carried out:

‒ identification of external interested parties,

‒ identification of internal interested parties; and

‒ identification of the requirements of interested parties.

Since the needs, expectations and requirements of interested parties change over time, they should be reviewed regularly, together with their influence on the scope, constraints and requirements of the information security management system.
Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see 7.5.1 b) of ISO/IEC 27001:2013).
Other information
No other information.
4.3 Determining the scope of the information security management system

Required activity
The organization determines the boundaries and applicability of the information security management system to establish its scope.
Explanation
The scope defines where, and to what, the information security management system actually applies.
Determining the scope is thus a key activity and the basis for all other activities in implementing the information security management system. For example, risk assessment and risk treatment, including the determination of controls, will not yield valid results without a precise understanding of the scope of the information security management system. Precise knowledge of the boundaries and applicability of the information security management system, and of the interfaces and dependencies between the organization and other organizations, is likewise of key importance. Any later change to the scope can mean a considerable increase in additional effort and cost.

The following factors can influence the determination of the scope:

a) the external and internal issues described in 4.1,

b) the interested parties and their requirements, determined in accordance with 4.2 of ISO/IEC 27001:2013,

c) the readiness of business activities to be included in the information security management system,

d) all support functions, i.e. the functions needed to support these business activities (e.g. human resources management, use of IT services and software, management of buildings, physical areas, essential services and utilities); and

e) all functions outsourced to other parts within the organization or to independent contractors.
The scope of an information security management system can vary widely in terms of implementation. For example, the scope can include:
‒ one or more specific processes,

‒ one or more specific functions,

‒ one or more specific services,

‒ one or more specific sections or locations,

‒ an entire legal entity; and

‒ an entire administrative body and one or more of its suppliers.

Guidance
A multi-step approach can be used to determine the scope of the information security management system:

f) determine a preliminary scope: this activity should be carried out by a small but representative group of management representatives,

g) determine a refined scope: the functional units within and outside the preliminary scope should be reviewed, and these functional units can then be included or excluded to reduce the number of interfaces along the boundaries. When refining the preliminary scope, all support functions needed to support the business activities covered by the scope should be taken into account,

h) determine the final scope: the refined scope should be evaluated by all management within the refined scope. It should be adjusted if necessary and then described precisely; and

i) approve the scope: the documented information describing the scope should be formally approved by top management.
The organization should also consider activities that affect the information security management system, or activities that are outsourced to other parts within the organization or to independent contractors. For these activities, it is also advisable to determine the interfaces (physical, technical and organizational) and their effect on the scope.
The documented information describing the scope should include:

j) the organizational scope, boundaries and interfaces,

k) the information and communication technology scope, boundaries and interfaces; and

l) the physical scope, boundaries and interfaces.
Other information
No other information.
4.4 Information security management system

Required activity
The organization establishes, implements, maintains and continually improves the information security management system.

Explanation
Clause 4.4 of ISO/IEC 27001:2013 states the main requirement to establish, implement, maintain and continually improve the information security management system. While other parts of ISO/IEC 27001 describe the required elements of an information security management system, clause 4.4 gives the organization the mandate to ensure that all required elements for establishing, implementing, maintaining and continually improving the information security management system are fulfilled.

Guidance
No specific guidance.
Other information
No other information.
5 Leadership
5.1 Leadership and commitment

Required activity
Top management demonstrates leadership and commitment with respect to the information security management system.
Explanation
Leadership and commitment are essential elements of an effective information security management system.

Top management is defined (see ISO/IEC 27000) as the person or group of people who directs and controls the organization of the information security management system at the highest level, i.e. top management has overall responsibility for the information security management system. This means that top management directs the information security management system in a similar way to other areas in the organization, for example the way budget funds are allocated and monitored. Top management can delegate authority within the organization and provide resources for the actual performance of activities related to information security and the information security management system, but it still retains overall responsibility.

For example, the organization that implements and operates the information security management system can be a business unit within a larger organization. In that case, top management is the person or group of people who directs and controls that business unit.

Top management also participates in management review (see 9.3) and promotes continual improvement (see 10.2).
Guidance
Top management should provide leadership and demonstrate commitment:

a) top management should ensure that the information security policy is established and that information security objectives compatible with the strategic direction of the organization are set,

b) top management should ensure that the requirements and controls of the information security management system are integrated into the organization's processes. How this is achieved should be adapted to the specific context of the organization. For example, an organization that has appointed process owners can transfer the responsibility for implementing the applicable requirements to these persons or groups of people. The support of top management may also be required to overcome organizational resistance to changes in processes and controls,

c) top management should ensure the availability of resources for an effective information security management system. Resources are needed to establish, implement, maintain and improve the information security management system, as well as to implement information security controls. The resources needed for the information security management system are:

1) financial resources,
2) personnel,
3) facilities; and
4) technical infrastructure.
The resources required depend on the context of the organization, e.g. its size, composition, and internal and external requirements. Management review should provide information showing whether the resources are adequate for the organization,

d) top management should communicate the need for information security management in the organization and the need to conform to the requirements of the information security management system. This can be done with practical examples that show what the actual need is in the context of the organization, and by communicating information security requirements,

e) top management should ensure that the information security management system achieves its intended outcomes by supporting the implementation of all information security management processes and, in particular, by requesting or reviewing reports on the status and performance of the information security management system (see 5.3 b)). Such reports can be prepared on the basis of measurements (see 6.2 b) and 9.1 a)), management reviews and audit reports. Top management can also set performance objectives for key personnel working on the information security management system,

f) top management should direct and support the persons in the organization who are directly involved with information security and the information security management system. Otherwise, the effectiveness of the information security management system can be negatively affected. Feedback from top management can include how planned activities are aligned with the strategic needs of the organization, as well as the prioritization of the various activities in the information security management system,

g) top management should, in management reviews, evaluate resource needs and set objectives for continual improvement and for monitoring the effectiveness of planned activities; and

h) top management should support the persons who have been assigned roles and responsibilities relating to information security management, so that they are motivated and able to direct and support information security activities in their area.

If the organization that implements and operates the information security management system is part of a larger organization, leadership and commitment can be improved through cooperation with the person or group of people who controls and directs the larger organization. If they understand what implementing an information security management system requires, they can provide support to top management within the scope of the information security management system and help it to lead and demonstrate commitment to the information security management system. For example, if interested parties outside the scope of the information security management system who are informed about the information security outcomes within the information security management system are involved in decisions regarding information security objectives and risk criteria, their decisions on resource allocation can be aligned with the requirements of the information security management system.

Other information
No other information.
5.2 Policy
Required activity
Top management establishes an information security policy.

Explanation
The information security policy describes the strategic importance of the information security management system for the organization and is available as documented information. The policy directs the information security activities in the organization.
The policy states the needs for information security in the actual context of the organization.

Guidance
The information security policy should contain short, high-level statements of intent and direction regarding information security. It can apply to the scope of the information security management system or be set more broadly.
All other policies, procedures, activities and objectives related to information security should be aligned with the information security policy.

The information security policy should reflect the organization's business situation, culture, issues and concerns regarding information security. The extent of the information security policy should be consistent with the purpose and culture of the organization and should be as understandable and comprehensive as possible at the same time. It is important that users of the policy can identify with its strategic direction.

The information security policy can include the information security objectives for the organization or describe the framework for how information security objectives are set (i.e. who sets the objectives for the information security management system and how these objectives are deployed within the scope of the information security management system). For example, in very large organizations the high-level objectives should be set by the top management of the entire organization, after which the objectives should be detailed, in accordance with the established information security policy, in a way that directs all interested parties.

The information security policy should contain a clear statement of top management's commitment to satisfying the requirements related to information security.

The information security policy should contain a clear statement that top management supports continual improvement of all activities. It is important that this principle is stated in the policy so that the persons within the scope of the information security management system are appropriately informed of it.

The information security policy should be communicated to all persons within the scope of the information security management system. Its form and language should therefore be appropriate so that all recipients understand it.

Top management should decide to which interested parties the policy is to be communicated. The information security policy can be written in a way that allows it to be communicated to relevant external interested parties outside the organization. Examples of external interested parties are customers, suppliers, contractors, subcontractors and regulatory authorities. If the information security policy is made available to external interested parties, it should not include confidential information.

The information security policy can be a separate, stand-alone policy, or it can be included in a comprehensive policy that covers several management system topics within the organization (e.g. quality, environment and information security).
The information security policy should be available as documented information. The requirements of ISO/IEC 27001 do not imply a particular form for this documented information, so the organization itself decides which form is most appropriate. If the organization has a standard template for policies, that template should be used for the information security policy.

Other information
Additional information on information security policies is available in ISO/IEC 27002.

Additional information on the relationship between the information security policy and other policies within the policy framework is available in Annex A.
5.3 Organizational roles, responsibilities and authorities

Required activity
Top management ensures that the responsibilities and authorities for roles relevant to information security are assigned and communicated throughout the organization.

Explanation
Top management ensures the assignment and communication of roles and responsibilities, as well as the necessary authorities, relating to information security.

The purpose of this requirement is to assign responsibilities and authorities for ensuring that the information security management system conforms to the requirements of ISO/IEC 27001, and for reporting on the performance of the information security management system to top management.

Guidance
Top management should regularly ensure that the responsibilities and authorities for the information security management system are assigned so that the management system meets the requirements stated in ISO/IEC 27001. Top management does not need to assign all roles, responsibilities and authorities itself, but it should appropriately delegate the authority to make such assignments. Top management should approve the main roles, responsibilities and authorities for the information security management system.

Responsibilities and authorities for information security activities should be assigned. The activities include:
a) coordinating the establishment, implementation, maintenance, performance reporting and improvement of the information security management system,

b) advising on information security risk assessment and risk treatment,

c) designing information security processes and systems,

d) setting standards for the determination, configuration and operation of information security controls,

e) managing information security incidents; and

f) reviewing and auditing the information security management system.

In addition to roles specifically related to information security, relevant information security responsibilities and authorities should be included in other roles. For example, information security responsibilities can be included in the following roles:

g) information owners,
h) process owners,
i) asset owners (e.g. application or infrastructure owners),
j) risk owners,
k) information security coordination functions and persons (this role is usually a supporting role in the information security management system),

l) project managers,
m) line managers; and
n) information users.
Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see 7.5.1 b) of ISO/IEC 27001:2013).
Other information
No other information.
6 Planning
6.1 Actions to address risks and opportunities

6.1.1 General
Overview
Clause 6.1 of ISO/IEC 27001:2013 concerns the planning of actions to address all kinds of risks and opportunities relevant to the information security management system. This includes risk assessment and the planning of risk treatment.

ISO/IEC 27001 divides risks into two categories during planning:

a) risks and opportunities relevant to the intended outcomes of the information security management system as a whole; and
b) information security risks relating to the loss of confidentiality, integrity and availability of information within the scope of the information security management system.

The first category should be handled in accordance with the requirements set out in 6.1.1 (General) of ISO/IEC 27001:2013. Risks falling into this category can relate to the information security management system itself, the definition of the scope of the information security management system, top management's commitment to information security, the resources for operating the information security management system, etc. Opportunities covered by this category can relate to the outcomes of the information security management system, the market value of the information security management system, the efficiency of operation of the information security management system processes and of information security controls, etc.

The second category includes all risks directly related to the loss of confidentiality, integrity and availability of information within the scope of the information security management system. These risks can be handled in accordance with 6.1.2 (Information security risk assessment) and 6.1.3 (Information security risk treatment).

Organizations can choose to use different techniques for each category.

The further division of the requirements for addressing risks can be explained as follows:

‒ it promotes compatibility with other management system standards for organizations that have integrated management systems covering various aspects such as quality, environment and information security,

‒ it requires the organization to define and apply comprehensive and detailed processes for assessing and treating information security risks; and

‒ it emphasizes that information security risk management is a core element of the information security management system.
Clause 6.1.1 of ISO/IEC 27001:2013 uses the terms "determine risks and opportunities" and "address these risks and opportunities". The word "determine" can be understood as the word "assess" used in 6.1.2 of ISO/IEC 27001:2013 (i.e. identify, analyse and evaluate). Similarly, the word "address" can be understood as "treat", which is used in 6.1.3 of ISO/IEC 27001:2013.

Required activity
Organizacija pri načrtovanju sistema vodenja informacijske varn
...
