ISO/IEC 27003:2010

SLOVENSKI STANDARD
SIST ISO/IEC 27003:2011
01-marec-2011
Informacijska tehnologija - Varnostne tehnike - Smernice za izvedbo sistema
upravljanja informacijske varnosti
Information technology - Security techniques - Information security management system
implementation guidance
Technologies de l'information - Techniques de sécurité - Lignes directrices pour la mise
en oeuvre du système de management de la sécurité de l'information
Ta slovenski standard je istoveten z: ISO/IEC 27003:2010
ICS:
35.040 Nabori znakov in kodiranje Character sets and
informacij information coding
SIST ISO/IEC 27003:2011 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ISO/IEC 27003:2011

---------------------- Page: 2 ----------------------

SIST ISO/IEC 27003:2011

INTERNATIONAL ISO/IEC
STANDARD 27003
First edition
2010-02-01

Information technology — Security
techniques — Information security
management system implementation
guidance
Technologies de l'information — Techniques de sécurité — Lignes
directrices pour la mise en œuvre du système de management de la
sécurité de l'information




Reference number
ISO/IEC 27003:2010(E)
©
ISO/IEC 2010

---------------------- Page: 3 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2010 – All rights reserved

---------------------- Page: 4 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Structure of this International Standard .2
4.1 General structure of clauses.2
4.2 General structure of a clause.3
4.3 Diagrams .3
5 Obtaining management approval for initiating an ISMS project .5
5.1 Overview of obtaining management approval for initiating an ISMS project .5
5.2 Clarify the organization’s priorities to develop an ISMS.7
5.3 Define the preliminary ISMS scope .9
5.4 Create the business case and the project plan for management approval.11
6 Defining ISMS scope, boundaries and ISMS policy.12
6.1 Overview of defining ISMS scope, boundaries and ISMS policy .12
6.2 Define organizational scope and boundaries.15
6.3 Define information communication technology (ICT) scope and boundaries .16
6.4 Define physical scope and boundaries.17
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries.18
6.6 Develop the ISMS policy and obtain approval from management .19
7 Conducting information security requirements analysis.20
7.1 Overview of conducting information security requirements analysis.20
7.2 Define information security requirements for the ISMS process.22
7.3 Identify assets within the ISMS scope .23
7.4 Conduct an information security assessment .24
8 Conducting risk assessment and planning risk treatment.25
8.1 Overview of conducting risk assessment and planning risk treatment .25
8.2 Conduct risk assessment.27
8.3 Select the control objectives and controls.28
8.4 Obtain management authorization for implementing and operating an ISMS.29
9 Designing the ISMS.30
9.1 Overview of designing the ISMS.30
9.2 Design organizational information security .33
9.3 Design ICT and physical information security .38
9.4 Design ISMS specific information security.40
9.5 Produce the final ISMS project plan .44
Annex A (informative) Checklist description .45
Annex B (informative) Roles and responsibilities for Information Security .51
Annex C (informative) Information about Internal Auditing .55
Annex D (informative) Structure of policies .57
Annex E (informative) Monitoring and measuring.62
Bibliography.68

© ISO/IEC 2010 – All rights reserved iii

---------------------- Page: 5 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
iv © ISO/IEC 2010 – All rights reserved

---------------------- Page: 6 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation
plan for an Information Security Management System (ISMS) within an organization in accordance with
ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to provide support of the
implementation of ISO/IEC 27001:2005; (relevant parts from Clauses 4, 5, and 7 inclusive) and document:
a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational
structure for the project, and gaining management approval,
b) the critical activities for the ISMS project and,
c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security
management, giving stakeholders the assurance that risks to information assets are continuously maintained
within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but covers the
concepts on how to design the activities which will result after the ISMS operations begin. The concept results
in the final ISMS project implementation plan. The actual execution of the organizational specific part of an
ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management
methodologies (for more information please see ISO and ISO/IEC Standards addressing project
management).

© ISO/IEC 2010 – All rights reserved v

---------------------- Page: 7 ----------------------

SIST ISO/IEC 27003:2011

---------------------- Page: 8 ----------------------

SIST ISO/IEC 27003:2011
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)

Information technology — Security techniques — Information
security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes
the process of ISMS specification and design from inception to the production of implementation plans. It
describes the process of obtaining management approval to implement an ISMS, defines a project to
implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on
how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to
all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all
sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS
implementation. Smaller organizations will find that the activities noted in this International Standard are
applicable to them and can be simplified. Large-scale or complex organizations might find that a layered
organization or management system is needed to manage the activities in this International Standard
effectively. However, in both cases, the relevant activities can be planned by applying this International
Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and
ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in
ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this
International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009,
ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
© ISO/IEC 2010 – All rights reserved 1

---------------------- Page: 9 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an
organization. This document explains the ISMS implementation by focusing on the initiation, planning, and
definition of the project. The process of planning the ISMS final implementation contains five phases and each
phase is represented by a separate clause. All clauses have a similar structure, as described below. The five
phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6)
c) Conducting Organization Analysis (Clause 7)
d) Conducting Risk Assessment and Risk Treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and
main output documents.










Figure 1 — ISMS project phases
Further information is noted in the annexes. These annexes are:
Annex A. Summary of activities with references according to ISO/IEC 27001:2005
Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits
Annex D. Structure of policies
Annex E. Information on planning of monitoring and measuring
2 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 10 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
4.2 General structure of a clause
Each clause contains:
a) one or more objectives stating what is to be achieved noted in the beginning of each clause in a text box;
and
b) one or more activities necessary to achieve the phase objective or objectives.
Each activity is described in a subclause.
Activity descriptions in each subclause are structured as follows:
Activity
The activity defines what is necessary to satisfy this activity which achieves all or part of the phase objectives.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other
activities described in this International Standard. Inputs could either be referred to as the complete output
from an activity just stating the relevant clause or specific information from an activity may be added after the
clause reference.
Guidance
The guidance provides detailed information to enable performing this activity. Some of the guidance may not
be suitable in all cases and other ways of achieving the results may be more appropriate.
Output
The output describes the result(s) or deliverable(s), upon completion of the activity; e.g. a document. The
outputs are the same, independent of the size of the organization or the ISMS scope.
Other information
The other information provides any additional information that may assist in performing the activity, for
example references to other standards.
NOTE The phases and activities described in this document include a suggested sequence of performing activities
based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However,
depending on many different factors (e.g., effectiveness of management system currently in place, understanding with
regard to the importance of information security, reasons for implementing an ISMS), an organization may select any
activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams
A project is often illustrated in graphical or diagram form showing an overview of activities and outputs.
Figure 2 illustrates the legend of diagrams which are illustrated in an overview subclause of each phase. The
diagrams provide a high level overview of the activities included in each phase.



© ISO/IEC 2010 – All rights reserved 3

---------------------- Page: 11 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
































Figure 2 — Flow diagram legend


4 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 12 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific
clause is then emphasized with its key output documents.
The lower diagram (activities of the phase) includes the key activities which are included in the emphasized
phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square.
Activity A and Activity B can be executed at the same time. Activity C should be started after Activity A and B
is finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are several factors that should be taken into consideration when deciding to implement an ISMS. In
order to address these factors, management should understand the business case of an ISMS implementation
project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, an organization should create a business case which includes the
priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS.
The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS, and
clarify the information security roles and responsibilities within the organization needed for an ISMS project.
The expected output of this phase will be the preliminary management approval of, and commitment to
implement, an ISMS and performing the activities described in this International Standard. The deliverables
from this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process to obtain management approval to initiate the ISMS project.
NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one
of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of
ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in
this document.

© ISO/IEC 2010 – All rights reserved 5

---------------------- Page: 13 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)

Figure 3 — Overview of obtaining management approval for initiating an ISMS project

6 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 14 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
5.2 Clarify the organization’s priorities to develop an ISMS
Activity
The objectives to implement an ISMS should be included by considering the organization’s information
security priorities and requirements.
Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that
should be performed is to collect the relevant information illustrating the value of an ISMS to the organization.
The organization should clarify why an ISMS is needed and decide the objectives of the ISMS implementation
and initiate the ISMS Project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?
In order to answer the questions above, the organization’s security priorities and requirements are addressed
by the following possible factors:
a) critical businesses and organization areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas provide the business and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized
parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial
reporting?
d) contractual or organizational agreements relating to information security:
1. What are the storage requirements (including the retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. service level agreement-
SLA)?
© ISO/IEC 2010 – All rights reserved 7

---------------------- Page: 15 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) The threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) Competitive Drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the
organization?
h) Business continuity requirements
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?
The preliminary ISMS scope can be determined by responding to the information above. This is also needed
in order to create a business case and overall ISMS project plan for management approval. The detailed
ISMS scope will be defined during the ISMS project.
The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the
characteristics of the business, the organization, its location, assets and technology. The resulting information
from the above supports this determination.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management
and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g.
people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or
through the corporate intranet)?
d) Can the current management systems support the organization’s needs? Is it fully operational, well
maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected
8 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 16 ----------------------

SIST ISO/IEC 27003:2011
ISO/IEC 27003:2010(E)
Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements
for an ISMS.
b) a list of regulatory, contractual, and industry requirements related to the information security of the
organization.
c) Outlined characteristics of the business, the organization, its location, assets, and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives to implement ISMS should include the preliminary ISMS scope definition, which is necessary
for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.
Guidance
In order to execute the ISMS implementation project, the structure of an organization for the ISMS should be
defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for
implementation decisions, and to support further activities.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for
management approval.
The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied.
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.
The common elements and the operational differences between the processes of any existing management
system(s) and the proposed ISMS should
...

INTERNATIONAL ISO/IEC
STANDARD 27003
First edition
2010-02-01

Information technology — Security
techniques — Information security
management system implementation
guidance
Technologies de l'information — Techniques de sécurité — Lignes
directrices pour la mise en œuvre du système de management de la
sécurité de l'information




Reference number
ISO/IEC 27003:2010(E)
©
ISO/IEC 2010

---------------------- Page: 1 ----------------------
ISO/IEC 27003:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2010 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 27003:2010(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Structure of this International Standard .2
4.1 General structure of clauses.2
4.2 General structure of a clause.3
4.3 Diagrams .3
5 Obtaining management approval for initiating an ISMS project .5
5.1 Overview of obtaining management approval for initiating an ISMS project .5
5.2 Clarify the organization’s priorities to develop an ISMS.7
5.3 Define the preliminary ISMS scope .9
5.4 Create the business case and the project plan for management approval.11
6 Defining ISMS scope, boundaries and ISMS policy.12
6.1 Overview of defining ISMS scope, boundaries and ISMS policy .12
6.2 Define organizational scope and boundaries.15
6.3 Define information communication technology (ICT) scope and boundaries .16
6.4 Define physical scope and boundaries.17
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries.18
6.6 Develop the ISMS policy and obtain approval from management .19
7 Conducting information security requirements analysis.20
7.1 Overview of conducting information security requirements analysis.20
7.2 Define information security requirements for the ISMS process.22
7.3 Identify assets within the ISMS scope .23
7.4 Conduct an information security assessment .24
8 Conducting risk assessment and planning risk treatment.25
8.1 Overview of conducting risk assessment and planning risk treatment .25
8.2 Conduct risk assessment.27
8.3 Select the control objectives and controls.28
8.4 Obtain management authorization for implementing and operating an ISMS.29
9 Designing the ISMS.30
9.1 Overview of designing the ISMS.30
9.2 Design organizational information security .33
9.3 Design ICT and physical information security .38
9.4 Design ISMS specific information security.40
9.5 Produce the final ISMS project plan .44
Annex A (informative) Checklist description .45
Annex B (informative) Roles and responsibilities for Information Security .51
Annex C (informative) Information about Internal Auditing .55
Annex D (informative) Structure of policies .57
Annex E (informative) Monitoring and measuring.62
Bibliography.68

© ISO/IEC 2010 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 27003:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
iv © ISO/IEC 2010 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 27003:2010(E)
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation
plan for an Information Security Management System (ISMS) within an organization in accordance with
ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to provide support of the
implementation of ISO/IEC 27001:2005; (relevant parts from Clauses 4, 5, and 7 inclusive) and document:
a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational
structure for the project, and gaining management approval,
b) the critical activities for the ISMS project and,
c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security
management, giving stakeholders the assurance that risks to information assets are continuously maintained
within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but covers the
concepts on how to design the activities which will result after the ISMS operations begin. The concept results
in the final ISMS project implementation plan. The actual execution of the organizational specific part of an
ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management
methodologies (for more information please see ISO and ISO/IEC Standards addressing project
management).

© ISO/IEC 2010 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)

Information technology — Security techniques — Information
security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes
the process of ISMS specification and design from inception to the production of implementation plans. It
describes the process of obtaining management approval to implement an ISMS, defines a project to
implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on
how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to
all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all
sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS
implementation. Smaller organizations will find that the activities noted in this International Standard are
applicable to them and can be simplified. Large-scale or complex organizations might find that a layered
organization or management system is needed to manage the activities in this International Standard
effectively. However, in both cases, the relevant activities can be planned by applying this International
Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and
ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in
ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this
International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009,
ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
© ISO/IEC 2010 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 27003:2010(E)
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an
organization. This document explains the ISMS implementation by focusing on the initiation, planning, and
definition of the project. The process of planning the ISMS final implementation contains five phases and each
phase is represented by a separate clause. All clauses have a similar structure, as described below. The five
phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6)
c) Conducting Organization Analysis (Clause 7)
d) Conducting Risk Assessment and Risk Treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and
main output documents.










Figure 1 — ISMS project phases
Further information is noted in the annexes. These annexes are:
Annex A. Summary of activities with references according to ISO/IEC 27001:2005
Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits
Annex D. Structure of policies
Annex E. Information on planning of monitoring and measuring
2 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 27003:2010(E)
4.2 General structure of a clause
Each clause contains:
a) one or more objectives stating what is to be achieved noted in the beginning of each clause in a text box;
and
b) one or more activities necessary to achieve the phase objective or objectives.
Each activity is described in a subclause.
Activity descriptions in each subclause are structured as follows:
Activity
The activity defines what is necessary to satisfy this activity which achieves all or part of the phase objectives.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other
activities described in this International Standard. Inputs could either be referred to as the complete output
from an activity just stating the relevant clause or specific information from an activity may be added after the
clause reference.
Guidance
The guidance provides detailed information to enable performing this activity. Some of the guidance may not
be suitable in all cases and other ways of achieving the results may be more appropriate.
Output
The output describes the result(s) or deliverable(s), upon completion of the activity; e.g. a document. The
outputs are the same, independent of the size of the organization or the ISMS scope.
Other information
The other information provides any additional information that may assist in performing the activity, for
example references to other standards.
NOTE The phases and activities described in this document include a suggested sequence of performing activities
based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However,
depending on many different factors (e.g., effectiveness of management system currently in place, understanding with
regard to the importance of information security, reasons for implementing an ISMS), an organization may select any
activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams
A project is often illustrated in graphical or diagram form showing an overview of activities and outputs.
Figure 2 illustrates the legend of diagrams which are illustrated in an overview subclause of each phase. The
diagrams provide a high level overview of the activities included in each phase.



© ISO/IEC 2010 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 27003:2010(E)
































Figure 2 — Flow diagram legend


4 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 27003:2010(E)
The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific
clause is then emphasized with its key output documents.
The lower diagram (activities of the phase) includes the key activities which are included in the emphasized
phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square.
Activity A and Activity B can be executed at the same time. Activity C should be started after Activity A and B
is finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are several factors that should be taken into consideration when deciding to implement an ISMS. In
order to address these factors, management should understand the business case of an ISMS implementation
project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, an organization should create a business case which includes the
priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS.
The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS, and
clarify the information security roles and responsibilities within the organization needed for an ISMS project.
The expected output of this phase will be the preliminary management approval of, and commitment to
implement, an ISMS and performing the activities described in this International Standard. The deliverables
from this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process to obtain management approval to initiate the ISMS project.
NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one
of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of
ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in
this document.

© ISO/IEC 2010 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 27003:2010(E)

Figure 3 — Overview of obtaining management approval for initiating an ISMS project

6 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 27003:2010(E)
5.2 Clarify the organization’s priorities to develop an ISMS
Activity
The objectives to implement an ISMS should be included by considering the organization’s information
security priorities and requirements.
Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that
should be performed is to collect the relevant information illustrating the value of an ISMS to the organization.
The organization should clarify why an ISMS is needed and decide the objectives of the ISMS implementation
and initiate the ISMS Project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?
In order to answer the questions above, the organization’s security priorities and requirements are addressed
by the following possible factors:
a) critical businesses and organization areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas provide the business and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized
parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial
reporting?
d) contractual or organizational agreements relating to information security:
1. What are the storage requirements (including the retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. service level agreement-
SLA)?
© ISO/IEC 2010 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/IEC 27003:2010(E)
e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) The threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) Competitive Drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the
organization?
h) Business continuity requirements
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?
The preliminary ISMS scope can be determined by responding to the information above. This is also needed
in order to create a business case and overall ISMS project plan for management approval. The detailed
ISMS scope will be defined during the ISMS project.
The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the
characteristics of the business, the organization, its location, assets and technology. The resulting information
from the above supports this determination.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management
and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g.
people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or
through the corporate intranet)?
d) Can the current management systems support the organization’s needs? Is it fully operational, well
maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected
8 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/IEC 27003:2010(E)
Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements
for an ISMS.
b) a list of regulatory, contractual, and industry requirements related to the information security of the
organization.
c) Outlined characteristics of the business, the organization, its location, assets, and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives to implement ISMS should include the preliminary ISMS scope definition, which is necessary
for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.
Guidance
In order to execute the ISMS implementation project, the structure of an organization for the ISMS should be
defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for
implementation decisions, and to support further activities.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for
management approval.
The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied.
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.
The common elements and the operational differences between the processes of any existing management
system(s) and the proposed ISMS should be identified.
Output
The deliverable is a document which describes the preliminary scope of the ISMS.
© ISO/IEC 2010 – All rights reserved 9

---------------------- Page: 14 ----------------------
ISO/IEC 27003:2010(E)
Other information
No other specific information.
NOTE Special attention should be drawn that in case of certification specific documentation requirements of
ISO/IEC 27001:2005 as for the ISMS scope are to be fulfilled regardless of the management systems in place within the
organization.
5.3.2 Define roles & responsibilities for the preliminary ISMS scope
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
a) output from Activity 5.3.1 Develop the preliminary ISMS scope
b) list of stakeholders who will benefit from results of the ISMS project.
Guidance
In order to execute the ISMS project, the role of an organization for the project should be determined. The role
generally is different at each organization, because of the number of people dealing with information security.
The organizational structure and resources for information security vary with the size, type and structure of the
organization. For example, in a smaller organization, several roles may be carried out by the same person.
However, man
...

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Smernice za izvedbo sistema upravljanja informacijske varnostiTechnologies de l'information - Techniques de sécurité - Lignes directrices pour la mise en oeuvre du système de management de la sécurité de l'informationInformation technology - Security techniques - Information security management system implementation guidance35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:Ta slovenski standard je istoveten z:ISO/IEC 27003:2010oSIST ISO/IEC 27003:2010en01-december-2010oSIST ISO/IEC 27003:2010SLOVENSKI
STANDARD



oSIST ISO/IEC 27003:2010



Reference numberISO/IEC 27003:2010(E)© ISO/IEC 2010
INTERNATIONAL STANDARD ISO/IEC27003First edition2010-02-01Information technology — Security techniques — Information security management system implementation guidance Technologies de l'information — Techniques de sécurité — Lignes directrices pour la mise en œuvre du système de management de la sécurité de l'information
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
©
ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved iii Contents Page Foreword.iv Introduction.v 1 Scope.1 2 Normative references.1 3 Terms and definitions.1 4 Structure of this International Standard.2 4.1 General structure of clauses.2 4.2 General structure of a clause.3 4.3 Diagrams.3 5 Obtaining management approval for initiating an ISMS project.5 5.1 Overview of obtaining management approval for initiating an ISMS project.5 5.2 Clarify the organization’s priorities to develop an ISMS.7 5.3 Define the preliminary ISMS scope.9 5.4 Create the business case and the project plan for management approval.11 6 Defining ISMS scope, boundaries and ISMS policy.12 6.1 Overview of defining ISMS scope, boundaries and ISMS policy.12 6.2 Define organizational scope and boundaries.15 6.3 Define information communication technology (ICT) scope and boundaries.16 6.4 Define physical scope and boundaries.17 6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries.18 6.6 Develop the ISMS policy and obtain approval from management.19 7 Conducting information security requirements analysis.20 7.1 Overview of conducting information security requirements analysis.20 7.2 Define information security requirements for the ISMS process.22 7.3 Identify assets within the ISMS scope.23 7.4 Conduct an information security assessment.24 8 Conducting risk assessment and planning risk treatment.25 8.1 Overview of conducting risk assessment and planning risk treatment.25 8.2 Conduct risk assessment.27 8.3 Select the control objectives and controls.28 8.4 Obtain management authorization for implementing and operating an ISMS.29 9 Designing the ISMS.30 9.1 Overview of designing the ISMS.30 9.2 Design organizational information security.33 9.3 Design ICT and physical information security.38 9.4 Design ISMS specific information security.40 9.5 Produce the final ISMS project plan.44 Annex A (informative)
Checklist description.45 Annex B (informative)
Roles and responsibilities for Information Security.51 Annex C (informative)
Information about Internal Auditing.55 Annex D (informative)
Structure of policies.57 Annex E (informative)
Monitoring and measuring.62 Bibliography.68
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) iv © ISO/IEC 2010 – All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved v Introduction The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project. The process described within this International Standard has been designed to provide support of the implementation of ISO/IEC 27001:2005; (relevant parts from Clauses 4, 5, and 7 inclusive) and document: a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval, b) the critical activities for the ISMS project and, c) examples to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization. This International Standard does not cover the operational activities and other ISMS activities, but covers the concepts on how to design the activities which will result after the ISMS operations begin. The concept results in the final ISMS project implementation plan. The actual execution of the organizational specific part of an ISMS project is outside the scope of this International Standard. The implementation of the ISMS project should be carried out using standard project management methodologies (for more information please see ISO and ISO/IEC Standards addressing project management).
oSIST ISO/IEC 27003:2010



oSIST ISO/IEC 27003:2010



INTERNATIONAL STANDARD ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 1 Information technology — Security techniques — Information security management system implementation guidance 1 Scope This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan. This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large-scale or complex organizations might find that a layered organization or management system is needed to manage the activities in this International Standard effectively. However, in both cases, the relevant activities can be planned by applying this International Standard. This International Standard gives recommendations and explanations; it does not specify any requirements. This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009, ISO/IEC 27001:2005 and the following apply. 3.1 ISMS project structured activities undertaken by an organization to implement an ISMS oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) 2 © ISO/IEC 2010 – All rights reserved 4 Structure of this International Standard 4.1 General structure of clauses The implementation of an ISMS is an important activity and is generally executed as a project in an organization. This document explains the ISMS implementation by focusing on the initiation, planning, and definition of the project. The process of planning the ISMS final implementation contains five phases and each phase is represented by a separate clause. All clauses have a similar structure, as described below. The five phases are: a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6) c) Conducting Organization Analysis (Clause 7) d) Conducting Risk Assessment and Risk Treatment planning (Clause 8) e) Designing the ISMS (Clause 9) Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and main output documents.
Figure 1 — ISMS project phases Further information is noted in the annexes. These annexes are: Annex A. Summary of activities with references according to ISO/IEC 27001:2005 Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits Annex D. Structure of policies Annex E. Information on planning of monitoring and measuring oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 3 4.2 General structure of a clause Each clause contains: a) one or more objectives stating what is to be achieved noted in the beginning of each clause in a text box; and b) one or more activities necessary to achieve the phase objective or objectives. Each activity is described in a subclause. Activity descriptions in each subclause are structured as follows: Activity The activity defines what is necessary to satisfy this activity which achieves all or part of the phase objectives. Input The input describes the starting point, such as the existence of documented decisions or outputs from other activities described in this International Standard. Inputs could either be referred to as the complete output from an activity just stating the relevant clause or specific information from an activity may be added after the clause reference. Guidance The guidance provides detailed information to enable performing this activity. Some of the guidance may not be suitable in all cases and other ways of achieving the results may be more appropriate. Output The output describes the result(s) or deliverable(s), upon completion of the activity; e.g. a document. The outputs are the same, independent of the size of the organization or the ISMS scope. Other information The other information provides any additional information that may assist in performing the activity, for example references to other standards. NOTE The phases and activities described in this document include a suggested sequence of performing activities based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However, depending on many different factors (e.g., effectiveness of management system currently in place, understanding with regard to the importance of information security, reasons for implementing an ISMS), an organization may select any activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams A project is often illustrated in graphical or diagram form showing an overview of activities and outputs.
Figure 2 illustrates the legend of diagrams which are illustrated in an overview subclause of each phase. The diagrams provide a high level overview of the activities included in each phase.
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) 4 © ISO/IEC 2010 – All rights reserved
Figure 2 — Flow diagram legend
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 5 The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific clause is then emphasized with its key output documents. The lower diagram (activities of the phase) includes the key activities which are included in the emphasized phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square. Activity A and Activity B can be executed at the same time. Activity C should be started after Activity A and B is finished. 5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project There are several factors that should be taken into consideration when deciding to implement an ISMS. In order to address these factors, management should understand the business case of an ISMS implementation project and approve it. Therefore the objective of this phase is: Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan. In order to acquire management approval, an organization should create a business case which includes the priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS. The initial ISMS project plan should also be created. The work performed in this phase will enable the organization to understand the relevance of an ISMS, and clarify the information security roles and responsibilities within the organization needed for an ISMS project. The expected output of this phase will be the preliminary management approval of, and commitment to implement, an ISMS and performing the activities described in this International Standard. The deliverables from this clause include a business case and a draft ISMS project plan with key milestones. Figure 3 illustrates the process to obtain management approval to initiate the ISMS project. NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in this document.
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) 6 © ISO/IEC 2010 – All rights reserved
Figure 3 — Overview of obtaining management approval for initiating an ISMS project
oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 7 5.2 Clarify the organization’s priorities to develop an ISMS Activity The objectives to implement an ISMS should be included by considering the organization’s information security priorities and requirements. Input a) the organization’s strategic objectives b) overview of the existing management systems c) a list of legal, regulatory, and contractual information security requirements applicable to the organization Guidance In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that should be performed is to collect the relevant information illustrating the value of an ISMS to the organization. The organization should clarify why an ISMS is needed and decide the objectives of the ISMS implementation and initiate the ISMS Project. The objectives for implementing an ISMS can be determined by answering the following questions: a) risk management – How will an ISMS generate better management of information security risks? b) efficiency – How can an ISMS improve the management of information security? c) business advantage – How can an ISMS create competitive advantage for the organization? In order to answer the questions above, the organization’s security priorities and requirements are addressed by the following possible factors: a) critical businesses and organization areas: 1. What are the critical businesses and organizational areas? 2. Which organizational areas provide the business and with what focus?
3. What third party relationships and agreements exist? 4. Are there any services that have been outsourced? b) sensitive or valuable information: 1. What information is critical to the organization? 2. What would be the likely consequences if certain information were to be disclosed to unauthorized parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures: 1. What laws relating to risk treatment or information security apply to the organization? 2. Is the organization part of a public global organization that is required to have external financial reporting? d) contractual or organizational agreements relating to information security: 1. What are the storage requirements (including the retention periods) for data storage? 2. Are there any contractual requirements relating to privacy or quality (e.g. service level agreement-SLA)? oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) 8 © ISO/IEC 2010 – All rights reserved e) industry requirements which specify particular information security controls or measures: 1. What sector-specific requirements apply to the organization? f) The threat environment: 1. What kind of protection is needed, and against what threats? 2. What are the distinct categories of information that require protection? 3. What are the distinct types of information activities that need to be protected? g) Competitive Drivers: 1. What are the minimum market requirements for information security? 2. What additional information security controls should provide a competitive advantage for the organization? h) Business continuity requirements
1. What are the critical business processes? 2. How long can the organization tolerate interruptions to each critical business process? The preliminary ISMS scope can be determined by responding to the information above. This is also needed in order to create a business case and overall ISMS project plan for management approval. The detailed ISMS scope will be defined during the ISMS project. The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the characteristics of the business, the organization, its location, assets and technology. The resulting information from the above supports this determination. Some topics which should be considered when making the initial decisions regarding scope include: a) What are the mandates for information security management established by organizational management and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g. people in different subsidiaries or different departments)? c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or through the corporate intranet)? d) Can the current management systems support the organization’s needs? Is it fully operational, well maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include: a) facilitating business continuity and disaster recovery b) improving resilience to incidents c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards e) enabling organizational evolution and position f) reducing costs of security controls g) protecting assets of strategic value h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) © ISO/IEC 2010 – All rights reserved 9 Output The deliverables of this activity are: a) a document summarizing the objectives, information security priorities, and organizational requirements for an ISMS. b) a list of regulatory, contractual, and industry requirements related to the information security of the organization. c) Outlined characteristics of the business, the organization, its location, assets, and technology. Other information ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005. 5.3 Define the preliminary ISMS scope 5.3.1 Develop the preliminary ISMS scope Activity The objectives to implement ISMS should include the preliminary ISMS scope definition, which is necessary for the ISMS project. Input Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS. Guidance In order to execute the ISMS implementation project, the structure of an organization for the ISMS should be defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for implementation decisions, and to support further activities. The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for management approval. The output from this stage will be a document defining the preliminary scope of the ISMS, which includes: a) a summary of the mandates for information security management established by organizational management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and geographic locations to which the ISMS will be applied.
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology. The common elements and the operational differences between the processes of any existing management system(s) and the proposed ISMS should be identified. Output The deliverable is a document which describes the preliminary scope of the ISMS. oSIST ISO/IEC 27003:2010



ISO/IEC 27003:2010(E) 10 © ISO/IEC 2010 – All rights reserved Other information No other specific information. NOTE Special attention should be drawn that in case of certification specific documentation requirements of ISO/IEC 27001:2005 as for the ISMS scope are to be fulfilled regardless of the management systems in place within the organization. 5.3.2 Define roles & responsibilities for the preliminary ISMS scope Activity The overall roles and responsibilities for the preliminary ISMS scope should be defined. Input a) output from Activity 5.3.1 Develop the preliminary ISMS scope
b) list of stakeholders who will benefit from results of the ISMS project. Guidance In order to execute the ISMS project, the role of an organization for the project should be determined. The role generally is different at each organization, because of the number of people dealing with information security. The organizational structure and resources for information security vary with the size, type and structure of the organization. For example, in a smaller organization, several roles may be carried out by the same person. However, management should explicitly identify the role (typically Chief Information Security Officer, Information Security Manager or similar) with overall responsibility for managing
...

SLOVENSKI SIST ISO/IEC 27003

STANDARD
marec 2011











Informacijska tehnologija – Varnostne tehnike – Smernice za izvedbo
sistema upravljanja informacijske varnosti

Information technology – Security techniques – Information security management
system implementation guidance

Technologies de l'information – Techniques de sécurité – Lignes directrices pour
la mise en oeuvre du système de management de la sécurité de l'information
























Referenčna oznaka
ICS 35.040 SIST ISO/IEC 27003:2011 (sl)


Nadaljevanje na straneh 2 do 65



© 2014-03: Slovenski inštitut za standardizacijo. Razmnoževanje ali kopiranje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ISO/IEC 27003 : 2011
NACIONALNI UVOD

Standard SIST ISO/IEC 27003 (sl), Informacijska tehnologija – Varnostne tehnike – Smernice za
izvedbo sistema upravljanja informacijske varnosti, 2011, ima status slovenskega standarda in je
istoveten mednarodnemu standardu ISO/IEC 27003 (en), Information technology – Security
techniques – Information security management system implementation guidance, 2010-02-01.

NACIONALNI PREDGOVOR

Mednarodni standard ISO/IEC 27003:2010 je pripravil pododbor združenega tehničnega odbora
Mednarodne organizacije za standardizacijo in Mednarodne elektrotehniške komisije ISO/IEC JTC
1/SC 27 Varnostne tehnike v informacijski tehnologiji.

Slovenski standard SIST ISO/IEC 27003:2011 je prevod mednarodnega standarda ISO/IEC
27003:2010. Slovenski standard SIST ISO/IEC 27003:2011 je pripravil tehnični odbor SIST/TC ITC
Informacijska tehnologija. V primeru spora glede besedila slovenskega prevoda je odločilen izvirni
mednarodni standard v angleškem jeziku.

Odločitev za izdajo tega standarda je dne 25. november 2010 sprejel SIST/TC ITC Informacijska
tehnologija.

ZVEZA Z NACIONALNIMI STANDARDI

SIST ISO/IEC 27000:2011 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Pregled in izrazoslovje

SIST ISO/IEC 27001:2005 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Zahteve (nadomeščen s SIST ISO/IEC
27001:2013)

OSNOVA ZA IZDAJO STANDARDA

– privzem standarda ISO/IEC 27003:2010

OPOMBI

– Povsod, kjer se v besedilu standarda uporablja izraz “mednarodni standard”, v SIST ISO/IEC
27003:2011 to pomeni “slovenski standard”.

– Nacionalni uvod in nacionalni predgovor nista sestavni del standarda.
2

---------------------- Page: 2 ----------------------

SIST ISO/IEC 27003 : 2011
Vsebina Stran
Predgovor .5
Uvod .6
1 Področje uporabe .7
2 Zveza s standardi .7
3 Izrazi in definicije .7
4 Struktura tega mednarodnega standarda.7
4.1 Splošna struktura poglavij .7
4.2 Splošna struktura točke.8
4.3 Diagrami .9
5 Pridobitev odobritve vodstva za uvedbo projekta SUIV .11
5.1 Pregled pridobivanja odobritve vodstva za uvedbo projekta SUIV .11
5.2 Razjasniti prioritete organizacije pri razvoju SUIV .13
5.3 Določiti izhodiščni obseg SUIV.15
5.3.1 Pripraviti izhodiščni obseg SUIV .15
5.3.2 Določiti vloge in odgovornosti za izhodiščni obseg SUIV.15
5.4 Ustvariti poslovni razlog in načrt projekta za odobritev vodstva .16
6 Opredelitev obsega in meja SUIV ter politike SUIV .18
6.1 Pregled opredelitve obsega in meja SUIV ter politike SUIV.18
6.2 Določiti organizacijski obseg in meje.20
6.3 Določiti obseg in meje informacijsko-komunikacijske tehnologije (IKT).21
6.4 Določiti fizični obseg in meje .22
6.5 Povezati vse obsege in meje za pridobitev obsega in meja SUIV .22
6.6 Pripraviti politiko SUIV in pridobiti odobritev vodstva .23
7 Izvedba analize zahtev informacijske varnosti .24
7.1 Pregled izvedbe analize zahtev informacijske varnosti.24
7.2 Določiti zahteve informacijske varnosti za proces SUIV .26
7.3 Prepoznati dobrine v obsegu SUIV .27
7.4 Izvesti ocenjevanje informacijske varnosti .27
8 Izvedba ocenjevanja tveganj in načrtovanje obravnavanja tveganj .29
8.1 Pregled izvedbe ocenjevanja tveganj in načrtovanja obravnave tveganj.29
8.2 Izvesti ocenjevanje tveganj .31
8.3 Izbrati cilje kontrol in kontrole .32
8.4 Pridobiti pooblastilo vodstva za izvedbo in delovanje SUIV.32
9 Snovanje SUIV .33
9.1 Pregled snovanja SUIV .33
9.2 Zasnovati organizacijsko informacijsko varnost .36
9.2.1 Zasnovati končno organizacijsko strukturo za informacijsko varnost .36
9.2.2 Zasnovati okvir dokumentacije SUIV.37
9.2.3 Zasnovati politiko informacijske varnosti.38
3

---------------------- Page: 3 ----------------------

SIST ISO/IEC 27003 : 2011
9.2.4 Pripraviti standarde in postopke informacijske varnosti .39
9.3 Zasnovati informacijsko varnost IKT in fizično informacijsko varnost .40
9.4 Zasnovati informacijsko varnost, specifično za SUIV.42
9.4.1 Načrtovati vodstvene preglede.42
9.4.2 Zasnovati program ozaveščanja, usposabljanja in izobraževanja o informacijski varnosti .43
9.5 Pripraviti končni načrt projekta SUIV.45
Dodatek A (informativni): Opis kontrolnega seznama.46
Dodatek B (informativni): Vloge in odgovornosti v zvezi z informacijsko varnostjo .50
Dodatek C (informativni): Informacije o notranjem presojanju .54
Dodatek D (informativni): Struktura politik.56
Dodatek E (informativni): Spremljanje in merjenje .60
Literatura.65
4

---------------------- Page: 4 ----------------------

SIST ISO/IEC 27003 : 2011
Predgovor

ISO (Mednarodna organizacija za standardizacijo) in IEC (Mednarodna elektrotehniška komisija)
tvorita specializiran sistem za svetovno standardizacijo. Nacionalni organi, ki so člani ISO ali IEC,
sodelujejo pri pripravi mednarodnih standardov prek tehničnih odborov, ki jih za obravnavanje
določenih strokovnih področij ustanovi ustrezna organizacija. Tehnični odbori ISO in IEC sodelujejo na
področjih skupnega interesa. Pri delu sodelujejo tudi druge mednarodne, vladne in nevladne
organizacije, povezane z ISO in IEC. Na področju informacijske tehnologije sta ISO in IEC vzpostavila
združeni tehnični odbor ISO/IEC JTC 1.

Osnutki mednarodnih standardov so pripravljeni v skladu s pravili iz 2. dela direktiv ISO/IEC.

Glavna naloga tehničnih odborov je priprava mednarodnih standardov. Osnutki mednarodnih
standardov, ki jih sprejmejo tehnični odbori, se pošljejo vsem članom v glasovanje. Za objavo
mednarodnega standarda je treba pridobiti soglasje najmanj 75 odstotkov članov, ki se udeležijo
glasovanja.

Opozoriti je treba na možnost, da so lahko nekateri elementi tega dokumenta predmet patentnih
pravic. ISO ne prevzema odgovornosti za identifikacijo nekaterih ali vseh takih patentnih pravic.

ISO/IEC 27003 je pripravil združeni tehnični odbor JTC ISO/IEC 1 Informacijska tehnologija, pododbor
SC 27 Varnostne tehnike IT.

5

---------------------- Page: 5 ----------------------

SIST ISO/IEC 27003 : 2011
Uvod

Namen tega mednarodnega standarda je zagotoviti praktične napotke pri razvoju načrta izvedbe
upravljavskega sistema za informacijsko varnost (SUIV) v organizaciji v skladu z ISO/IEC 27001:2005.
Dejanska izvedba SUIV se v splošnem izvrši kot projekt.

Proces, opisan v tem mednarodnem standardu, je bil zasnovan, da zagotovi podporo izvajanju
ISO/IEC 27001:2005 (ustrezni deli iz točk 4, 5 in vključujoč 7), in dokumentira:
a) pripravo začetka načrta izvedbe SUIV v organizaciji, opredelitev organizacijske projektne
strukture in pridobivanje odobritve vodstva,
b) kritične aktivnosti za projekt SUIV in
c) primere za doseganje zahtev v ISO/IEC 27001:2005.

Z uporabo tega mednarodnega standarda bo organizacija sposobna razviti proces upravljanja
informacijske varnosti in dajati zainteresiranim strankam zagotovila, da so tveganja informacijskih
dobrin nenehno vzdrževana v okviru sprejemljivih meja informacijske varnosti, kot jih je opredelila
organizacija.

Ta mednarodni standard ne obravnava operativnih aktivnosti in drugih aktivnosti SUIV, zajema pa
koncepte, kako zasnovati aktivnosti, ki se bodo izvajale po začetku delovanja SUIV. Koncept se kaže
v končnem projektnem načrtu izvedbe SUIV. Dejanska izvršitev specifičnih delov projekta SUIV
organizacije je zunaj področja uporabe tega mednarodnega standarda.

Izvedba projekta SUIV naj se izvaja z uporabo standardnih metodologij projektnega vodenja (več
informacij je navedenih v standardih ISO in ISO/IEC v zvezi s projektnim vodenjem).



6

---------------------- Page: 6 ----------------------

SIST ISO/IEC 27003 : 2011
Informacijska tehnologija – Varnostne tehnike – Smernice za izvedbo sistema
upravljanja informacijske varnosti
1 Področje uporabe
Ta mednarodni standard se osredotoča na kritične vidike, ki so potrebni za uspešno zasnovo in
izvedbo sistema upravljanja informacijske varnosti (SUIV) v skladu z ISO/IEC 27001:2005. Opisuje
proces specifikacije in zasnove SUIV od začetka do izvajanja načrtov. Opisuje proces pridobivanja
odobritve vodstva za izvedbo SUIV, definira projekt izvedbe SUIV (v tem standardu poimenovan
projekt SUIV) in ponuja napotke, kako načrtovati projekt SUIV, kar se odraža v dokončanem načrtu
izvedbe projekta SUIV.

Ta mednarodni standard naj bi uporabljale organizacije, ki uvajajo SUIV. Primeren je za vse vrste
organizacij (na primer podjetja, vladne agencije, nepridobitne organizacije) vseh velikosti.
Kompleksnost in tveganja vsake organizacije so edinstveni in njene specifične zahteve bodo vodile
izvedbo SUIV. Manjše organizacije bodo ugotovile, da so aktivnosti, navedene v tem mednarodnem
standardu, primerne zanje in da jih je mogoče poenostaviti. Velike in kompleksne organizacije bodo
lahko ugotovile, da sta za učinkovito upravljanje aktivnosti iz tega mednarodnega standarda potrebna
nivojska organiziranost ali nivojski sistem upravljanja. Vendar je v obeh primerih mogoče ustrezne
aktivnosti načrtovati z uporabo tega mednarodnega standarda.

Ta mednarodni standard podaja priporočila in pojasnila; ne določa nobenih zahtev. Ta mednarodni
standard je namenjen, da se uporablja skupaj z ISO/IEC 27001:2005 in ISO/IEC 27002:2005, ni pa
namenjen spreminjanju in/ali zmanjševanju zahtev, danih v ISO/IEC 27001:2005, ali priporočil, danih v
ISO/IEC 27002:2005. Trditve o skladnosti s tem mednarodnim standardom niso ustrezne.

2 Zveza s standardi
Naslednja dokumenta sta nujna za uporabo tega dokumenta. Pri datiranem sklicevanju velja samo
navedena izdaja. Pri nedatiranem sklicevanju velja zadnja izdaja dokumenta, na katerega se nanaša
sklic (vključno z morebitnimi dopolnitvami).

ISO/IEC 27000:2009 Informacijska tehnologija – Varnostne tehnike – Sistem upravljanja informacijske
varnosti – Pregled in izrazoslovje
ISO/IEC 27001:2005 Informacijska tehnologija – Varnostne tehnike – Sistem upravljanja informacijske
varnosti – Zahteve

3 Izrazi in definicije
V tem dokumentu so uporabljeni izrazi in definicije, podani v nadaljevanju ter v ISO/IEC 27000:2009 in
ISO/IEC 27001:2005.

3.1
projekt SUIV
strukturirane aktivnosti, ki jih opravlja organizacija za izvajanje SUIV

4 Struktura tega mednarodnega standarda
4.1 Splošna struktura poglavij

Izvedba SUIV je pomembna aktivnost in se v splošnem izvaja kot projekt organizacije. Ta dokument
razlaga, kako izvesti SUIV z osredotočenjem na zasnovo, načrtovanje in opredelitev projekta. Proces
načrtovanja končne izvedbe SUIV vsebuje pet faz in vsaka faza je predstavljena v svoji točki. Vse
točke imajo podobno strukturo, kot je opisana spodaj. Pet faz je:
a) pridobitev odobritve vodstva za uvedbo projekta SUIV (točka 5),
b) opredelitev obsega SUIV in politike SUIV (točka 6),
7

---------------------- Page: 7 ----------------------

SIST ISO/IEC 27003 : 2011
c) izvedba analize organizacije (točka 7),
d) izvedba ocenjevanja tveganj in načrtovanje obravnave tveganj (točka 8),
e) snovanje SUIV (točka 9).

Slika 1 prikazuje pet faz načrtovanja projekta SUIV po standardih ISO/IEC ter glavne izhodne
dokumente.


Opredelitev
Pridobitev Izvedba
Izvedba analize

odobritve vodstva za obsega in meja ocenjevanja tveganj

zahtev informacijske
Snovanje SUIV
uvedbo projekta SUIV SUIV ter politike in načrtovanje

varnosti

SUIV obravnavanja

7
 9
5 6 tveganj 8


Odobritev Pisna
Zahteve Končni načrt
Obseg in
vodstva za zabeležka o
projekta izvedbe
informacijske
meje SUIV
uvedbo odobritvi vodstva
SUIV
varnosti
projekta SUIV za izvedbo SUIV



Načrt
Informacijske

Politika SUIV
obravnavanja
dobrine
tveganj



Rezultati IOP,

ocenjevanja
vključno s cilji kontrol
informacijske
in izbranimi

varnosti kontrolami

Čas


Slika 1: Faze projekta SUIV

Več informacij je navedenih v dodatkih. Ti dodatki so:
Dodatek A: Povzetek aktivnosti s sklici na ISO/IEC 27001:2005
Dodatek B: Vloge in odgovornosti v informacijski varnosti
Dodatek C: Informacije o načrtovanju notranjih presoj
Dodatek D: Struktura politik
Dodatek E: Informacije o načrtovanju spremljanja in merjenja

4.2 Splošna struktura točke

Vsaka točka vsebuje:
a) enega ali več ciljev, navedenih v okvirjenem besedilu na začetku vsake točke, ki navajajo, kaj naj
se doseže,
in
b) eno ali več aktivnosti, potrebnih za doseganje cilja ali ciljev te faze.

Vsaka aktivnost je opisana v podtočki.

Opisi aktivnosti v vsaki podtočki so strukturirani na naslednji način:

Aktivnost
Aktivnost določa, kaj je potrebno, da se zadovolji ta aktivnost in dosežejo vsi ali nekaj ciljev te faze.

8

---------------------- Page: 8 ----------------------

SIST ISO/IEC 27003 : 2011
Vhod
Vhod opiše začetno točko, kot je obstoj dokumentiranih odločitev ali izhodov iz drugih aktivnosti,
opisanih v tem mednarodnem standardu. Vhodi so lahko ali sklici na celovit izhod neke aktivnosti z
navedbo ustrezne točke ali pa specifična informacija iz aktivnosti, dodana po sklicu na točko.

Napotki
Napotki dajejo podrobne informacije za omogočitev opravljanja te aktivnosti. Nekateri napotki morda
niso ustrezni v vseh primerih in so lahko primernejši drugi načini doseganja rezultatov.

Izhod
Izhod opisuje rezultat(-e) ali izdelek(-ke) po končanju aktivnosti, na primer dokument. Izhodi so enaki
ne glede na velikost organizacije ali obseg SUIV.

Druge informacije
Druge informacije dajejo morebitne dodatne informacije, ki lahko pomagajo pri opravljanju aktivnosti,
na primer sklici na druge standarde.

OPOMBA: Faze in aktivnosti, opisane v tem dokumentu, vključujejo predlagano zaporedje opravljanja aktivnosti, ki
temeljijo na odvisnostih, ugotovljenih na podlagi opisov vhodov in izhodov vsake aktivnosti. Vendar lahko
organizacija v odvisnosti od mnogih različnih dejavnikov (na primer uspešnosti sistema upravljanja, ki je
trenutno v uporabi, razumevanja glede pomembnosti informacijske varnosti, razlogov za izvedbo SUIV) izbere
katero koli aktivnost v katerem koli vrstnem redu, kot je to potrebno za vzpostavitev in izvedbo SUIV.

4.3 Diagrami

Projekt je pogosto prikazan v grafični obliki ali z diagramom, tako da je prikazan pregled aktivnosti in
izhodov.

Slika 2 prikazuje legendo diagramov, ki so prikazani v podtočki pregleda vsake faze. Diagrami nudijo
splošen pregled aktivnosti, vključenih v vsaki fazi.
9

---------------------- Page: 9 ----------------------

SIST ISO/IEC 27003 : 2011
Faza načrtovanja projekta SUIV


Faza
Faza
Faza
Obseg in meje



SUIV


Politika SUIV

x
y
z


Dokument



Dokument




Čas





Aktivnosti v vsaki fazi


Aktivnost




A

•• •


Dokument



•

•

•

Dokument







Aktivnost Aktivnost



B C

•• • •• •


Dokument Dokument



• •

• •

• •

Dokument Dokument



Čas




Slika 2: Legenda diagrama pretoka
10

---------------------- Page: 10 ----------------------

SIST ISO/IEC 27003 : 2011
Zgornji kvadratek prikazuje faze načrtovanja projekta SUIV. Faza, pojasnjena v posamezni točki, je
nato poudarjena z njenimi glavnimi izhodnimi dokumenti.

Spodnji diagram (aktivnosti te faze) vključuje glavne aktivnosti, ki so vključene v poudarjeno fazo
zgornjega kvadratka, in glavne izhodne dokumente vsake aktivnosti.

Potek časa v spodnjem kvadratku temelji na poteku časa v zgornjem kvadratku.

Aktivnost A in aktivnost B sta lahko izvršeni hkrati. Aktivnost C naj se začne po koncu aktivnosti A in B.

5 Pridobitev odobritve vodstva za uvedbo projekta SUIV
5.1 Pregled pridobivanja odobritve vodstva za uvedbo projekta SUIV

Ko se odloča o izvedbi SUIV, naj se upoštevajo številni dejavniki. Za upoštevanje teh dejavnikov naj
vodstvo razume poslovni razlog izvedbe projekta SUIV in naj ga odobri. Tako je cilj te faze:

Cilj:
Pridobiti odobritev vodstva za začetek projekta SUIV z opredelitvijo poslovnega razloga in načrta
projekta.

Da organizacija pridobi odobritev vodstva, naj pripravi poslovni razlog, ki vključuje prednostne naloge
in cilje za izvedbo SUIV kot dodatek k strukturi organiziranosti SUIV. Pripravi naj tudi začetni načrt
projekta SUIV.

Delo, opravljeno v tej fazi, bo omogočilo organizaciji razumeti pomembnost SUIV ter razjasnilo vloge
in odgovornosti informacijske varnosti v organizaciji, potrebne za projekt SUIV.

Pričakovani izhod iz te faze bosta predhodna odobritev vodstva ter njegova zavezanost k izvedbi
SUIV in opravljanju aktivnosti, opisanih v tem mednarodnem standardu. Izdelki te točke vključujejo
poslovni razlog in osnutek načrta projekta SUIV z glavnimi mejniki.

Slika 3 prikazuje proces pridobivanja odobritve vodstva za uvedbo projekta SUIV.

OPOMBA: Izhod točke 5 (dokumentirana zavezanost vodstva k načrtovanju in izvedbi SUIV) in eden od izhodov točke 7
(povzemanje dokumentov s statusom informacijske varnosti) nista zahtevi ISO/IEC 27001:2005. Vendar sta ta
dva izhoda priporočena vhoda za druge aktivnosti, opisane v tem dokumentu.
11

---------------------- Page: 11 ----------------------

SIST ISO/IEC 27003 : 2011

Pridobitev Izvedba
Opredelitev
Izvedba analize
odobritve vodstva obsega in meja ocenjevanja tveganj

zahtev informacijske
za uvedbo projekta in načrtovanje Snovanje SUIV
SUIV ter politike
varnosti

SUIV obravnavanja
SUIV
7
 9
5 6 tveganj 8
Odobritev

vodstva za
uvedbo projekta
SUIV

Čas


Razjasniti
prioritete
organizacije pri

razvoju SUIV
5.2

Povzetek

ciljev SUIV

Seznam

omejitev iz
predpisov in pogodb ter
industrijsko-panožnih

omejitev, ki vplivajo na
informacijsko
varnost organizacije


Podane
poslovne

značilnosti Določiti vloge in
Določiti Pripraviti
odgovornosti za
izhodiščni
izhodiščni
izhodiščni obseg
obseg SUIV obseg SUIV
SUIV
5.3.1
5.3 5.3.2

Ustvariti
Podane
Opis vlog in
poslovni razlog in
poslovne odgovornosti za
načrt projekta za
značilnosti
izvedbo SUIV
odobritev vodstva

5.4

Poslovni
razlog


Predlog
projekta

SUIV

Odobritev
projekta

SUIV

Čas


Slika 3: Pregled pridobivanja odobritve vodstva za začetek projekta SUIV
12

---------------------- Page: 12 ----------------------

SIST ISO/IEC 27003 : 2011
5.2 Razjasniti prioritete organizacije pri razvoju SUIV

Aktivnost
Na podlagi določitve prioritet in zahtev informacijske varnosti organizacije naj se vključijo cilji izvedbe
SUIV.

Vhod
a) Strateški cilji organizacije,
b) pregled obstoječih sistemov upravljanja,
c) seznam zakonodajnih, regulatornih in pogodbenih zahtev informacijske varnosti, ki veljajo za
organizacijo.

Napotki
Za začetek projekta SUIV je v splošnem potrebna odobritev vodstva. Zato je prva aktivnost, ki naj se
opravi, zbiranje ustreznih informacij, ki prikazujejo pomen SUIV za organizacijo. Organizacija naj
razjasni, zakaj potrebuje SUIV, določi cilje izvedbe SUIV in zasnuje projekt SUIV.

Cilje izvedbe SUIV je mogoče določiti z odgovori na naslednja vprašanja:
a) upravljanje tveganj – kako bo SUIV izboljšal upravljanje informacijskih varnostnih tveganj,
b) učinkovitost – kako je mogoče s SUIV izboljšati upravljanje informacijske varnosti,
c) poslovne prednosti – kako je s SUIV mogoče ustvariti konkurenčno prednost za organizacijo.
Da organizacija odgovori na gornja vprašanja, upošteva pri prioritetah in varnostnih zahtevah
naslednje možne dejavnike:
a) kritična poslovna in organizacijska področja:
1. Katera poslovna in organizacijska področja so kritična?
2. Katera organizacijska področja ustvarjajo posel in na kaj so osredotočena?
3. Kateri odnosi in sporazumi s tretjimi strankami obstajajo?
4. Ali obstajajo storitve v zunanjem izvajanju?
b) občutljive in dragocene informacije:
1. Katere informacije so kritične za organizacijo?
2. Kakšne bi bile verjetne posledice, če bi se določene informacije razkrile nepooblaščenim
osebam (na primer izguba konkurenčne prednosti, škoda za blagovne znamke in ugled,
pravni postopki itd.)?
c) zakoni, ki določajo ukrepe na področju informacijske varnosti:
1. Kateri zakoni, ki se nanašajo na obravnavo tveganj ali informacijsko varnost, veljajo za
organizacijo?
2. Ali je organizacija del javne globalne organizacije, za katero veljajo zahteve za zunanje
finančno poročanje?
d) pogodbeni ali organizacijski sporazumi v zvezi z informacijsko varnostjo:
1. Kakšne so zahteve za hrambo podatkov (vključujoč roke hrambe)?
2. Ali obstajajo pogodbene zahteve, ki se nanašajo na zasebnost ali kakovost (na primer
sporazumi o ravni storitev – SLA)?
e) industrijsko-panožne zahteve, ki določajo posebne kontrole in ukrepe za informacijsko varnost:
1. Katere specifične panožne zahteve veljajo za organizacijo?
13

---------------------- Page: 13 ----------------------

SIST ISO/IEC 27003 : 2011
f) okolje groženj:
1. Kakšna zaščita je potrebna in proti katerim grožnjam?
2. Katere različne kategorije informacij zahtevajo zaščito?
3. Katere različne informacijske aktivnosti morajo biti zaščitene?
g) konkurenčne gonilne sile:
1. Katere so na trgu minimalne zahteve informacijske varnosti?
2. Katere dodatne kontrole informacijske varnosti naj bi omogočale konkurenčno prednost za
organizacijo?
h) zahteve za neprekinjeno poslovanje:
1. Kateri poslovni procesi so kritični?
2. Kako dolgo lahko organizacija prenaša prekinitve posameznih kritičnih poslovnih procesov?

Na podlagi odgovorov na gornje informacije je mogoče določiti izhodiščni obseg SUIV. Ta je potreben
tudi za postavitev poslovnega razloga in celovitega načrta projekta SUIV za pridobitev odobritve
vodstva. Podroben obseg SUIV bo določen med izvajanjem projekta SUIV.

Zahteve, navedene v ISO/IEC 27001:2005, točka 4.2.1.a), postavljajo obseg glede na značilnosti
poslovanja, organizacije, njene lokacije, dobrin in tehnologije. Iz tega izhajajoče informacije podpirajo
to določitev.

Pri postavljanju začetnih odločitev o obsegu naj se razmisli o temah, med katerimi so:
a) Katere naloge vodstvo organizacije postavlja vodstvu informacijske varnosti in katere so zunanje
obveznosti organizacije?
b) Ali je odgovornost za predlagane sisteme v obsegu naložena več kot eni vodstveni ekipi (na
primer ljudem v različnih hčerinskih družbah ali oddelkih)?
c) Kako se bodo dokumenti v zvezi s SUIV razširjali po organizaciji (na primer na papirju ali z
intranetom organizacije)?
d) Ali lahko sedanji sistemi upravljanja podpirajo potrebe organizacije? Ali so v celoti operativni,
dobro vzdrževani in delujejo, kot je bilo zamišljeno?

Primeri ciljev vodstva, ki so lahko uporabljeni kot vhod za določitev izhodiščnega obsega SUIV,
vključujejo:
a) spodbujanje neprekinjenega poslovanja in okrevanja po katastrofi,
b) izboljševanje odpornosti proti incidentom,
c) obravnavanje zakonskih/pogodbenih zahtev/obveznosti,
d) omogočanje certificiranja po standardih ISO/IEC,
e) omogočanje razvoja in položaja organizacije,
f) zmanjševanje cene varnostnih kontrol,
g) zaščito dobrin s strateško vrednostjo,
h) ustanovitev zdravega in uspešnega okolja notranjih kontrol,
i) zagotavljanje zainteresiranim strankam, da so informacijske dobrine ustrezno zaščitene.

Izhod
Izdelki te aktivnosti so:
a) dokument, ki povzema cilje, prioritete informacijske varnosti in organizacijske zahteve za SUIV,
14

---------------------- Page: 14 ----------------------

SIST ISO/IEC 27003 : 2011
b) seznam zakonodajnih, pogodbenih in industrijsko-panožnih zahtev v zvezi z informacijsko
varnostjo organizacije,
c) podane značilnosti poslovanja, organizacije, njene lokacije, dobrin in tehnologije.

Druge informacije
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.

5.3 Določiti izhodiščni obseg SUIV

5.3.1 Pripraviti izhodiščni obseg SUIV

Aktivnost
Cilji izvedbe SUIV naj vključujejo določitev izhodiščnega obsega SUIV, ki je potreben za projekt SUIV.

Vhod
Izhod iz aktivnosti 5.2 Razjasniti prioritete organizacije pri razvoju SUIV

Napotki
Da bi projekt izvedbe SUIV potekal, naj se določi struktura organizacije SUIV. Sedaj naj se določi
izhodiščni obseg SUIV, da se vodstvu zagotovijo napotki za izvedbene odločitve in da se podprejo
aktivnosti, ki sledijo.

Izhodiščni obseg SUIV je potreben za ustvarjanje poslovnega razloga in predloga načrta projekta za
odobritev vodstva.

Izhod tega koraka bo dokument, ki določa izhodiščni obseg SUIV in vključuje:
a) povzetek nalog, ki jih vodstvo organizacije podaja vodstvu informacijske varnosti, zunanjih
obveznosti organizacije,
b) opis, kako področje(-a) v obsegu sodeluje(-jo) z drugimi sistemi upravljanja,
c) seznam poslovnih ciljev vodstva informacijske varnosti (ko
...