Organization and digitization of information about buildings and civil engineering works, including building information modelling (BIM) — Information management using building information modelling — Part 5: Security-minded approach to information management

This document specifies the principles and requirements for security-minded information management at a stage of maturity described as "building information modelling (BIM) according to the ISO 19650 series", and as defined in ISO 19650-1, as well as the security-minded management of sensitive information that is obtained, created, processed and stored as part of, or in relation to, any other initiative, project, asset, product or service. It addresses the steps required to create and cultivate an appropriate and proportionate security mindset and culture across organizations with access to sensitive information, including the need to monitor and audit compliance. The approach outlined is applicable throughout the lifecycle of an initiative, project, asset, product or service, whether planned or existing, where sensitive information is obtained, created, processed and/or stored. This document is intended for use by any organization involved in the use of information management and technologies in the creation, design, construction, manufacture, operation, management, modification, improvement, demolition and/or recycling of assets or products, as well as the provision of services, within the built environment. It will also be of interest and relevance to those organizations wishing to protect their commercial information, personal information and intellectual property.

ISO 19650-5:2020
ISO/FDIS 19650-5
Organization and digitization of information about buildings and civil engineering works, including building information modelling (BIM) — Information management using building information modelling — Part 5: Security-minded approach to information management
1 Scope
This document specifies the principles and requirements for security-minded information management at a stage of maturity described as “building information modelling (BIM) according to the ISO 19650 series”, and as defined in ISO 19650-1, as well as the security-minded management of sensitive information that is obtained, created, processed and stored as part of, or in relation to, any other initiative, project, asset, product or service.
It addresses the steps required to create and cultivate an appropriate and proportionate security mindset and culture across organizations with access to sensitive information, including the need to monitor and audit compliance.
The approach outlined is applicable throughout the lifecycle of an initiative, project, asset, product or service, whether planned or existing, where sensitive information is obtained, created, processed and/or stored.
This document is intended for use by any organization involved in the use of information management and technologies in the creation, design, construction, manufacture, operation, management, modification, improvement, demolition and/or recycling of assets or products, as well as the provision of services, within the built environment. It will also be of interest and relevance to those organizations wishing to protect their commercial information, personal information and intellectual property.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19650-2, Organization and digitization of information about buildings and civil engineering works, including building information modelling (BIM) — Information management using building information modelling — Part 2: Delivery phase of the assets
ISO 19650-3 1), Organization and digitization of information about buildings and civil engineering works, including building information modelling (BIM) — Information management using building information modelling — Part 3: Operational phase of assets
1) Under preparation. Stage at the time of publication: ISO/FDIS 19650-3:2020.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
© ISO 2020 – All rights reserved 1

ISO 19650-5:2020(E)
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
asset
item, thing or entity that has potential or actual value to an organization
Note 1 to entry: An asset can be fixed, mobile or movable. It can be an individual item of plant, a vehicle, a system of connected equipment, a space within a structure, a piece of land, an entire piece of infrastructure, an entire building, or a portfolio of assets including associated land or water. It can also comprise information in digital or in printed form.
Note 2 to entry: The value of an asset can vary throughout its life and an asset can still have value at the end of its life. Value can be tangible, intangible, financial or non-financial.
[SOURCE: ISO 55000:2014, 3.2.1, modified — The original notes 1, 2 and 3 to entry have been removed; new notes 1 and 2 to entry have been added.]
3.2
crowded place
location or environment to which members of the public have access that can be considered more at risk from a terrorist attack by virtue of its crowd density or the nature of the site
Note 1 to entry: Crowded places can include: sports stadia, arenas, festivals and music venues; hotels and restaurants; pubs, clubs, bars and casinos; high streets, shopping centres and markets; visitor attractions; cinemas and theatres; schools and universities; hospitals and places of worship; commercial centres; and transport hubs. They can also include events and public realm spaces such as parks and squares.
Note 2 to entry: A crowded place will not necessarily be crowded at all times — crowd densities can vary and can be temporary, as in the case of sporting events or open-air festivals.
3.3
metadata
data about data
3.4
need-to-know
legitimate requirement of a prospective recipient of information to know, to access, or to possess sensitive information (3.11)
3.5
risk appetite
amount and type of risk that an organization is willing to pursue or retain
[SOURCE: ISO 22300:2018, 3.202]
3.6
safety
state of relative freedom from threat (3.13) or harm caused by random, unintentional acts or events
3.7
security
state of relative freedom from threat (3.13) or harm caused by deliberate, unwanted, hostile or malicious acts
3.8
security breach
infraction or violation of security (3.7)
[SOURCE: ISO 14298:2013, 3.30]
3.9
security incident
suspicious act or circumstance threatening security (3.7)
3.10
security-mindedness
understanding and routinely applying appropriate and proportionate security (3.7) measures in any business situation so as to deter and/or disrupt hostile, malicious, fraudulent and criminal behaviours or activities
3.11
sensitive information
information the loss, misuse or modification of which, or unauthorized access to which, can:
— adversely affect the privacy, security (3.7) or safety (3.6) of an individual or individuals;
— compromise intellectual property or trade secrets of an organization;
— cause commercial or economic harm to an organization or country; and/or
— jeopardize the security, internal and foreign affairs of a nation
3.12
residual risk
risk that remains after controls have been implemented
[SOURCE: ISO 16530-1:2017, 3.52]
3.13
threat
potential cause of an incident which may result in harm
3.14
top management
person or group of people who directs and controls an organization at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
Note 2 to entry: In the context of this document, management should be regarded as the function, not the activity.
[SOURCE: ISO 9000:2015, 3.1.1, modified — The original notes 2 and 3 to entry have been removed; new note 2 to entry has been added.]
3.15
vulnerability
weakness that can be exploited to cause harm
4 Establishing the need for a security-minded approach using a sensitivity assessment process
4.1 Undertaking a sensitivity assessment process
The process for undertaking a sensitivity assessment is set out in 4.2 to 4.4.
4.2 Understanding the range of security risks
4.2.1 The top management of an organization involved in:
a) initiating a project to develop a new asset(s), product(s) or service(s) or modify/enhance an existing one;
b) managing, operating, re-purposing or disposing of an asset(s); and/or
c) the provision of an asset-based service(s),
shall determine the range of security risks that arise through greater availability of information, integration of services and systems, and the increased dependency on technology-based systems.
4.2.2 Information on the types of security risks that should be considered is contained in Annex A.
4.2.3 Where two or more organizations are involved, the top management of each organization shall follow 4.2.1 in a coordinated manner.
NOTE Such an arrangement of multiple organizations can occur in a city/community, a large, multi-purpose development or in the provision of a transport system.
4.3 Identifying organizational sensitivities
4.3.1 Taking into consideration the range of security risks that exist, the organization(s) cited in 4.2.1 and 4.2.3 shall determine whether an initiative, project, asset, product or service, as well as any associated information, in whole or in part, and whether planned or existing, shall be considered sensitive.
NOTE Wherever the term "organization(s)" is used in the remainder of this document, it refers to the organization(s) referred to in 4.2.1 and 4.2.3.
