oSIST ISO/IEC DIS 27000:2013
Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
ISO/IEC 27000:2014 provides the overview of information security management systems (ISMS), and terms and definitions commonly used in the ISMS family of standards.
It is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
Technologies de l'information -- Techniques de sécurité -- Systèmes de management de la sécurité de l'information -- Vue d'ensemble et vocabulaire
ISO/IEC 27000:2014 provides an overview of information security management systems, and of the terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organizations (for example: commercial enterprises, public bodies, not-for-profit organizations).
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazje
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 27000
Third edition
2014-01-15
Information technology. Security techniques. Information security management systems. Overview and vocabulary
Information technology – Security techniques – Information security
management systems – Overview and vocabulary
Responsibility for the preparation of the Russian version rests with GOST R
(Russian Federation) in accordance with Article 18.1 of the ISO Statutes
Reference number
ISO/IEC 27000:2014(R)
©
ISO/IEC 2014
---------------------- Page: 1 ----------------------
ISO/IEC 27000:2012(R)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without prior written permission from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office:
Case postale 56 • CH-1211 Geneva 20
Tel.: + 41 22 749 01 11
Fax: + 41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved
Contents Page
Foreword . iv
0 Introduction . v
1 Scope . 1
2 Terms and definitions . 1
3 Information security management systems . 15
3.1 Introduction . 15
3.2 What is an ISMS? . 16
3.3 Process approach . 18
3.4 Why an ISMS is important . 18
3.5 Establishing, monitoring, maintaining and improving an ISMS . 20
3.6 ISMS critical success factors . 23
3.7 Benefits of the ISMS family of standards . 24
4 ISMS family of standards . 24
4.1 General information . 24
4.2 Standards describing an overview and terminology . 25
4.3 Standards specifying requirements . 26
4.4 Standards containing general guidelines . 26
4.5 Standards containing guidelines for specific sectors of an organization . 29
Annex A (informative) Verbal forms for the expression of provisions . 31
Annex B (informative) Index of terms . 32
Bibliography . 36
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been technically revised.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of International Standards on information security management systems, otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of this family of standards, organizations can develop and implement a framework for managing the security of their information assets, including financial information, intellectual property and employee details, or confidential information entrusted to them by customers or third parties. The ISMS family of standards can also be used to prepare for an independent assessment of an ISMS that has already been implemented to protect information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to operate an ISMS effectively, and consists of the following International Standards, listed below in ascending numerical order under the general title Information technology. Security techniques:
⎯ ISO/IEC 27000, Information security management systems. Overview and vocabulary
⎯ ISO/IEC 27001, Information security management systems. Requirements
⎯ ISO/IEC 27002, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management. Measurement
⎯ ISO/IEC 27005, Information security risk management
⎯ ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
⎯ ISO/IEC 27007:2011, Guidelines for information security management systems auditing
⎯ ISO/IEC TR 27008, Guidelines for auditors on assessing information security controls
⎯ ISO/IEC 27010:2012, Guidelines for information security in inter-sector and inter-organizational communications
⎯ ISO/IEC 27011, Information security management guidelines for organizations offering telecommunications services, based on ISO/IEC 27002
⎯ ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
⎯ ISO/IEC FDIS 27014, Governance of information security
⎯ ISO/IEC TR 27015, Information security management guidelines for financial services
⎯ ISO/IEC TR 27016, Information security management. Organizational economics
NOTE The general title "Information technology. Security techniques" indicates that these standards were prepared by Subcommittee SC 27, IT Security techniques, of Joint Technical Committee ISO/IEC JTC 1, Information technology. Security techniques.
An International Standard not covered by the above general title is also part of the ISMS family of standards:
⎯ ISO 27799:2008, Health informatics. Information security management in health using ISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems and defines the related terms used in the field.
NOTE Annex A explains how verbal forms are used in the ISMS family of standards to express requirements and/or guidance.
The ISMS family includes standards that:
a) define requirements for an ISMS itself and for the bodies certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process of establishing, implementing, maintaining and improving an ISMS;
c) contain guidelines on using an ISMS within a particular sector of application; and
d) address conformity assessment for an ISMS.
The terms and definitions provided in this International Standard
⎯ cover the concepts and definitions most commonly used in the ISMS family of standards;
⎯ do not cover all terms and definitions applied within the ISMS family of standards; and
⎯ do not limit the ISMS family of standards in defining new terms for use.
INTERNATIONAL STANDARD ISO/IEC 27000:2014(R)
Information technology. Security techniques. Information security management systems. Overview and vocabulary
1 Scope
This International Standard provides an overview of information security management systems, as well as the commonly accepted terms and definitions used within the ISMS family of standards. This International Standard is applicable to organizations of all types and sizes (e.g. commercial enterprises, government agencies and not-for-profit organizations).
2 Terms and definitions
The terms and definitions used within this standard are given below.
2.1
access control
control intended to ensure that access to assets (2.4) is authorized and restricted in accordance with the established business requirements of the company and with security requirements
2.2
analytical model
algorithm or calculation combining one or more base measures (2.10) or derived measures (2.22) with associated decision criteria
2.3
attack
attempt to destroy, deliberately expose, alter, disable or steal an asset, or to gain unauthorized access to it or make unauthorized use of it
2.4
attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively by human or automated means
[SOURCE: ISO/IEC 15939:2007, English definition modified – the term "entity" has been replaced by the term "object"]
2.5
audit
documented, systematic and independent process (2.61) for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be internal (conducted by the first party), external (conducted by a second or third party), or combined (covering two or more disciplines).
Note 2 to entry: The terms "audit evidence" and "audit criteria" are defined in ISO 19011.
2.6
audit scope
extent and boundaries of an audit (2.5)
[SOURCE: ISO 19011:2011]
2.7
authentication
confirmation that a claimed characteristic of an entity is correct
2.8
authenticity
property that an entity is what it claims to be
2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it
[SOURCE: ISO/IEC 15939:2007]
NOTE A base measure is functionally independent of other measures.
2.11
competence
ability to apply knowledge and skills to achieve intended results
2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes (2.61)
2.13
conformity
fulfilment of a stated requirement (2.63)
Note 1 to entry: The term "conformance" is synonymous in English but is not recommended for use.
2.14
consequence
outcome of an event (2.25) affecting the achievement of objectives (2.56)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can lead to a whole range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.
Note 3 to entry: Consequences can be assessed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
means of modifying risk (2.68)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Controls include any process, policy, device, practice or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
2.17
control objective
statement in a document describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a detected nonconformity (2.53) and to prevent its recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.
2.21
decision criteria
thresholds, targets or patterns used to determine the need for action or further investigation of a situation, or the accepted level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]
2.22
derived measure
measure (2.47) that is defined as a function of two or more values of base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization (2.57), and the medium on which it is contained
Note 1 to entry: Documented information can be in any format, on any medium and from any source.
Note 2 to entry: Documented information can refer to:
─ the management system (2.46), including related processes (2.61);
─ the documentation created in order for the organization to operate (working documents);
─ evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can occur once or several times and can have several causes.
Note 2 to entry: An event can consist of something expected not happening.
Note 3 to entry: An event is sometimes referred to as an "incident" or "accident".
2.26
executive management
person or group of people to whom the governing body (2.29) has delegated authority for implementing the strategies and policies that accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called simply top management and can include chief executive officers, chief financial officers, chief information officers and similar roles.
2.27
external context
external environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having an impact on the objectives (2.56) of the organization (2.57); and
⎯ relationships with external stakeholders (2.82), and the interpretation of their behaviour and values.
2.28
governance of information security
prescribed course of action that sets out what is to be done, and how, to achieve the objectives established under the adopted strategies (2.57)
2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformance of the organization (2.57) with current requirements
2.30
indicator
measure (2.47) that provides a qualitative or quantitative evaluation of specified attributes (2.4) derived from an analytical model (2.2) with respect to defined information needs (2.31)
2.31
information need
insight required to determine the objectives, goals, risks and problems to be addressed
[SOURCE: ISO/IEC 15939:2007]
2.32
information processing facilities
any information processing system, its services and infrastructure, or the physical locations housing them
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note to entry: In addition, other properties such as authenticity (2.8), accountability, non-repudiation (2.54) and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.35
information security event
identified state of a system, service or network indicating a possible breach of information security policy, a failure of controls, or a previously unknown situation that may affect security
2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant probability of compromising business operations and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with and learning from information security incidents (2.36)
2.38
information sharing community
group of organizations that agree to share information
Note 1 to entry: An organization can be an individual.
2.39
information system
application, service, information technology asset or any other component intended for handling information
2.40
integrity
property of accuracy and completeness
2.41
interested party
individual or organization (2.57) that can affect, be affected by, or perceive itself to be affected by a decision or activity
2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with internal stakeholders, and the interpretation of their actions and values;
⎯ the organization's culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ the form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an information security management system (ISMS)
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of its possible consequences (2.14) and their likelihood (2.45)
[SOURCE: ISO Guide 73:2009, modified – the words "or combination of risks" have been deleted from the English original]
2.45
likelihood
chance of some event or situation happening
[SOURCE: ISO Guide 73:2009]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60), objectives (2.56) and the processes (2.61) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific functions of the organization, specific sections of the organization, or one or more functions across a group of organizations.
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The term "measures" is used to refer collectively to base measures, derived measures and indicators.
2.48
measurement
process (2.61) to determine a value
Note 1 to entry: In the context of information security (2.33), the process to determine a value requires information about the effectiveness (2.24) of an information security management system (2.46) and its controls (2.16), obtained using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2) and decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007]
Note to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
⎯ subjective, in which the quantification of attributes is based on human judgement;
⎯ objective, in which the quantification is based on numerical rules.
2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need (2.31)
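As an added illustration (not part of the standard's text), the following Python models the measurement chain these definitions describe: base measures (2.10) combined by a measurement function (2.49) into a derived measure (2.22), fed through an analytical model (2.2) with decision criteria (2.21) to produce an indicator (2.30) and measurement results (2.51). The incident counts, thresholds and verdict labels are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class BaseMeasure:
    """2.10: a measure of one attribute (2.4) together with the method (2.50)
    used to quantify it; method_type is "objective" or "subjective"."""
    name: str
    attribute: str
    method_type: str
    value: float


@dataclass(frozen=True)
class DerivedMeasure:
    """2.22: a measure defined as a function of two or more base-measure values."""
    name: str
    value: float
    inputs: Tuple[str, ...]


def measurement_function(name: str, fn: Callable[..., float],
                         *bases: BaseMeasure) -> DerivedMeasure:
    """2.49: combine two or more base measures into a derived measure."""
    if len(bases) < 2:
        raise ValueError("a measurement function combines at least two base measures")
    return DerivedMeasure(name, fn(*(b.value for b in bases)),
                          tuple(b.name for b in bases))


@dataclass(frozen=True)
class DecisionCriteria:
    """2.21: ascending thresholds that split the value range into bands, with one
    verdict per band (len(verdicts) == len(thresholds) + 1)."""
    thresholds: Tuple[float, ...]
    verdicts: Tuple[str, ...]

    def classify(self, x: float) -> str:
        if len(self.verdicts) != len(self.thresholds) + 1:
            raise ValueError("need exactly one verdict per band")
        band = sum(1 for t in self.thresholds if x >= t)
        return self.verdicts[band]


@dataclass(frozen=True)
class Indicator:
    """2.30: evaluation of an attribute produced by an analytical model (2.2)
    for a stated information need (2.31)."""
    name: str
    value: float
    verdict: str
    information_need: str


def analytical_model(name: str, need: str, derived: DerivedMeasure,
                     criteria: DecisionCriteria) -> Indicator:
    """2.2: combine a derived measure with decision criteria to yield an indicator."""
    return Indicator(name, derived.value, criteria.classify(derived.value), need)


def measurement_results(indicators: List[Indicator]) -> Dict[str, str]:
    """2.51: indicators plus the interpretation that answers the information need."""
    return {i.name: f"{i.value:.2f} -> {i.verdict} ({i.information_need})"
            for i in indicators}


def incident_handling_example() -> Indicator:
    """Constructed sample data (not from the standard): one quarter of incident records."""
    logged = BaseMeasure("incidents_logged", "incident record count", "objective", 40)
    in_target = BaseMeasure("incidents_closed_in_target", "incident record count",
                            "objective", 34)
    # Derived measure: share of incidents closed within the response-time target.
    ratio = measurement_function("closed_in_target_ratio",
                                 lambda total, ok: ok / total if total else 0.0,
                                 logged, in_target)
    # Decision criteria: below 70 % investigate, 70-90 % monitor, 90 % and above acceptable.
    criteria = DecisionCriteria((0.70, 0.90), ("investigate", "monitor", "acceptable"))
    return analytical_model("incident response timeliness",
                            "is incident management (2.37) effective?", ratio, criteria)


if __name__ == "__main__":
    for name, text in measurement_results([incident_handling_example()]).items():
        print(f"{name}: {text}")
```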
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
2.53
nonconformity
non-fulfilment of a requirement (2.63)
2.54
non-repudiation
ability to prove that a specific event occurred or a specific action was performed by a specific originator
2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)
2.56
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, or environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (2.61)).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended output, a target, an operational criterion, an information security objective, or by the use of other words with similar meaning (e.g. aim, goal or target).
Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the chosen security policy, to achieve specific results.
2.57
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (2.56)
Note 1 to entry: The concept of organization includes, but is not limited to, sole trader, company, corporation, firm, enterprise, authority, partnership, charity, institution, or part or combination thereof, whether incorporated or not, public or private.
2.58
outsource
make an arrangement where an external organization (2.57) performs part of an organization's function or process (2.61)
Note 1 to entry: An external organization is outside the scope of the management system (2.46), although the outsourced function or process is within the scope.
2.59
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (2.61), products (including services), systems or organizations (2.57).
2.60
policy
formal expression of the overall goal of movement in a defin
...
INTERNATIONAL ISO/IEC
STANDARD 27000
Redline version
compares third edition
to second edition
Information technology — Security
techniques — Information security
management systems — Overview
and vocabulary
Technologies de l’information — Techniques de sécurité —
Systèmes de management de la sécurité de l’information — Vue
d’ensemble et vocabulaire
Reference number
ISO/IEC 27000:redline:2014(E)
©
ISO/IEC 2014
---------------------- Page: 1 ----------------------
ISO/IEC 27000:redline:2014(E)
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x — Heading numbers containing modifications are highlighted in yellow in the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved
Contents Page
Foreword .iv
0 Introduction .v
1 Scope . 1
2 Terms and definitions . 1
3 Information security management systems .14
3.1 Introduction .14
3.2 What is an ISMS? .14
3.3 Process approach .16
3.4 Why an ISMS is important .16
3.5 Establishing, monitoring, maintaining and improving an ISMS .18
3.6 ISMS critical success factors .20
3.7 Benefits of the ISMS family of standards .21
4 ISMS family of standards .21
4.1 General information .21
4.2 Standards describing an overview and terminology .24
4.3 Standards specifying requirements .24
4.4 Standards describing general guidelines .25
4.5 Standards describing sector-specific guidelines .27
Annex A (informative) Verbal forms for the expression of provisions.29
Annex B (informative) Term and Term ownership .30
Bibliography .34
Foreword
ISO (the International [Organisation → Organization] for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective [organisation → organization] to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international [organisations → organizations], governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been
technically revised.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating
a management system. This model incorporates the features on which experts in the field have reached a
consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee
dedicated to the development of international management systems standards for information security,
otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to
implement and operate an ISMS and consists of the following International Standards, under the general
title Information technology — Security techniques (given below in numerical order):
— ISO/IEC 27000, Information security management systems — Overview and vocabulary
— ISO/IEC 27001, Information security management systems — Requirements
— ISO/IEC 27002, Code of practice for information security controls
— ISO/IEC 27003, Information security management system implementation guidance
— ISO/IEC 27004, Information security management — Measurement
— ISO/IEC 27005, Information security risk management
— ISO/IEC 27006, Requirements for bodies providing audit and certification of information security
management systems
— ISO/IEC 27007, Guidelines for information security management systems auditing
— ISO/IEC TR 27008, Guidelines for auditors on information security controls
— ISO/IEC 27010, Information security management for inter-sector and inter-organizational
communications
— ISO/IEC 27011, Information security management guidelines for telecommunications organizations
based on ISO/IEC 27002
— ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
— ISO/IEC 27014, Governance of information security
— ISO/IEC TR 27015, Information security management guidelines for financial services
— ISO/IEC TR 27016, Information security management — Organizational economics
NOTE The general title “Information technology — Security techniques” indicates that these standards
were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT
Security techniques.
International Standards not under the same general title that are also part of the ISMS family of standards
are as follows:
— ISO 27799:2008, Health informatics — Information security management in health usingISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, and
defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance
in the ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
INTERNATIONAL STANDARD ISO/IEC 27000:redline:2014(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This International Standard provides the overview of information security management systems, and
terms and definitions commonly used in the ISMS family of standards. This International Standard is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies,
not-for-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
2.2
analytical model
algorithm or calculation combining one or more base measures (2.10) and/or derived measures (2.22)
with associated decision criteria
2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use
of an asset
2.4
attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively
by human or automated means
[SOURCE: ISO/IEC 15939:2007, modified – “entity” has been replaced by “object” in the definition.]
2.5
audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
2.6
audit scope
extent and boundaries of an audit (2.5)
[SOURCE: ISO 19011:2011]
2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.8
authenticity
property that an entity is what it claims to be
2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: A base measure is functionally independent of other measures.
2.11
competence
ability to apply knowledge and skills to achieve intended results
2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (2.61)
2.13
conformity
fulfilment of a requirement (2.63)
Note 1 to entry: The term “conformance” is synonymous but deprecated.
2.14
consequence
outcome of an event (2.25) affecting objectives (2.56)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
measure that is modifying risk (2.68)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
Note 3 to entry: Control is also used as a synonym for safeguard or countermeasure.
2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.
2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to
describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]
2.22
derived measure
measure (2.47) that is defined as a function of two or more values of base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 9000:2005]
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for
implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles
2.27
external context
external environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57); and
— relationships with, and perceptions and values of, external stakeholders (2.82).
2.28
governance of information security
system by which an organization’s (2.57) information security activities are directed and controlled
2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformance of the
organization (2.57)
Note 1 to entry: Governing body can in some jurisdictions be a board of directors.
2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an
analytical model (2.2) with respect to defined information needs (2.31)
2.31
information need
insight necessary to manage objectives, goals, risks and problems
[SOURCE: ISO/IEC 15939:2007]
2.32
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note 1 to entry: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54),
and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security policy or failure of controls, or a previously unknown situation that may be security relevant
2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant
probability of compromising business operations and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from
information security incidents (2.36)
2.38
information sharing community
group of organizations that agree to share information
Note 1 to entry: An organization can be an individual.
2.39
information system
applications, services, information technology assets, or other information handling components
2.40
integrity
property of accuracy and completeness
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes,
systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization’s culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their
likelihood (2.45)
[SOURCE: ISO Guide 73:2009, modified — “or combination of risks,” has been deleted.]
2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60) and
objectives (2.56), and processes (2.61) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning,
operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The term “measures” is used to refer collectively to base measures, derived measures, and indicators.
2.48
measurement
process (2.61) to determine a value
Note 1 to entry: In the context of information security (2.33) the process of determining a value requires
information about the effectiveness (2.24) of an information security management system (2.46) and its associated
controls (2.16) using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2), and
decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with
respect to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute. Two types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need
(2.31)
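The measurement terms defined in this clause (base measure, measurement method, measurement function, derived measure, analytical model, decision criteria, indicator, measurement results, information need) describe one pipeline: base measures are combined by a measurement function into a derived measure, and an analytical model applies decision criteria to it to yield an indicator whose interpretation answers an information need. The Python example below is added here to show that chain end to end; it is not code from the standard or from ISO/IEC 27004. The information need (critical-server patch coverage), the two base measures, the thresholds and the sample counts are constructed for illustration, and all function and class names are the editor's own.

```python
"""Added example of the ISO/IEC 27000 measurement vocabulary as a pipeline.
Hypothetical information need, base measures and thresholds; not code from the standard."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class BaseMeasure:
    """Base measure (2.10): defined by an attribute (2.4) of an object (2.55) and the
    measurement method (2.50) used to quantify it; independent of other measures."""
    name: str
    obj: str
    attribute: str
    method: str      # objective (numerical rule) or subjective (human judgment)
    value: float


@dataclass(frozen=True)
class DerivedMeasure:
    """Derived measure (2.22): a function of two or more base measure values."""
    name: str
    value: float
    inputs: tuple


@dataclass(frozen=True)
class DecisionCriteria:
    """Decision criteria (2.21): thresholds that decide whether action or further
    investigation is needed. Constructed values, not figures from the standard."""
    target: float            # at or above this the objective is met
    action_threshold: float  # below this corrective action is required


@dataclass(frozen=True)
class Indicator:
    """Indicator (2.30) with its interpretation, i.e. a measurement result (2.51)."""
    name: str
    value: float
    status: str
    interpretation: str


def measurement_function(name: str, fn: Callable[..., float],
                         *bases: BaseMeasure) -> DerivedMeasure:
    """Measurement function (2.49): combine two or more base measures into one value."""
    if len(bases) < 2:
        raise ValueError("a measurement function combines two or more base measures")
    return DerivedMeasure(name, fn(*(b.value for b in bases)),
                          tuple(b.name for b in bases))


def ratio(numerator: float, denominator: float) -> float:
    """Share of a population. An empty population is a data defect, not 0 %, so it
    is reported as an error rather than silently scored."""
    if denominator == 0:
        raise ValueError("denominator base measure is zero; check the data source")
    return numerator / denominator


def analytical_model(name: str, derived: DerivedMeasure, criteria: DecisionCriteria,
                     information_need: str) -> Indicator:
    """Analytical model (2.2): apply decision criteria to a derived measure and return
    an indicator whose interpretation addresses the information need (2.31)."""
    if derived.value >= criteria.target:
        status = "on target"
    elif derived.value >= criteria.action_threshold:
        status = "investigate"
    else:
        status = "act"
    interpretation = (f"{information_need}: {derived.value:.1%} "
                      f"(target {criteria.target:.0%}, action below "
                      f"{criteria.action_threshold:.0%}) -> {status}")
    return Indicator(name, derived.value, status, interpretation)


def patch_coverage_indicator(in_scope: int, patched_in_sla: int) -> Indicator:
    """End-to-end run on constructed counts: hypothetical information need, base
    measures and thresholds (none of these values come from the standard)."""
    total = BaseMeasure("servers_in_scope", "critical server estate", "count",
                        "objective: count of CMDB records tagged critical", in_scope)
    patched = BaseMeasure("servers_patched_within_sla", "critical server estate", "count",
                          "objective: count of hosts whose last patch date meets the SLA",
                          patched_in_sla)
    coverage = measurement_function("patch_coverage", ratio, patched, total)
    criteria = DecisionCriteria(target=0.95, action_threshold=0.80)
    return analytical_model("critical_patch_coverage", coverage, criteria,
                            "Are critical servers patched within the SLA?")


if __name__ == "__main__":
    # Three constructed monthly snapshots exercising each decision outcome.
    for in_scope, patched in ((120, 116), (120, 102), (120, 90)):
        print(patch_coverage_indicator(in_scope, patched).interpretation)
```

The point of keeping each term as its own type is that the decision criteria and the measurement function are reviewable separately from the raw counts: an auditor can check how the 95 % target was set without re-deriving the ratio, and a zero population surfaces as an error in the measurement function rather than as a misleading indicator.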
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
Note 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
2.53
nonconformity
non-fulfilment of a requirement (2.63)
[SOURCE: ISO 9000:2005]
2.54
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)
2.56
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environme
...
INTERNATIONAL ISO/IEC
STANDARD 27000
Third edition
2014-01-15
Information technology — Security
techniques — Information security
management systems — Overview and
vocabulary
Technologies de l’information — Techniques de sécurité — Systèmes
de management de la sécurité de l’information — Vue d’ensemble et
vocabulaire
Reference number
ISO/IEC 27000:2014(E)
©
ISO/IEC 2014
ISO/IEC 27000:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved
Contents Page
Foreword .iv
0 Introduction .v
1 Scope . 1
2 Terms and definitions . 1
3 Information security management systems .12
3.1 Introduction .12
3.2 What is an ISMS? .13
3.3 Process approach .14
3.4 Why an ISMS is important .14
3.5 Establishing, monitoring, maintaining and improving an ISMS .15
3.6 ISMS critical success factors .18
3.7 Benefits of the ISMS family of standards .19
4 ISMS family of standards .19
4.1 General information .19
4.2 Standards describing an overview and terminology .20
4.3 Standards specifying requirements .21
4.4 Standards describing general guidelines .21
4.5 Standards describing sector-specific guidelines .23
Annex A (informative) Verbal forms for the expression of provisions.25
Annex B (informative) Term and Term ownership .26
Bibliography .30
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been
technically revised.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating
a management system. This model incorporates the features on which experts in the field have reached a
consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee
dedicated to the development of international management systems standards for information security,
otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to
implement and operate an ISMS and consists of the following International Standards, under the general
title Information technology — Security techniques (given below in numerical order):
— ISO/IEC 27000, Information security management systems — Overview and vocabulary
— ISO/IEC 27001, Information security management systems — Requirements
— ISO/IEC 27002, Code of practice for information security controls
— ISO/IEC 27003, Information security management system implementation guidance
— ISO/IEC 27004, Information security management — Measurement
— ISO/IEC 27005, Information security risk management
— ISO/IEC 27006, Requirements for bodies providing audit and certification of information security
management systems
— ISO/IEC 27007, Guidelines for information security management systems auditing
— ISO/IEC TR 27008, Guidelines for auditors on information security controls
— ISO/IEC 27010, Information security management for inter-sector and inter-organizational
communications
— ISO/IEC 27011, Information security management guidelines for telecommunications organizations
based on ISO/IEC 27002
— ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
— ISO/IEC 27014, Governance of information security
— ISO/IEC TR 27015, Information security management guidelines for financial services
— ISO/IEC TR 27016, Information security management — Organizational economics
NOTE The general title “Information technology — Security techniques” indicates that these standards were
prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security
techniques.
International Standards not under the same general title that are also part of the ISMS family of standards
are as follows:
— ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems, and
defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance
in the ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
INTERNATIONAL STANDARD ISO/IEC 27000:2014(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This International Standard provides the overview of information security management systems, and
terms and definitions commonly used in the ISMS family of standards. This International Standard is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
2.2
analytical model
algorithm or calculation combining one or more base measures (2.10) and/or derived measures (2.22)
with associated decision criteria
2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use
of an asset
2.4
attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively
by human or automated means
[SOURCE: ISO/IEC 15939:2007, modified – “entity” has been replaced by “object” in the definition.]
2.5
audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
2.6
audit scope
extent and boundaries of an audit (2.5)
[SOURCE: ISO 19011:2011]
2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.8
authenticity
property that an entity is what it claims to be
2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: A base measure is functionally independent of other measures.
2.11
competence
ability to apply knowledge and skills to achieve intended results
2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (2.61)
2.13
conformity
fulfilment of a requirement (2.63)
Note 1 to entry: The term “conformance” is synonymous but deprecated.
2.14
consequence
outcome of an event (2.25) affecting objectives (2.56)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
measure that is modifying risk (2.68)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.
2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to
describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]
2.22
derived measure
measure (2.47) that is defined as a function of two or more values of base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for
implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
2.27
external context
external environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57); and
— relationships with, and perceptions and values of, external stakeholders (2.82).
2.28
governance of information security
system by which an organization’s (2.57) information security activities are directed and controlled
2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformance of the
organization (2.57)
Note 1 to entry: Governing body can in some jurisdictions be a board of directors.
2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an
analytical model (2.2) with respect to defined information needs (2.31)
2.31
information need
insight necessary to manage objectives, goals, risks and problems
[SOURCE: ISO/IEC 15939:2007]
2.32
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note 1 to entry: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54),
and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security policy or failure of controls, or a previously unknown situation that may be security relevant
2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant
probability of compromising business operations and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from
information security incidents (2.36)
2.38
information sharing community
group of organizations that agree to share information
Note 1 to entry: An organization can be an individual.
2.39
information system
applications, services, information technology assets, or other information handling components
2.40
integrity
property of accuracy and completeness
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes,
systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization’s culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their
likelihood (2.45)
[SOURCE: ISO Guide 73:2009, modified — “or combination of risks,” has been deleted.]
2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60) and
objectives (2.56) and processes (2.61) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning,
operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The term “measures” is used to refer collectively to base measures, derived measures, and
indicators.
2.48
measurement
process (2.61) to determine a value
Note 1 to entry: In the context of information security (2.33) the process of determining a value requires
information about the effectiveness (2.24) of an information security management system (2.46) and its associated
controls (2.16) using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2), and
decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect
to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute. Two types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need
(2.31)
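The measurement terms in 2.2, 2.10, 2.21, 2.22, 2.30 and 2.47 to 2.51 are the pieces of one chain taken from ISO/IEC 15939: a measurement method quantifies an attribute of each object into base measures, a measurement function combines those into a derived measure, and an analytical model applies decision criteria to produce an indicator whose interpretation is the measurement result. The following Python example is added here to show that chain end to end; it is not part of the standard. The patch-age scenario, the 30-day requirement, the thresholds and the sample inventory are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BaseMeasure:
    """2.10: a measure defined by one attribute and the method that quantifies it."""
    name: str
    value: float


@dataclass(frozen=True)
class DerivedMeasure:
    """2.22: a measure defined as a function of two or more base measures."""
    name: str
    value: float


@dataclass(frozen=True)
class Indicator:
    """2.30: the estimate an analytical model (2.2) produces for an information need (2.31)."""
    name: str
    value: float
    rating: str           # which decision criterion (2.21) the value met
    interpretation: str   # the interpretation that makes this a measurement result (2.51)


# Constructed sample input (an assumption, not from the standard): the objects
# (2.55) are servers in scope, the attribute (2.4) is days since the last
# critical patch, as an assumed objective measurement method (2.50) would read
# it from a patch-inventory export.
SAMPLE_PATCH_AGE_DAYS = {"web-01": 3, "web-02": 12, "db-01": 45, "app-01": 0, "app-02": 31}
SLA_DAYS = 30  # assumed requirement (2.63): critical patches applied within 30 days


def base_measures(patch_age: dict, sla_days: int) -> list:
    """Apply the measurement method: count the objects and count those past the SLA."""
    return [
        BaseMeasure("servers_in_scope", len(patch_age)),
        BaseMeasure("servers_overdue", sum(1 for d in patch_age.values() if d > sla_days)),
    ]


def measurement_function(bases: list) -> DerivedMeasure:
    """2.49: combine the two base measures into the derived measure 'percent overdue'.

    Guards the empty-scope case, where the ratio is undefined and an indicator
    would otherwise report 'green' for an estate that was never measured.
    """
    values = {b.name: b.value for b in bases}
    if values["servers_in_scope"] == 0:
        raise ValueError("no objects in scope: derived measure is undefined")
    return DerivedMeasure("pct_servers_overdue",
                          100.0 * values["servers_overdue"] / values["servers_in_scope"])


# Decision criteria (2.21): assumed thresholds, checked from the most severe down.
DECISION_CRITERIA = [
    (25.0, "red", "act now: a quarter or more of the estate is outside the patch SLA"),
    (10.0, "amber", "investigate: overdue rate is above target"),
    (0.0, "green", "no action: within target"),
]


def analytical_model(derived: DerivedMeasure, criteria=DECISION_CRITERIA) -> Indicator:
    """2.2: combine the derived measure with the decision criteria to yield an indicator."""
    for threshold, rating, interpretation in criteria:
        if derived.value >= threshold:
            return Indicator("patch_sla_status", derived.value, rating, interpretation)
    raise ValueError("decision criteria do not cover the measured value")


def measurement_results(patch_age: dict, sla_days: int = SLA_DAYS) -> Indicator:
    """2.48 and 2.51: run the whole measurement process and return the interpreted indicator."""
    return analytical_model(measurement_function(base_measures(patch_age, sla_days)))


if __name__ == "__main__":
    result = measurement_results(SAMPLE_PATCH_AGE_DAYS)
    print(f"{result.name}: {result.value:.1f}% overdue, {result.rating}: {result.interpretation}")
```

With the sample inventory, 2 of 5 servers are past the SLA, the derived measure is 40.0 %, and the criteria rate it red. Two choices in the example are worth copying: the decision criteria live in data outside the model, so they can be reviewed and changed without touching the calculation, and an empty scope fails loudly instead of quietly rating green.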
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
Note 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
2.53
nonconformity
non-fulfilment of a requirement (2.63)
2.54
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)
2.56
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental
goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (2.61)).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational
criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal,
or target).
Note 4 to entry: In the context of information security management systems, information security objectives are
set by the organization, consistent with the information security policy, to achieve specific results.
2.57
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (2.56)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
2.58
outsource
make an arrangement where an external organization (2.57) performs part of an organization’s function
or process (2.61)
Note 1 to entry: An external organization is outside the scope of the management system (2.46), although the
outsourced function or process is within the scope.
2.59
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (2.61), products (including
services), systems or organizations (2.57).
2.60
policy
intentions and direction of an organization (2.57) as formally expressed by its top management (2.84)
2.61
process
set of interrelated or interacting activities which transforms inputs into outputs
2.62
reliability
property of consistent intended behaviour and results
2.63
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested
parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
2.64
residual risk
risk (2.68) remaining after risk treatment (2.79)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be known as “retained risk”.
2.65
review
activity undertaken to determine the suitability, adequacy and effectiveness (2.24) of the subject matter
to achieve established objectives
[SOURCE: ISO Guide 73:2009]
2.66
review object
specific item being reviewed
2.67
review objective
statement describing what is to be achieved as a result of a review
2.68
risk
effect of uncertainty on objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (2.25), its consequence (2.14), or likelihood (2.45).
Note 3 to entry: Risk is often characterized by reference to potential events (2.25) and consequences (2.14), or a
combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences (2.14) of an event (including
changes in circumstances) and the associated likelihood (2.45) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats (2.83) will exploit
vulnerabilities (2.89) of an information asset or group of information assets and thereby cause harm to an
organization.
2.69
risk acceptance
informed decision to take a particular risk (2.68)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Risk acceptance can occur without risk treatment (2.79) or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring (2.52) and review (2.65).
2.70
risk analysis
process to comprehend the nature of risk (2.68) and to determine the level of risk (2.44)
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Risk analysis provides the basis for risk evaluation (2.74) and decisions about risk treatment
(2.79).
Note 2 to entry: Risk analysis includes risk estimation.
2.71
risk assessment
overall process (2.61) of risk identification (2.75), risk analysis (2.70) and risk evaluation (2.74)
[SOURCE: ISO Guide 73:2009]
2.72
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information,
and to engage in dialogue with stakeholders (2.82) regarding the management of risk (2.68)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood, significance, evaluation,
acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
2.73
risk criteria
terms of reference against which the significance of
...
INTERNATIONAL STANDARD ISO/IEC 27000
Third edition
2014-01-15
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Reference number
ISO/IEC 27000:2014(F)
© ISO/IEC 2014
Contents  Page
Foreword  iv
0 Introduction  v
1 Scope  1
2 Terms and definitions  1
3 Information security management systems  13
3.1 Introduction  13
3.2 What is an ISMS?  13
3.3 Process approach  15
3.4 Why an ISMS is important  15
3.5 Establishing, monitoring, maintaining and improving an ISMS  16
3.6 ISMS critical success factors  19
3.7 Benefits of the ISMS family of standards  20
4 The ISMS family of standards  20
4.1 General information  20
4.2 Standards describing an overview and terminology  21
4.3 Standards specifying requirements  22
4.4 Standards describing general guidelines  22
4.5 Standards describing sector-specific guidelines  25
Annex A (informative) Verbal forms for the expression of provisions  27
Annex B (informative) Term and term ownership  28
Bibliography  32
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights or similar rights. ISO and IEC shall not be held responsible for identifying any or all such rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been technically revised.
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets, including financial information, intellectual property and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS. It consists of the following International Standards, under the general title Information technology — Security techniques (given below in numerical order):
— ISO/IEC 27000, Information security management systems — Overview and vocabulary
— ISO/IEC 27001, Information security management systems — Requirements
— ISO/IEC 27002, Code of practice for information security controls
— ISO/IEC 27003, Information security management system implementation guidance
— ISO/IEC 27004, Information security management — Measurement
— ISO/IEC 27005, Information security risk management
— ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
— ISO/IEC 27007, Guidelines for information security management systems auditing
— ISO/IEC/TR 27008, Guidelines for auditors on information security controls
— ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
— ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
— ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
— ISO/IEC 27014, Governance of information security
— ISO/IEC/TR 27015, Information security management guidelines for financial services
— ISO/IEC/TR 27016, Information security management — Organizational economics
NOTE The general title "Information technology — Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
International Standards that are also part of the ISMS family of standards but are not under the same general title are the following:
— ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
0.3 Objet de la présente Norme internationale
La présente Norme internationale offre une vue d’ensemble des systèmes de management de la sécurité
de l’information et définit les termes qui s’y rapportent.
NOTE L’Annexe A fournit des éclaircissements sur la façon dont les formes verbales sont utilisées pour
exprimer des exigences et/ou des préconisations dans la famille de normes du SMSI.
La famille de normes du SMSI comporte des normes qui:
a) définissent les exigences pour un SMSI et pour les organismes certifiant de tels systèmes;
b) apportent un soutien direct, des préconisations détaillées et/ou une interprétation du processus
général visant à établir, mettre en œuvre, entretenir et améliorer un SMSI;
c) traitent des lignes directrices propres à des secteurs particuliers en matière de SMSI;
d) traitent de l’évaluation de la conformité d’un SMSI.
Les termes et les définitions fournis dans la présente Norme internationale:
— couvrent les termes et les définitions d’usage courant dans la famille de normes du SMSI;
— ne couvrent pas l’ensemble des termes et des définitions utilisés dans la famille de normes du SMSI;
— ne limitent pas la famille de normes du SMSI en définissant de nouveaux termes à utiliser.
vi © ISO/IEC 2014 – Tous droits réservés
---------------------- Page: 6 ----------------------
NORME INTERNATIONALE ISO/CEI 27000:2014(F)
Technologies de l’information — Techniques de sécurité —
Systèmes de management de la sécurité de l’information —
Vue d’ensemble et vocabulaire
1 Domaine d’application
La présente Norme internationale offre une vue d’ensemble des systèmes de management de la sécurité
de l’information, et des termes et définitions d’usage courant dans la famille de normes du SMSI. La
présente Norme internationale est applicable à tous les types et à toutes les tailles d’organismes (par
exemple: les entreprises commerciales, les organismes publics, les organismes à but non lucratif).
2 Termes et définitions
Pour les besoins du présent document, les termes et définitions suivants s’appliquent.
2.1
contrôle d’accès
moyens mis en œuvre pour assurer que l’accès aux actifs est autorisé et limité selon les exigences propres
à la sécurité et à l’activité métier
2.2
modèle analytique
algorithme ou calcul combinant une ou plusieurs mesures élémentaires (2.10) et/ou mesures dérivées
(2.22) avec les critères de décision associés
2.3
attaque
tentative de détruire, de rendre public, de modifier, d’invalider, de voler ou d’obtenir un accès non
autorisé ou d’utiliser sans autorisation un actif
2.4
attribut
propriété ou caractéristique d’un objet (2.55) qui peut être distingué quantitativement ou qualitativement
par des moyens humains ou automatiques
[SOURCE: ISO/IEC 15939:2007, modifiée – le terme «entité» a été remplacé par «objet» dans la définition.]
2.5
audit
processus méthodique, indépendant et documenté (2.61) permettant d’obtenir des preuves d’audit et de
les évaluer de manière objective pour déterminer dans quelle mesure les critères d’audit sont satisfaits
Note 1 à l’article: Un audit peut être interne (audit de première partie) ou externe (audit de seconde ou de tierce
partie), et peut également être un audit combiné (combinant deux disciplines ou plus).
Note 2 à l’article: Les termes «preuves d’audit» et «critères d’audit» sont définis dans l’ISO 19011.
2.6
champ de l’audit
étendue et limites d’un audit (2.5)
[SOURCE: ISO 19011:2011]
© ISO 2014 – Tous droits réservés 1
---------------------- Page: 7 ----------------------
ISO/CEI 27000:2014(F)
2.7
authentification
moyen pour une entité d’assurer la légitimité d’une caractéristique revendiquée
2.8
authenticité
propriété selon laquelle une entité est ce qu’elle revendique être
2.9
disponibilité
propriété d’être accessible et utilisable à la demande par une entité autorisée
2.10
mesure élémentaire
mesure (2.47) définie en fonction d’un attribut (2.4) et de la méthode de mesurage spécifiée pour le
quantifier
[SOURCE: ISO/IEC 15939:2007]
Note 1 à l’article: Une mesure élémentaire est fonctionnellement indépendante des autres mesures.
2.11
compétence
aptitude à mettre en œuvre des connaissances et savoir-faire en vue d’obtenir des résultats prévus
2.12
confidentialité
propriété selon laquelle l’information n’est pas rendue disponible ni divulguée à des personnes, des
entités ou des processus (2.61) non autorisés
2.13
conformité
satisfaction d’une exigence (2.63)
Note 1 à l’article: Le terme anglais «conformance» est un synonyme mais a été abandonné.
2.14
conséquence
effet d’un événement (2.25) affectant les objectifs (2.56)
[SOURCE: Guide ISO 73:2009]
Note 1 à l’article: Un événement peut engendrer une série de conséquences.
Note 2 à l’article: Une conséquence peut être certaine ou incertaine; dans le contexte de la sécurité de l’information,
elle est généralement négative.
Note 3 à l’article: Les conséquences peuvent être exprimées de façon qualitative ou quantitative.
Note 4 à l’article: Des conséquences initiales peuvent déclencher des réactions en chaîne.
2.15
amélioration continue
activité régulière destinée à améliorer les performances (2.59)
2.16
mesure de sécurité
mesure qui modifie un risque (2.68)
[SOURCE: Guide ISO 73:2009]
Note 1 à l’article: Les mesures de sécurité comprennent tous les processus, politiques, dispositifs, pratiques ou
autres actions qui modifient un risque.
2 © ISO/IEC 2014 – Tous droits réservés
---------------------- Page: 8 ----------------------
ISO/CEI 27000:2014(F)
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004:2009.
2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007]
2.22
derived measure
measure (2.47) that is defined as a function of two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: An event can be a single occurrence or can recur, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an "incident" or "accident".
2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
2.27
external context
external environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57);
— relationships with, and perceptions and values of, external stakeholders (2.82).
2.28
governance of information security
system by which an organization (2.57) directs and oversees information security-related activities
2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformity of the organization (2.57)
Note 1 to entry: In some jurisdictions, the governing body can be a board of directors.
2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an analytical model (2.2) with respect to defined information needs (2.31)
2.31
information need
insight necessary to manage objectives, risks and problems
[SOURCE: ISO/IEC 15939:2007]
2.32
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note 1 to entry: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54), and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant
2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant probability of compromising business operations and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, resolving, and learning from information security incidents (2.36)
2.38
information sharing community
group of organizations that agree to share information
Note 1 to entry: An organization can be an individual.
2.39
information system
applications, services, information technology assets, or other information handling components
2.40
integrity
property of accuracy and completeness
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity
2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009]
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— the form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their likelihood (2.45)
[SOURCE: ISO Guide 73:2009, modified – the phrase "or combination of risks" has been deleted.]
2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60), objectives (2.56) and processes (2.61) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The term "measures" is used to refer collectively to base measures, derived measures and indicators.
2.48
measurement
process (2.61) to determine a value
Note 1 to entry: In the context of information security (2.33), the process to determine a value requires information about the effectiveness (2.24) of an information security management system (2.46) and its associated controls (2.16), using a measurement method (2.50), a measurement function (2.49), an analytical model (2.2) and decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007]
2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007]
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
— subjective: quantification involving human judgement;
— objective: quantification based on numerical rules.
2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need (2.31)
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
2.53
nonconformity
non-fulfilment of a requirement (2.63)
2.54
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)
2.56
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (e.g. financial, health and safety, or environmental goals) and can apply at different levels (e.g. strategic, organization-wide, project, product and process (2.61)).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, an information security objective, or by the use of other words with similar meaning (e.g. aim or target).
Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
2.57
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (2.56)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
2.58
outsource
make an arrangement where an external organization (2.57) performs part of an organization's function or process (2.61)
Note 1 to entry: An external organization is outside the scope of the management system (2.46), although the outsourced function or process is within the scope.
2.59
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (2.61), products (including services), systems or organizations (2.57).
2.60
policy
intentions and direction of an organization (2.57) as formally expressed by its top management (2.84)
2.61
process
set of interrelated or interacting activities which transforms inputs into outputs
2.62
reliability
property of consistent intended behaviour and results
2.63
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
2.64
residual risk
...
SLOVENIAN STANDARD
oSIST ISO/IEC DIS 27000:2013
01-september-2013
Information technology - Security techniques - Information security management systems - Overview and vocabulary
This Slovenian standard is identical to: ISO/IEC DIS 27000
ICS:
01.040.35 Information technology. Office machines (Vocabularies)
35.040 Character sets and information coding
oSIST ISO/IEC DIS 27000:2013 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27000
ISO/IEC JTC 1 Secretariat: ANSI
Voting begins on: 2013-07-16
Voting terminates on: 2013-10-16
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • INTERNATIONAL ELECTROTECHNICAL COMMISSION
Information technology — Security techniques — Information security management systems — Overview and vocabulary
[Revision of second edition (ISO/IEC 27000:2012)]
ICS 01.040.35; 35.040
To expedite distribution, this document is circulated as received from the committee secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at publication stage.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
© International Organization for Standardization, 2013
© International Electrotechnical Commission, 2013
ISO/IEC DIS 27000
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 — All rights reserved
Contents Page
Foreword . vi
0 Introduction . viii
0.1 Overview . viii
0.2 ISMS family of standards . viii
0.3 Purpose of this International Standard . ix
1 Scope . 10
2 Terms and definitions . 10
3 Information security management systems . 24
3.1 Introduction . 24
3.2 What is an ISMS? . 25
3.2.1 Overview and principles . 25
3.2.2 Information . 25
3.2.3 Information security. 26
3.2.4 Management . 26
3.2.5 Management system . 26
3.3 Process approach . 27
3.4 Why an ISMS is important . 27
3.5 Establishing, monitoring, maintaining and improving an ISMS . 29
3.5.1 Overview . 29
3.5.2 Identifying information security requirements . 29
3.5.3 Assessing information security risks . 29
3.5.4 Treating information security risks . 30
3.5.5 Selecting and implementing controls . 31
3.5.6 Monitor, maintain and improve the effectiveness of the ISMS . 32
3.5.7 Continual improvement . 32
3.6 ISMS critical success factors . 33
3.7 Benefits of the ISMS family of standards . 33
4 ISMS family of standards . 34
4.1 General information . 34
4.2 Standards describing an overview and terminology . 36
4.2.1 ISO/IEC 27000 (this document) . 36
4.3 Standards specifying requirements . 36
4.3.1 ISO/IEC 27001 . 36
4.3.2 ISO/IEC 27006 . 37
4.4 Standards describing general guidelines . 37
4.4.1 ISO/IEC 27002 . 37
4.4.2 ISO/IEC 27003 . 38
4.4.3 ISO/IEC 27004 . 38
4.4.4 ISO/IEC 27005 . 38
4.4.5 ISO/IEC 27007 . 38
4.4.6 ISO/IEC TR 27008 . 39
4.4.7 ISO/IEC 27013 . 39
4.4.8 ISO/IEC 27014 . 39
iv © ISO/IEC 2011 – All rights reserved
4.4.9 ISO/IEC TR 27016 . 40
4.5 Standards describing sector-specific guidelines . 40
4.5.1 ISO/IEC 27010 . 40
4.5.2 ISO/IEC 27011 . 41
4.5.3 ISO/IEC TR 27015 . 41
4.5.4 ISO 27799 . 41
Annex A (informative) Verbal forms for the expression of provisions . 42
Annex B (informative) Terms and Terms Ownership . 43
B.1 Term ownership . 43
B.2 Terms ordered by Standards . 44
1. ISO/IEC 27001 . 44
2. ISO/IEC 27002 . 44
3. ISO/IEC 27003 . 44
4. ISO/IEC 27004 . 44
5. ISO/IEC 27005 . 45
6. ISO/IEC 27006 . 45
7. ISO/IEC 27007 . 45
8. ISO/IEC 27008 . 45
9. ISO/IEC 27010 . 45
10. ISO/IEC 27011 . 45
11. ISO/IEC 27014 . 46
12. ISO/IEC 27015 . 46
13. ISO/IEC 27016 . 46
Bibliography . 47
Foreword
ISO (the International Organization for Standardization) and IEC (the International
Electrotechnical Commission) form the specialized system for worldwide standardization.
National bodies that are members of ISO or IEC participate in the development of
International Standards through technical committees established by the respective
organization to deal with particular fields of technical activity. ISO and IEC technical
committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a joint technical
committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the
ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft
International Standards adopted by the joint technical committee are circulated to national
bodies for voting. Publication as an International Standard requires approval by at least
75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the
subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.
ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 27000:2012).
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up
and operating a management system. This model incorporates the features on which
experts in the field have reached a consensus as being the international state of the art.
ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of
international management systems standards for information security, otherwise known as
the Information Security Management System (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement
a framework for managing the security of their information assets including financial
information, intellectual property, and employee details, or information entrusted to them by
customers or third parties. These standards can also be used to prepare for an independent
assessment of their ISMS applied to the protection of information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types
and sizes to implement and operate an ISMS and consists of the following International
Standards, under the general title Information technology — Security techniques (given
below in numerical order):
ISO/IEC 27000, Information security management systems — Overview and vocabulary
ISO/IEC FDIS 27001, Information security management systems — Requirements
ISO/IEC FDIS 27002, Code of practice for information security controls
ISO/IEC 27003, Information security management system implementation guidance
ISO/IEC 27004, Information security management — Measurement
ISO/IEC 27005, Information security risk management
ISO/IEC 27006, Requirements for bodies providing audit and certification of information
security management systems
ISO/IEC 27007, Guidelines for information security management systems auditing
ISO/IEC TR 27008, Guidelines for auditors on information security management
systems controls
ISO/IEC 27010, Information security management guidelines for inter-sector and inter-
organizational communications
ISO/IEC 27011, Information security management guidelines for telecommunications
organizations based on ISO/IEC 27002
ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and
ISO/IEC 20000-1
ISO/IEC 27014, Governance of information security
ISO/IEC TR 27015, Information security management guidelines for financial services
ISO/IEC DTR 27016, Information security management – Organizational economics
Note The general title “Information technology — Security techniques” indicates that these standards were prepared
by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
International Standards not under the same general title that are also part of the ISMS
family of standards are as follows:
ISO 27799:2008, Health informatics — Information security management in health
using ISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management
systems, and defines related terms.
Note: Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the
ISMS family of standards.
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to
establish, implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard:
– cover commonly used terms and definitions in the ISMS family of standards;
– will not cover all terms and definitions applied within the ISMS family of standards; and
– do not limit the ISMS family of standards in defining new terms for use.
Information technology — Security techniques —
Information security management systems —
Overview and vocabulary
1 Scope
This International Standard provides the overview of information security
management systems, and terms and definitions commonly used in the ISMS
family of standards. This International Standard is applicable to all types and
sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
access control
means to ensure that access to assets is authorized and restricted based on
business and security requirements
2.2
analytical model
algorithm or calculation combining one or more base (2.10) and/or derived
measures (2.22) with associated decision criteria
2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to
or make unauthorized use of an asset
2.4
attribute
property or characteristic of an object (2.55) that can be distinguished
quantitatively or qualitatively by human or automated means
[Adopted from ISO/IEC 15939:2007]
2.5
audit
systematic, independent and documented process (2.61) for obtaining audit
evidence and evaluating it objectively to determine the extent to which the
audit criteria are fulfilled
Note 1: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2: “Audit evidence” and “audit criteria” are defined in ISO 19011.
2.6
audit scope
extent and boundaries of an audit (2.5)
[ISO 19011:2011]
2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.8
authenticity
property that an entity is what it claims to be
2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for
quantifying it
[ISO/IEC 15939:2007]
Note: A base measure is functionally independent of other measures.
2.11
competence
ability to apply knowledge and skills to achieve intended results
2.12
confidentiality
property that information is not made available or disclosed to unauthorized
individuals, entities, or processes (2.61)
2.13
conformity
fulfillment of a requirement (2.63)
Note: The term “conformance” is synonymous but deprecated.
2.14
consequence
outcome of an event (2.25) affecting objectives (2.56)
[ISO Guide 73:2009]
Note 1: An event can lead to a range of consequences.
Note 2: A consequence can be certain or uncertain and in the context of information security is
usually negative.
Note 3: Consequences can be expressed qualitatively or quantitatively.
Note 4: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
measure that is modifying risk (2.68)
[ISO Guide 73:2009]
Note 1: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2: Controls may not always exert the intended or assumed modifying effect.
2.17
control objective
statement describing what is to be achieved as a result of implementing
controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent
recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures
(2.22) and/or indicators (2.30)
[ISO/IEC 15939:2007]
Note: This definition applies only within the context of ISO/IEC 27004:2009.
2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or
further investigation, or to describe the level of confidence in a given result
[ISO/IEC 15939:2007]
2.22
derived measure
measure (2.47) that is defined as a function of two or more values of base
measures (2.10)
[ISO/IEC 15939:2007]
2.23
documented information
information required to be controlled and maintained by an organization
(2.57) and the medium on which it is contained
Note 1: Documented information can be in any format and media and from any source.
Note 2: Documented information can refer to
– the management system (2.46), including related processes (2.61);
– information created in order for the organization to operate (documentation);
– evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
Note 1: An event can be one or more occurrences, and can have several causes.
Note 2: An event can consist of something not happening.
Note 3: An event can sometimes be referred to as an “incident” or “accident”.
2.26
executive management
person or group of people who have delegated responsibility from the
governing body (2.29) for implementation of strategies and policies to
accomplish the purpose of the organization (2.57)
Note: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
2.27
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
Note: External context can include:
– the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
– key drivers and trends having impact on the objectives (2.56) of the organization (2.57); and
– relationships with, and perceptions and values of, external stakeholders (2.82).
2.28
governance of information security
set of principles and processes (2.61) by which an organization (2.57)
provides direction and oversight of information security-related activities
2.29
governing body
group of people who are ultimately accountable for the performance (2.59) of
the organization (2.57)
Note: Governing body can in some jurisdictions be a board of directors.
2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified
attributes (2.4) derived from an analytical model (2.2) with respect to
defined information needs (2.31)
2.31
information need
insight necessary to manage objectives, goals, risks and problems
[ISO/IEC 15939:2007]
2.32
information processing facilities
any information processing system, service or infrastructure, or the physical
locations housing them
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9)
of information
Note: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation
(2.54), and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information
security (2.33) operations
2.35
information security event
identified occurrence of a system, service or network state indicating a
possible breach of information security policy or failure of controls, or a
previously unknown situation that may be security relevant
2.36
information security incident
single or a series of unwanted or unexpected information security events
(2.35) that have a significant probability of compromising business operations
and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing
with, and learning from information security incidents (2.36)
2.38
information sharing community
group of organizations that agree to share information
Note: An organization can be an individual.
2.39
information system
applications, services, information technology assets, or other information
handling components
2.40
integrity
property of accuracy and completeness
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive
themselves to be affected by a decision or activity
2.42
internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
Note: Internal context can include:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- information systems, information flows and decision-making processes (both formal and informal);
- relationships with, and perceptions and values of, internal stakeholders;
- the organization's culture;
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an
ISMS
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of
consequences (2.14) and their likelihood (2.45)
[Adopted from ISO Guide 73:2009]
2.45
likelihood
chance of something happening
[ISO Guide 73:2009]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to
establish policies (2.60) and objectives (2.56) and processes (2.61) to
achieve those objectives
Note 1: A management system can address a single discipline or several disciplines.
Note 2: The system elements include the organization’s structure, roles and responsibilities, planning,
operation, etc.
Note 3: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or
more functions across a group of organizations.
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[ISO/IEC 15939:2007]
Note: The term “measures” is used to refer collectively to base measures, derived measures, and
indicators.
2.48
measurement
process (2.61) to determine a value
...