Information technology - Security techniques - Information security management systems - Overview and vocabulary

This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.
This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).

Information technology - Security techniques - Information security management systems - Overview and vocabulary

ISO/IEC 27000:2009 provides an overview of information security management systems (ISMS); this overview forms the subject of the ISMS family of standards and defines the related terms. Following implementation of ISO/IEC 27000:2009, all types of organization (for example commercial enterprises, government agencies and non-profit organizations) are expected to obtain:
an overview of the ISMS family of standards,
an introduction to ISMS,
a brief description of the Plan-Do-Check-Act (PDCA) process, and
the terms and definitions used in the ISMS family of standards.
The objectives of ISO/IEC 27000:2009 are to provide terms and definitions, and an introduction to the ISMS family of standards, which:
define requirements for an ISMS and for bodies certifying such systems,
provide direct support, detailed guidance and/or interpretation of the overall Plan-Do-Check-Act (PDCA) processes and requirements,
address sector-specific ISMS guidelines, and
address conformity assessment for an ISMS.

General Information

Status: Withdrawn
Public Enquiry End Date: 02-Jan-2011
Publication Date: 09-Feb-2011
Withdrawal Date: 05-Feb-2018
Technical Committee:
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 06-Feb-2018
Due Date: 01-Mar-2018
Completion Date: 06-Feb-2018

Buy Standard

Standard
ISO/IEC 27000:2009 - Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
English language
19 pages
Standard
SIST ISO/IEC 27000:2011
English language
25 pages
Standard
oSIST ISO/IEC 27000:2010
English language
25 pages
Standard
ISO/IEC 27000:2009 - Technologies de l'information -- Techniques de sécurité -- Systemes de management de la sécurité de l'information -- Vue d'ensemble et vocabulaire
French language
20 pages
Standard – translation
SIST ISO/IEC 27000:2011 - Standard printed for the reading room.
Slovenian language
24 pages

Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 27000
First edition
2009-05-01
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes de gestion de la sécurité des informations — Vue d'ensemble et vocabulaire
Reference number ISO/IEC 27000:2009(E)
© ISO/IEC 2009
ISO/IEC 27000:2009(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved
Contents

Foreword
0 Introduction
1 Scope
2 Terms and definitions
3 Information security management systems
3.1 Introduction
3.2 What is an ISMS?
3.3 Process approach
3.4 Why an ISMS is important
3.5 Establishing, monitoring, maintaining and improving an ISMS
3.6 ISMS critical success factors
3.7 Benefits of the ISMS family of standards
4 ISMS family of standards
4.1 General information
4.2 Standards describing an overview and terminology
4.3 Standards specifying requirements
4.4 Standards describing general guidelines
4.5 Standards describing sector-specific guidelines
Annex A (informative) Verbal forms for the expression of provisions
Annex B (informative) Categorized terms
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.

0.2 ISMS family of standards

The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology — Security techniques:

⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards not under the same general title that are also part of the ISMS family of standards are as follows:

⎯ ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

1) Standards identified throughout this subclause with no release year indicated are still under development.
0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard:
⎯ cover commonly used terms and definitions in the ISMS family of standards;
⎯ will not cover all terms and definitions applied within the ISMS family of standards; and
⎯ do not limit the ISMS family of standards in defining terms for their own use.

Standards addressing only the implementation of controls, as opposed to addressing all controls, from ISO/IEC 27002 are excluded from the ISMS family of standards.

To reflect the changing status of the ISMS family of standards, this International Standard is expected to be continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards.
INTERNATIONAL STANDARD ISO/IEC 27000:2009(E)
Information technology — Security techniques — Information security management systems — Overview and vocabulary
1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.

This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition.

For example:

attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)”;
asset is defined as “anything that has value to the organization”.
If the term “asset” is replaced by its definition:
attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization”.
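The substitution rule this NOTE describes, carried out mechanically over a constructed subset of the Clause 2 definitions (an added example, not part of the standard; the entry table, the plural and article handling and the cycle guard are this example's own assumptions):

```python
import re

# Constructed subset of the Clause 2 entries from the page: entry number -> (term, definition).
# Definitions are quoted as the page gives them, including their "term (n.m)" references.
DEFINITIONS = {
    "2.3": ("asset", "anything that has value to the organization"),
    "2.4": ("attack", "attempt to destroy, expose, alter, disable, steal or gain unauthorized "
                      "access to or make unauthorized use of an asset (2.3)"),
    "2.10": ("control", "means of managing risk (2.34), including policies (2.28), "
                        "procedures (2.30), guidelines (2.16), practices or organizational "
                        "structures, which can be administrative, technical, management, or "
                        "legal in nature"),
    "2.15": ("event", "occurrence of a particular set of circumstances"),
    "2.16": ("guideline", "recommendation of what is expected to be done to achieve an objective"),
    "2.28": ("policy", "overall intention and direction as formally expressed by management"),
    "2.30": ("procedure", "specified way to carry out an activity or a process (2.31)"),
    "2.31": ("process", "set of interrelated or interacting activities which transforms "
                        "inputs into outputs"),
    "2.34": ("risk", "combination of the probability of an event (2.15) and its consequence"),
    "2.45": ("threat", "potential cause of an unwanted incident, which may result in harm to "
                       "a system or organization"),
    "2.46": ("vulnerability", "weakness of an asset (2.3) or control (2.10) that can be "
                              "exploited by a threat (2.45)"),
}

# An entry reference as it appears in the text: "(2.3)", "(2.31)", ...
REF_RE = re.compile(r"\((\d+\.\d+)\)")


def referenced_entries(text):
    """Entry numbers cited as '(n.m)' in a definition, in order of appearance."""
    return REF_RE.findall(text)


def _term_pattern(term, num):
    """Regex for one boldface reference: an optional article, the term in singular or
    plural form ('asset'/'assets', 'process'/'processes', 'policy'/'policies'), then
    its entry number in parentheses. The page drops the article too ("of an asset (2.3)"
    becomes "of anything that has value ..."), so the article is part of the match."""
    words = term.split()
    head = [re.escape(w) for w in words[:-1]]
    last = words[-1]
    if last.endswith("y"):
        tail = re.escape(last[:-1]) + "(?:y|ies)"
    else:
        tail = re.escape(last) + "(?:es|s)?"
    body = r"\s+".join(head + [tail])
    return re.compile(r"\b(?:(?:an?|the)\s+)?" + body + r"\s*\(" + re.escape(num) + r"\)")


def expand(text, definitions=DEFINITIONS, _stack=()):
    """Replace every 'term (n.m)' reference in text by the complete definition of n.m,
    recursively, so the result contains no reference to any entry in `definitions`.
    A reference to an entry missing from the table is left untouched. The _stack guard
    stops an entry from being expanded again inside its own expansion (no infinite loop
    on a self-referential definition)."""
    for num, (term, definition) in definitions.items():
        if num in _stack:
            continue
        pattern = _term_pattern(term, num)
        if pattern.search(text):
            replacement = expand(definition, definitions, _stack + (num,))
            text = pattern.sub(lambda _m, r=replacement: r, text)
    return text


if __name__ == "__main__":
    # Reproduces the NOTE's worked example for 'attack', then a deeper chain for 'vulnerability'.
    for num in ("2.4", "2.46"):
        term, definition = DEFINITIONS[num]
        print(f"{term} ({num}) expands to: {expand(definition)}")
```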
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE There are many types of assets, including:
a) information (2.18);
b) software, such as a computer program;
c) physical, such as a computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)
2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be administrative, technical, management, or legal in nature
NOTE Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the results achieved and how well the resources have been used
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what is expected to be done to achieve an objective
2.17
impact
adverse change to the level of business objectives achieved
2.18
information asset
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and reliability (2.33) can also be involved.
2.20
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant
2.21
information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.21)
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization
2.27
non-repudiation
ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of entities in the event (2.15)
2.28
policy
overall intention and direction as formally expressed by management
2.29
preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
2.36
risk analysis
systematic use of information to identify sources and to estimate risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)

3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store, and transmit large amounts of information;
b) recognise that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.

Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.

As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
3.2 What is an ISMS?
3.2.1 Overview and principles

An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS. The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.

3.2.2 Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection.

An organization's information is dependent upon information and communications technology. This technology is an essential element in any organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information. Where the extent of the interconnected global business environment expands so does the requirement to protect information as this information is now exposed to a wider variety of threats and vulnerabilities.

3.2.3 Information security

Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring sustained business success and continuity, and in minimising impacts, information security involves the application and management of appropriate security measures that involve consideration of a wide range of threats.

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization's business processes.
3.2.4 Management

Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.

In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information assets. Management of information security is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.

NOTE The term “management” may sometimes refer to people (i.e. a person or group of people with authority and responsibility for the conduct and control of an organization). The term “management” addressed in this clause is not in this sense.

3.2.5 Management system

A management system uses a framework of resources to achieve an organization's objectives. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other stakeholders;
b) improve an organization's plans and activities;
c) meet the organization's information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals and to the environment.

3.3 Process approach

Organizations need to identify and manage many activities in order to function effectively and efficiently. Any activity using resources needs to be managed to enable the transformation of inputs into outputs using a set of interrelated or interacting activities – this is also known as a process. The output from one process can directly form the input to another process and generally this transformation is carried out under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.

The process approach for the ISMS presented in the ISMS family of standards is based on the operating principle adopted in ISO's management system standards commonly known as the Plan – Do – Check – Act (PDCA) process.

a) Plan – establish objectives and make plans (analyze the organization's situation, establish the overall objectives and set targets, and develop plans to achieve them);
b) Do – implement plans (do what was planned to do);
c) Check – measure results (measure/monitor the extent to which achievements meet planned objectives); and
d) Act – correct and improve activities (learn from mistakes to improve activities to achieve better results).
8 © ISO/IEC 2009 – All rights reserved
3.4 Why an ISMS is important

As part of an organization's ISMS, risks associated with an organization's information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organization.

The adoption of an ISMS is expected to be a strategic decision for an organization and it is necessary that this decision is seamlessly integrated, scaled and updated in accordance with the needs of the organization.

The design and implementation of an organization's ISMS is influenced by the needs and objectives of the organization, security requirements, the business processes employed and the size and structure of the organization. The design
...

SLOVENSKI STANDARD
SIST ISO/IEC 27000:2011
1 March 2011

Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazoslovje

Information technology - Security techniques - Information security management systems - Overview and vocabulary

Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire

This Slovenian standard is identical to: ISO/IEC 27000:2009

ICS:
01.040.35 Information technology. Office machines (Vocabularies)
35.040 Character sets and information coding

SIST ISO/IEC 27000:2011 en,fr

2003-01. Slovenski inštitut za standardizacijo. Reproduction of the whole or of parts of this standard is not permitted.

INTERNATIONAL STANDARD ISO/IEC 27000
First edition
2009-05-01

Information technology — Security techniques — Information security management systems — Overview and vocabulary

Technologies de l'information — Techniques de sécurité — Systèmes de gestion de la sécurité des informations — Vue d'ensemble et vocabulaire

Reference number ISO/IEC 27000:2009(E)
© ISO/IEC 2009
PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents (page)
Foreword ... iv
0 Introduction ... v
1 Scope ... 1
2 Terms and definitions ... 1
3 Information security management systems ... 6
3.1 Introduction ... 6
3.2 What is an ISMS? ... 7
3.3 Process approach ... 8
3.4 Why an ISMS is important ... 9
3.5 Establishing, monitoring, maintaining and improving an ISMS ... 10
3.6 ISMS critical success factors ... 11
3.7 Benefits of the ISMS family of standards ... 11
4 ISMS family of standards ... 12
4.1 General information ... 12
4.2 Standards describing an overview and terminology ... 13
4.3 Standards specifying requirements ... 13
4.4 Standards describing general guidelines ... 14
4.5 Standards describing sector-specific guidelines ... 15
Annex A (informative) Verbal forms for the expression of provisions ... 16
Annex B (informative) Categorized terms ... 17
Bibliography ... 19

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.

0.2 ISMS family of standards

The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology — Security techniques:

⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards not under the same general title that are also part of the ISMS family of standards are as follows:

⎯ ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

1) Standards identified throughout this subclause with no release year indicated are still under development.

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard:
⎯ cover commonly used terms and definitions in the ISMS family of standards;
⎯ will not cover all terms and definitions applied within the ISMS family of standards; and
⎯ do not limit the ISMS family of standards in defining terms for own use.

Standards addressing only the implementation of controls, as opposed to addressing all controls, from ISO/IEC 27002 are excluded from the ISMS family of standards.

To reflect the changing status of the ISMS family of standards, this International Standard is expected to be continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards.

INTERNATIONAL STANDARD ISO/IEC 27000:2009(E)
Information technology — Security techniques — Information security management systems — Overview and vocabulary

1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.

This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).

2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition. For example:

attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)”;
asset is defined as “anything that has value to the organization”.

If the term “asset” is replaced by its definition:

attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization”.
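The substitution rule this NOTE describes, as an added example that is not part of the standard: a constructed excerpt of the clause 2 entries in a small Python glossary, an expand() function that replaces each cross-referenced term by its own definition recursively (refusing circular references), and a dangling_references() check for entry numbers that do not resolve. The excerpt, the function names and the rule of consuming the article before the term (derived from the attack/asset example above) are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the clause 2 vocabulary: entry number -> (term, definition).
# Definitions follow the standard's convention: a term defined elsewhere in the
# clause is written as the term followed by its entry number in parentheses.
Glossary = Dict[str, Tuple[str, str]]

GLOSSARY: Glossary = {
    "2.3": ("asset", "anything that has value to the organization"),
    "2.4": ("attack",
            "attempt to destroy, expose, alter, disable, steal or gain unauthorized "
            "access to or make unauthorized use of an asset (2.3)"),
    "2.15": ("event", "occurrence of a particular set of circumstances"),
    "2.31": ("process",
             "set of interrelated or interacting activities which transforms inputs into outputs"),
    "2.34": ("risk", "combination of the probability of an event (2.15) and its consequence"),
    "2.36": ("risk analysis",
             "systematic use of information to identify sources and to estimate risk (2.34)"),
    "2.37": ("risk assessment",
             "overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)"),
    "2.39": ("risk criteria",
             "terms of reference by which the significance of risk (2.34) is assessed"),
    "2.41": ("risk evaluation",
             "process (2.31) of comparing the estimated risk (2.34) against given "
             "risk criteria (2.39) to determine the significance of the risk (2.34)"),
}

# An entry-number cross-reference such as "(2.3)".
_REF = re.compile(r"\((\d+\.\d+)\)")


def references(num: str, glossary: Glossary = GLOSSARY) -> List[str]:
    """Entry numbers cross-referenced from the definition of entry `num`, in order."""
    return _REF.findall(glossary[num][1])


def dangling_references(glossary: Glossary = GLOSSARY) -> Dict[str, List[str]]:
    """Entries whose definitions point at numbers that are not in the glossary."""
    missing: Dict[str, List[str]] = {}
    for num in glossary:
        bad = [ref for ref in references(num, glossary) if ref not in glossary]
        if bad:
            missing[num] = bad
    return missing


def _term_pattern(glossary: Glossary) -> re.Pattern:
    # One alternative per entry: optional article, the term (singular or plural),
    # then its own entry number. The article is consumed as part of the match
    # because the clause's example turns "an asset (2.3)" into "anything that has
    # value to the organization": the definition stands in for the noun phrase.
    alts = [
        rf"(?:\b(?:an?|the)\s+)?\b{re.escape(term)}(?:e?s)?\s*\({re.escape(num)}\)"
        for num, (term, _) in glossary.items()
    ]
    return re.compile("|".join(alts))


def expand(num: str, glossary: Glossary = GLOSSARY, _chain: Tuple[str, ...] = ()) -> str:
    """Definition of entry `num` with every cross-referenced term replaced by its
    own definition, recursively, as the clause 2 NOTE describes.

    References to numbers absent from the glossary are left in place. A cycle
    (an entry that eventually refers back to itself) raises ValueError instead
    of recursing without end.
    """
    if num in _chain:
        raise ValueError("circular reference: " + " -> ".join(_chain + (num,)))
    pattern = _term_pattern(glossary)

    def substitute(match: re.Match) -> str:
        ref = _REF.search(match.group(0)).group(1)
        return expand(ref, glossary, _chain + (num,))

    return pattern.sub(substitute, glossary[num][1])


if __name__ == "__main__":
    print("attack (2.4) ->", expand("2.4"))
    print("risk evaluation (2.41) ->", expand("2.41"))
    print("dangling:", dangling_references())
```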
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE There are many types of assets, including:
a) information (2.18);
b) software, such as a computer program;
c) physical, such as a computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)
2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be administrative, technical, management, or legal in nature
NOTE Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the results achieved and how well the resources have been used
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what is expected to be done to achieve an objective
2.17
impact
adverse change to the level of business objectives achieved
2.18
information asset
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and reliability (2.33) can also be involved.
2.20
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant
2.21
information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.21)
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization
2.27
non-repudiation
ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of entities in the event (2.15)
2.28
policy
overall intention and direction as formally expressed by management
2.29
preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
2.36
risk analysis
systematic use of information to identify sources and to estimate risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)

3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store, and transmit large amounts of information;
b) recognise that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.

Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.

As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
3.2 What is an ISMS?
3.2.1 Overview and principles

An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS. The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.

3.2.2 Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection.

An organization's information is dependent upon information and communications technology. This technology is an essential element in any organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information. Where the extent of the interconnected global business environment expands so does the requirement to protect information as this information is now exposed to a wider variety of threats and vulnerabilities.

3.2.3 Information security

Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring sustained business success and continuity, and in minimising impacts, information security involves the application and management of appropriate security measures that involve consideration of a wide range of threats.

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization's business processes.

3.2.4 Management

Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.

In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information assets. Management of information security is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.


SLOVENSKI STANDARD
oSIST ISO/IEC 27000:2010
1 December 2010

Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazoslovje
Information technology - Security techniques - Information security management systems - Overview and vocabulary
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire

This Slovenian standard is identical to: ISO/IEC 27000:2009
ICS: 01.040.35 Information technology. Office machines (Vocabularies); 35.040 Character sets and information coding
oSIST ISO/IEC 27000:2010 en

2003-01. Slovenski inštitut za standardizacijo. Reproduction of the whole or of parts of this standard is not permitted.
Reference numberISO/IEC 27000:2009(E)© ISO/IEC 2009

INTERNATIONAL STANDARD ISO/IEC27000First edition2009-05-01Information technology — Security techniques — Information security management systems — Overview and vocabulary Technologies de l'information — Techniques de sécurité — Systèmes de gestion de la sécurité des informations — Vue d'ensemble et vocabulaire

oSIST ISO/IEC 27000:2010


COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword ..... iv
0 Introduction ..... v
1 Scope ..... 1
2 Terms and definitions ..... 1
3 Information security management systems ..... 6
3.1 Introduction ..... 6
3.2 What is an ISMS? ..... 7
3.3 Process approach ..... 8
3.4 Why an ISMS is important ..... 9
3.5 Establishing, monitoring, maintaining and improving an ISMS ..... 10
3.6 ISMS critical success factors ..... 11
3.7 Benefits of the ISMS family of standards ..... 11
4 ISMS family of standards ..... 12
4.1 General information ..... 12
4.2 Standards describing an overview and terminology ..... 13
4.3 Standards specifying requirements ..... 13
4.4 Standards describing general guidelines ..... 14
4.5 Standards describing sector-specific guidelines ..... 15
Annex A (informative) Verbal forms for the expression of provisions ..... 16
Annex B (informative) Categorized terms ..... 17
Bibliography ..... 19

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

0 Introduction

0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties.

0.2 ISMS family of standards

The ISMS family of standards 1) is intended to assist organizations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology — Security techniques:

⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

NOTE The general title “Information technology — Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards not under the same general title that are also part of the ISMS family of standards are as follows:

⎯ ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

1) Standards identified throughout this subclause with no release year indicated are still under development.

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard:
⎯ cover commonly used terms and definitions in the ISMS family of standards;
⎯ will not cover all terms and definitions applied within the ISMS family of standards; and
⎯ do not limit the ISMS family of standards in defining terms for own use.

Standards addressing only the implementation of controls, as opposed to addressing all controls, from ISO/IEC 27002 are excluded from the ISMS family of standards.

To reflect the changing status of the ISMS family of standards, this International Standard is expected to be continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards.

Information technology — Security techniques — Information security management systems — Overview and vocabulary

1 Scope

This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) terms and definitions for use in the ISMS family of standards.

This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its entry number in parentheses. Such a boldface term can be replaced in the definition by its complete definition. For example: attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)”; asset is defined as “anything that has value to the organization”. If the term “asset” is replaced by its definition: attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization”.

2.1 access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements

2.2 accountability
responsibility of an entity for its actions and decisions

2.3 asset
anything that has value to the organization
NOTE There are many types of assets, including:
a) information (2.18);
b) software, such as a computer program;
c) physical, such as computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.

2.4 attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)

2.5 authentication
provision of assurance that a claimed characteristic of an entity is correct

2.6 authenticity
property that an entity is what it claims to be

2.7 availability
property of being accessible and usable upon demand by an authorized entity

2.8 business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations

2.9 confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.31)

2.10 control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be administrative, technical, management, or legal in nature
NOTE Control is also used as a synonym for safeguard or countermeasure.

2.11 control objective
statement describing what is to be achieved as a result of implementing controls (2.10)

2.12 corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]

2.13 effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]

2.14 efficiency
relationship between the results achieved and how well the resources have been used

2.15 event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]

2.16 guideline
recommendation of what is expected to be done to achieve an objective

2.17 impact
adverse change to the level of business objectives achieved

2.18 information asset
knowledge or data that has value to the organization

2.19 information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and reliability (2.33) can also be involved.

2.20 information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant

2.21 information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)

2.22 information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.21)

2.23 information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19)

2.24 information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization

2.25 integrity
property of protecting the accuracy and completeness of assets (2.3)

2.26 management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization

2.27 non-repudiation
ability to prove the occurrence of a claimed event (2.15) or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of entities in the event (2.15)

2.28 policy
overall intention and direction as formally expressed by management

2.29 preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]

2.30 procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]

2.31 process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]

2.32 record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]

2.33 reliability
property of consistent intended behaviour and results

2.34 risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]

2.35 risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]

2.36 risk analysis
systematic use of information to identify sources and to estimate risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).

2.37 risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]

2.38 risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]

2.39 risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]

2.40 risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]

2.41 risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]

2.42 risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review.

2.43 risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]

2.44 statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)

2.45 threat
potential cause of an unwanted incident, which may result in harm to a system or organization

2.46 vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)

3 Information security management systems

3.1 Introduction

Organizations of all types and sizes:
a) collect, process, store, and transmit large amounts of information;
b) recognise that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.

Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.

As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.

3.2 What is an ISMS?

3.2.1 Overview and principles

An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.

The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making of modifications as appropriate.

3.2.2 Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection.

An organization's information is dependent upon information and communications technology. This technology is an essential element in any organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information. Where the extent of the interconnected global business environment expands so does the requirement to protect information as this information is now exposed to a wider variety of threats and vulnerabilities.

3.2.3 Information security

Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring sustained business success and continuity, and in minimising impacts, information security involves the application and management of appropriate security measures that involves consideration of a wide range of threats.

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization's business processes.

3.2.4 Management

Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.

In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information assets. Management of information security is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.

NOTE The term “management” may sometimes refer to people (i.e. a person or group of people with authority and responsibility for the conduct and control of an organization). The term “management” addressed in this clause is not in this sense.

3.2.5 Management system

A management system uses a framework of resources to achieve an organization's objectives. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other stakeholders;
b) improve an organization's plans and activities;
c) meet the organization's information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals and to the environment.

3.3 Process approach

Organizations need to identify and manage many activities in order to function effectively and efficiently. Any activity using resources needs to be managed to enable the transformation of inputs into outputs using a set of interrelated or interacting activities – this is also known as a process. The output from one process can directly form the input to another process and generally this transformation is carried out under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.

The process approach for the ISMS presented in the ISMS family of standards is based on the operating principle adopted in ISO's management system standards commonly known as the Plan – Do – Check – Act (PDCA) process.
a) Plan – establish objectives and make plans (analyze the organization's situation, establish the overall objectives and set targets, and develop plans to achieve them);
b) Do – implement plans (do what was planned to do);
c) Check – measure results (measure/monitor the extent to which achievements meet planned objectives); and
d) Act – correct and improve activities (learn from mistakes to improve activities to achieve better results).

3.4 Why an ISMS is important

As part of an organization's ISMS, risks associated with an organization's information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organization.

The adoption of an ISMS is expected to be a strategic decision for an organization and it is necessary that this decision is seamlessly integrated, scaled and updated in accordance with the needs of the organization.

The design and implementation of an organization's ISMS is influenced by the needs and objectives of the organization, security requirements, the business processes employed and the size and structure of the organization. The design and operation of an ISMS needs to reflect the interests and information security requirements of all of the organization's st

...

INTERNATIONAL STANDARD ISO/IEC 27000
First edition 2009-05-01
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Vue d'ensemble et vocabulaire
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Reference number ISO/CEI 27000:2009(F)
© ISO/CEI 2009
COPYRIGHT PROTECTED DOCUMENT
© ISO/CEI 2009
French version published in 2010
Published in Switzerland
Contents Page

Foreword .......................................................................... iv
0 Introduction ...................................................................... v
1 Scope ............................................................................. 1
2 Terms and definitions ............................................................. 1
3 Information security management systems .......................................... 1
3.1 Introduction .................................................................... 6
3.2 What is an ISMS? ................................................................ 6
3.3 Process approach ................................................................ 8
3.4 Why an ISMS is important ........................................................ 8
3.5 Establishing, monitoring, maintaining and improving an ISMS ..................... 9
3.6 ISMS critical success factors .................................................. 11
3.7 Benefits of the ISMS family of standards ....................................... 11
4 The ISMS family of standards ..................................................... 12
4.1 General information ............................................................ 12
4.2 Standards describing an overview and terminology ............................... 13
4.3 Standards specifying requirements .............................................. 14
4.4 Standards describing general guidelines ........................................ 15
4.5 Standards describing sector-specific guidelines ................................ 16
Annex A (informative) Verbal forms for the expression of provisions ................ 17
Annex B (informative) Categorized terms ............................................ 18
Bibliography ....................................................................... 20

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO and IEC shall not be held responsible for failing to identify any such rights or for failing to give notice of their existence.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. Subcommittee ISO/IEC JTC 1 SC 27 benefits from the experience of a committee of experts dedicated to the development of International Standards on management systems for information security, also known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, employee details, or information entrusted to them by customers or third parties.

0.2 The ISMS family of standards

The ISMS family of standards is intended to assist organizations of all types and sizes to implement and operate an ISMS. Within the field "Information technology — Security techniques", the general title of each standard in the ISMS family is as follows:

⎯ ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
⎯ ISO/IEC 27001:2005, Information security management systems — Requirements
⎯ ISO/IEC 27002:2005, Code of practice for information security management
⎯ ISO/IEC 27003, Information security management system implementation guidance
⎯ ISO/IEC 27004, Information security management — Measurement
⎯ ISO/IEC 27005:2008, Information security risk management
⎯ ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
⎯ ISO/IEC 27007, Guidelines for information security management systems auditing
⎯ ISO/IEC 27011:2008, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

NOTE The general title "Information technology – Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.

1) The standards listed in this clause without a year of publication are still under development.
International Standards that are also part of the ISMS family of standards but are not published under "Information technology – Security techniques" are the following:

⎯ ISO/IEC 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002

0.3 Purpose of this International Standard

ISO/IEC 27000 provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

NOTE Annex A provides clarification on how the standards of the ISMS family are to be interpreted according to the verbal forms used, these forms expressing requirements and/or guidelines.

The ISMS family of standards includes standards that:

a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
c) address sector-specific practices for the ISMS;
d) address conformity assessment for an ISMS.

The terms and definitions provided in this International Standard:

a) cover commonly used terms and definitions in the ISMS family of standards;
b) do not cover all terms and definitions used within the ISMS family of standards;
c) do not limit the ISMS family of standards in defining terms for their own use.

Standards addressing only the implementation of controls, as opposed to the treatment of the full set of controls provided in ISO/IEC 27002, are excluded from the ISMS family of standards.

ISO/IEC 27000 is a standard made available free of charge.

To reflect the frequently changing status of the ISMS family of standards, ISO/IEC 27000 is expected to be maintained continually and updated more frequently than is normal for other ISO/IEC standards.
INTERNATIONAL STANDARD ISO/CEI 27000:2009(F)
Information technology — Security techniques — Information security management systems — Overview and vocabulary

1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS);
c) a brief description of the Plan-Do-Check-Act (PDCA) process; and
d) the terms and definitions used in the ISMS family of standards.

This International Standard is applicable to all types of organization (for example: commercial enterprises, government agencies, non-profit organizations).

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

If these terms and definitions also apply to other documents, this shall be indicated in those other documents by means of the following introductory paragraph:

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

A term used in a definition or note which is defined elsewhere in this clause is shown in bold, followed by its entry number in parentheses. Such a bold term may be replaced in the definition or note by its own definition.

For example:

attack (2.4) is defined as an "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)";

asset is defined as "anything that has value to the organization".

Replacing the term "asset" with its definition gives:

attack is then defined as an "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization".
2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements
2.2
accountability
responsibility of an entity for its actions and decisions
2.3
asset
anything that has value to the organization
NOTE There are many types of assets, including:
(a) information (2.18);
(b) software, such as a computer program;
(c) physical assets, such as a computer;
(d) services;
(e) people, and their qualifications, skills and experience;
(f) intangibles, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)
2.5
authentication
means by which an entity provides assurance that a claimed characteristic is legitimate
2.6
authenticity
property that an entity is what it claims to be
2.7
availability
property of being accessible and usable upon demand by an authorized entity
2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations
2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.31)
2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be of administrative, technical, management or legal nature
NOTE Control is also used as a synonym for safeguard or countermeasure.
2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)
2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]
2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]
2.14
efficiency
relationship between the result achieved and the resources used
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]
2.16
guideline
recommendation of what should be done in order to achieve an objective
2.17
impact
adverse change affecting the achievement of business objectives
2.18
information asset
knowledge or data that has value to the organization
2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information; in addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27) and reliability (2.33), can also be involved
2.20
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant
2.21
information security incident
single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)
2.22
information security incident management
processes (2.31) for detecting, reporting, assessing, responding to, resolving and learning from information security incidents (2.21)
2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19)
2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization
2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization
2.27
non-repudiation
ability to prove the occurrence of a given event (2.15) or action and the entities that originated it, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and the involvement of entities in the event (2.15)
2.28
policy
overall intention and direction of an organization as formally expressed by management
2.29
preventive action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
[ISO 9000:2005]
2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]
2.31
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO 9000:2005]
2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]
2.33
reliability
property of consistent intended behaviour and results
2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]
2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]
2.36
risk analysis
systematic use of information to identify sources and to estimate the risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).
2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]
2.38
risk communication
exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
2.39
risk criteria
terms of reference by which the significance of risks (2.34) is assessed
[ISO/IEC Guide 73:2002]
2.40
risk estimation
activity to assign values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]
2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against given risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]
2.42
risk management
coordinated activities to direct and control an organization with regard to risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review.
2.43
risk treatment
process (2.31) of selection and implementation of measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)
2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)

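The risk vocabulary of 2.34 to 2.43 composes into one workflow: risk analysis identifies sources and estimates the risk, risk estimation assigns values to probability and consequence, risk evaluation compares the estimate with the risk criteria, risk treatment selects controls that modify the risk, and risk acceptance is an explicit decision on what remains. The following Python model is an added example, not text or code from the standard; the 5-point ordinal scales, the multiplicative combination, the risk criteria thresholds and the sample risk and controls are all constructed assumptions.

```python
"""Worked model of the risk vocabulary in clause 2.34 to 2.43 (added example,
not text from the standard). The ordinal scales, the risk criteria and the
sample risk below are constructed assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List

# 2.40 risk estimation assigns values to probability and consequences; the
# 5-point ordinal scales are an assumption of this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class RiskCriteria:
    """2.39 risk criteria: terms of reference by which risk significance is assessed.
    Levels above `treat_above` must be treated (2.43); levels at or below
    `accept_at_most` may be accepted as they are (2.35). Thresholds are assumed."""
    accept_at_most: int = 6
    treat_above: int = 6

@dataclass
class Control:
    """2.10 control: a means of managing risk, modelled here only by how many
    scale points it removes from likelihood or consequence (assumed values)."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0

@dataclass
class InformationSecurityRisk:
    """2.24 information security risk: a threat (2.45) exploiting a vulnerability
    (2.46) of an asset (2.3), with the values assigned by risk estimation (2.40)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    controls: List[Control] = field(default_factory=list)
    accepted: bool = False  # 2.35 risk acceptance is an explicit decision

    def estimate(self) -> int:
        """2.34 risk: combination of the probability of an event and its consequence.
        Combining the two ordinal values by multiplication is this example's choice;
        controls already selected (2.43) are applied, so this is the residual level."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        con = CONSEQUENCE[self.consequence] - sum(c.consequence_reduction for c in self.controls)
        return max(1, lik) * max(1, con)  # a control never drives a value below the scale

    def evaluate(self, criteria: RiskCriteria) -> str:
        """2.41 risk evaluation: compare the estimated risk against the risk criteria
        to determine its significance ("treat", "review" or "acceptable")."""
        level = self.estimate()
        if level > criteria.treat_above:
            return "treat"
        return "acceptable" if level <= criteria.accept_at_most else "review"

    def treat(self, control: Control) -> int:
        """2.43 risk treatment: select and implement a measure that modifies the risk.
        Returns the residual level after the control is applied."""
        self.controls.append(control)
        return self.estimate()

    def accept(self, criteria: RiskCriteria) -> bool:
        """2.35 risk acceptance: the decision is recorded only when evaluation no
        longer demands treatment; a risk still rated "treat" cannot be accepted."""
        self.accepted = self.evaluate(criteria) != "treat"
        return self.accepted

def run_risk_management(risk: InformationSecurityRisk, candidates: List[Control],
                        criteria: RiskCriteria) -> Dict[str, object]:
    """2.42 risk management as coordinated activities: assess (2.37), treat (2.43)
    with the candidate controls in order until the criteria are met or the
    candidates run out, then decide on acceptance (2.35). The returned dict is the
    record (2.32) of what was done, including the initial and residual levels."""
    history = [risk.estimate()]
    for control in candidates:
        if risk.evaluate(criteria) != "treat":
            break  # stop treating once the criteria no longer demand it
        history.append(risk.treat(control))
    return {
        "initial": history[0],
        "residual": history[-1],
        "controls_applied": [c.name for c in risk.controls],
        "evaluation": risk.evaluate(criteria),
        "accepted": risk.accept(criteria),
    }

# Constructed sample risk and candidate controls; not taken from the standard.
SAMPLE_RISK = InformationSecurityRisk(
    asset="customer database", threat="external attacker",
    vulnerability="unpatched web server", likelihood="likely", consequence="major")
SAMPLE_CONTROLS = [
    Control("patch management process", likelihood_reduction=2),
    Control("database encryption at rest", consequence_reduction=1),
    Control("network segmentation", likelihood_reduction=1),  # not needed in this run
]

if __name__ == "__main__":
    print(run_risk_management(SAMPLE_RISK, SAMPLE_CONTROLS, RiskCriteria()))
```

Note that the acceptance step refuses a risk the evaluation still rates "treat", so the record shows which controls were actually needed to reach the criteria rather than every candidate listed.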
3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:

a) collect, process, store and transmit large amounts of information;
b) recognize that information, and the related processes, systems, networks and people, are important assets for achieving the organization's objectives;
c) face a range of risks that may affect the functioning of assets; and
d) modify risks by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, natural events (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value and which, as such, requires appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for the organization's efficiency.

Protecting its assets is essential for an organization to achieve its objectives, comply with the law and maintain its image. Protecting information assets by defining, achieving, maintaining and effectively improving information security is essential to enable an organization to achieve its objectives and to maintain and improve its legal compliance and image. These coordinated activities directing the implementation of suitable controls and the treatment of unacceptable information security risks are generally known as elements of information security management.

As information security risks and the effectiveness of controls change depending on circumstances, organizations need to:

a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.


To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.

3.2 What is an ISMS?
3.2.1 Overview and principles

An ISMS (Information Security Management System) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives, based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks. Analysing the requirements for the protection of information assets and applying appropriate controls to ensure the protection of these assets as required contributes to the successful implementation of an ISMS. The following fundamental principles also contribute to it:

a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information systems and networks;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management; and
i) continual reassessment of information security and making modifications as appropriate.

3.2.2 Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, including digital form (for example, data files stored on electronic or optical media), material form (for example, on paper), as well as the knowledge of employees, which does not constitute tangible information. Information may be transmitted by various means, including by courier, by electronic communication or verbally. Whatever form information takes, or whatever means it is transmitted by, it always needs appropriate protection.

The information of an organization depends on information and communications technology. This technology is an essential element in any organization and facilitates the creation, processing, storage, transmission, protection and destruction of information. As the extent of organizations' interconnected global working environments increases, so does the need to protect information, since this information is now exposed to a wider variety of threats and vulnerabilities.

3.2.3 Information security

Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring the lasting success and continuity of the organization, and of minimizing impacts, information security involves the application and management of appropriate security controls, which involves consideration of a wide range of threats.

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the infor
...

SLOVENIAN STANDARD SIST ISO/IEC 27000
March 2011
Information technology – Security techniques – Information security management systems – Overview and vocabulary
Reference designation
ICS 01.140.35, 35.040 SIST ISO/IEC 27000:2011 (sl)
Continued on pages 2 to 25

© 2013-05 Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

SIST ISO/IEC 27000 : 2011
NATIONAL INTRODUCTION

The standard SIST ISO/IEC 27000 (sl), Information technology – Security techniques – Information security management systems – Overview and vocabulary, 2011, has the status of a Slovenian standard and is identical to the International Standard ISO/IEC 27000 (en), Information technology – Security techniques – Information security management systems – Overview and vocabulary, first edition, 2009-05-01.

NATIONAL FOREWORD

The International Standard ISO/IEC 27000:2009 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.

The Slovenian standard SIST ISO/IEC 27000:2011 is a translation of the International Standard ISO/IEC 27000:2009. The Slovenian edition of the standard SIST ISO/IEC 27000:2011 was prepared by the technical committee SIST/TC ITC Information technology. In case of dispute concerning the text of the Slovenian translation, the original International Standard in English prevails.

The decision to publish this standard was taken by SIST/TC ITC Information technology on 18 November 2010.

BASIS FOR THE PUBLICATION OF THE STANDARD
– adoption of the standard ISO/IEC 27000:2009

NOTES

– Wherever the expression "International Standard" is used in the text of the standard, in SIST ISO/IEC 27000:2011 it means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
– The definitions of terms are taken from the International Standards ISO 9000, Quality management systems – Fundamentals and vocabulary, and ISO Guide 73, Risk management – Vocabulary.
– In the text of SIST ISO/IEC 27000, clauses 0.2, 4.1, 4.2, 4.3, 4.4 and 4.5 and the annex refer to the International Standards ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005, ISO/IEC 27006, ISO/IEC 27007, ISO/IEC 27011 and ISO 27799. In each case their latest edition is meant.
CONTENTS Page

Foreword ............................................................................ 4
0 Introduction ...................................................................... 5
1 Scope ............................................................................. 7
2 Terms and definitions ............................................................. 7
3 Information security management systems ......................................... 12
3.1 Introduction ................................................................... 12
3.2 What is an ISMS ................................................................ 12
3.3 Process approach ............................................................... 14
3.4 Why an ISMS is important ....................................................... 14
3.5 Establishing, monitoring, maintaining and improving an ISMS .................... 15
3.6 ISMS critical success factors .................................................. 16
3.7 Benefits of the ISMS family of standards ....................................... 17
4 The ISMS family of standards ..................................................... 17
4.1 General information ............................................................ 17
4.2 Standards describing an overview and terminology ............................... 18
4.3 Standards specifying requirements .............................................. 19
4.4 Standards describing general guidelines ........................................ 19
4.5 Standards describing sector-specific guidelines ................................ 20
Annex A (informative): Verbal forms for the expression of provisions ............... 22
Annex B (informative): Categorization of terms ..................................... 23
Bibliography ....................................................................... 25


SIST ISO/IEC 27000 : 2011
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to all member bodies for voting. Publication as an International Standard requires approval by at least 75 percent of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. Within ISO/IEC JTC 1 SC 27 an expert committee is dedicated to the development of International Standards for information security management systems, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information and prepare for an independent assessment of the ISMS they apply to the protection of information, such as financial information, intellectual property and employee details, or information entrusted to them by customers or third parties.

0.2 ISMS family of standards

The purpose of the ISMS family of standards is to assist organizations of all types and sizes in implementing and operating an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology – Security techniques:

− ISO/IEC 27000:2009, Information security management systems – Overview and vocabulary
− ISO/IEC 27001:2005, Information security management systems – Requirements
− ISO/IEC 27002:2005, Code of practice for information security management
− ISO/IEC 27003, Information security management system implementation guidance
− ISO/IEC 27004, Information security management – Measurement
− ISO/IEC 27005:2008, Information security risk management
− ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
− ISO/IEC 27007, Guidelines for information security management systems auditing
− ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

NOTE: The general title "Information technology – Security techniques" indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

An International Standard not under the same general title that is also part of the ISMS family of standards is:

− ISO 27799:2008, Health informatics – Information security management in health using ISO/IEC 27002

The standards listed in this subclause without a year of publication are still under development.

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines the related terms.

NOTE: Annex A explains the use of verbal forms for expressing requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems,
b) provide direct support, detailed guidance and/or interpretation for the overall processes and requirements of the "plan-do-check-act" (PDCA) process,
c) address sector-specific guidelines for an ISMS,
d) address conformity assessment for an ISMS.

The terms and definitions provided in this International Standard:
− cover terms and definitions commonly used in the ISMS family of standards,
− will not cover all terms and definitions applied within the ISMS family of standards, and
− do not limit the ISMS family of standards in defining terms for their own use.

Standards addressing only the implementation of controls, as opposed to addressing all controls, are excluded from the ISMS family of standards.

To reflect the changing status of the ISMS family of standards, this International Standard is expected to be updated on a continual basis and more frequently than is normally the case for other ISO/IEC standards.
Information technology – Security techniques – Information security management systems – Overview and vocabulary

1 Scope
This International Standard provides:
a) an overview of the ISMS family of standards,
b) an introduction to information security management systems (ISMS),
c) a brief description of the plan-do-check-act (PDCA) process, and
d) terms and definitions for use in the ISMS family of standards.

This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations).

2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

NOTE: A term in a definition or note that is defined elsewhere in this clause is indicated in bold type and followed by its entry number in parentheses. Such a bold term in a definition may be replaced by its complete definition.

For example:

attack (2.4) is defined as "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to an asset or make unauthorized use of that asset (2.3)",
asset is defined as "anything that has value to the organization".
If the term "asset" is replaced by its definition:

attack then becomes "attempt to destroy, expose, alter, disable, steal or gain unauthorized access to anything that has value to the organization, or make unauthorized use of anything that has value to the organization".

2.1
access control
means to ensure that access to assets (2.3) is authorized and restricted based on business and security requirements

2.2
accountability
responsibility of an entity for its actions and decisions

2.3
asset
anything that has value to the organization
NOTE: There are many types of assets, including:
a) information (2.18),
b) software, such as a computer program,
c) physical assets, such as a computer,
d) services,
e) people and their qualifications, skills and experience, and
f) intangibles, such as reputation and image.
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to an asset or make unauthorized use of that asset (2.3)

2.5
authentication
provision of assurance that a claimed characteristic of an entity is correct

2.6
authenticity
property that an entity is what it claims to be

2.7
availability
property of being accessible and usable upon demand by an authorized entity

2.8
business continuity
processes (2.31) and/or procedures (2.30) for ensuring continued business operations

2.9
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes (2.31)

2.10
control
means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or organizational structures, which can be of administrative, technical, management or legal nature
NOTE: Control is also used as a synonym for safeguard or countermeasure.

2.11
control objective
statement describing what is to be achieved as a result of implementing controls (2.10)

2.12
corrective action
action to eliminate the cause of a detected nonconformity or other undesirable situation
[ISO 9000:2005]

2.13
effectiveness
extent to which planned activities are realized and planned results achieved
[ISO 9000:2005]

2.14
efficiency
relationship between the results achieved and the resources used to achieve them

1) Note SI: In the ISMS family of standards the term "popravni ukrep" (corrective action) is also used.
2.15
event
occurrence of a particular set of circumstances
[ISO/IEC Guide 73:2002]

2.16
guideline
recommendation of what is expected to be done to achieve an objective

2.17
impact
adverse change to the level of business objectives achieved

2.18
information
knowledge or data that has value to the organization

2.19
information security
preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
NOTE: In addition, other properties such as authenticity (2.6), accountability (2.2), non-repudiation (2.27) and reliability (2.33) can also be involved.

2.20
information security event
identified occurrence in a system, service or network indicating a possible breach of information security (2.19) or policy (2.28), a failure of controls (2.10), or a previously unknown situation that may be security relevant

2.21
information security incident
one or more unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19)

2.22
information security incident management
processes (2.31) for detecting, reporting and assessing information security incidents (2.21), and for responding to, dealing with and learning from them

2.23
information security management system
ISMS
part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (2.19)

2.24
information security risk
potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization

2.25
integrity
property of protecting the accuracy and completeness of assets (2.3)
2.26
management system
framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization

2.27
non-repudiation
ability to prove that a particular entity performed a claimed event (2.15) or action, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and the involvement of the entity in the event (2.15)

2.28
policy
overall intention and direction as formally expressed by management

2.29
preventive action
action to eliminate the cause of a potential nonconformity or other potential undesirable situation
[ISO 9000:2005]

2.30
procedure
specified way to carry out an activity or a process (2.31)
[ISO 9000:2005]

2.31
process
set of interrelated or interacting activities that transforms inputs into outputs
[ISO 9000:2005]

2.32
record
document stating results achieved or providing evidence of activities performed
[ISO 9000:2005]

2.33
reliability
property of consistent intended behaviour and results

2.34
risk
combination of the probability of an event (2.15) and its consequence
[ISO/IEC Guide 73:2002]

2.35
risk acceptance
decision to accept a risk (2.34)
[ISO/IEC Guide 73:2002]

Note SI: In the ISMS family of standards the term "preprečevalni ukrep" (preventive action) is also used.

2.36
risk analysis
systematic use of information to identify sources and to estimate the risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE: Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35).

2.37
risk assessment
overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41)
[ISO/IEC Guide 73:2002]

2.38
risk communication
exchange or sharing of information about risk (2.34) between decision-makers and other stakeholders
[ISO/IEC Guide 73:2002]

2.39
risk criteria
terms of reference by which the significance of risk (2.34) is assessed
[ISO/IEC Guide 73:2002]

2.40
risk estimation
activity of assigning values to the probability and consequences of a risk (2.34)
[ISO/IEC Guide 73:2002]

2.41
risk evaluation
process (2.31) of comparing the estimated risk (2.34) against risk criteria (2.39) to determine the significance of the risk (2.34)
[ISO/IEC Guide 73:2002]

2.42
risk management
coordinated activities of an organization to direct and control risk (2.34)
[ISO/IEC Guide 73:2002]
NOTE: Risk management generally includes risk assessment (2.37), risk treatment (2.43), risk acceptance (2.35), risk communication (2.38), risk monitoring and risk review.

2.43
risk treatment
process (2.31) of selecting and implementing measures to modify risk (2.34)
[ISO/IEC Guide 73:2002]
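The chain of risk terms in 2.24 and 2.34 to 2.44 (estimation, criteria, evaluation, acceptance, treatment, statement of applicability) as a small executable model. This is an added example, not text of the standard: the ordinal scales, the acceptance threshold, the sample risks and the treatment plan are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RiskCriteria:
    """2.39 risk criteria. Constructed here as 1..scale_max ordinal scales plus a
    risk level at or below which the 2.35 decision is to accept the risk."""
    scale_max: int = 5
    acceptance_level: int = 6

@dataclass(frozen=True)
class Risk:
    """2.24: a threat (2.45) exploiting a vulnerability (2.46) of an asset (2.3);
    likelihood and consequence are the values assigned by risk estimation (2.40)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    consequence: int
    controls: tuple = ()  # 2.10 controls applied so far by risk treatment (2.43)

    @property
    def level(self) -> int:
        """2.34 risk: combination of the probability of an event and its consequence."""
        return self.likelihood * self.consequence

def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """2.41 risk evaluation: compare the estimated risk with the risk criteria;
    the significance is expressed here as the 2.35 accept/treat decision."""
    for value in (risk.likelihood, risk.consequence):
        if not 1 <= value <= criteria.scale_max:
            raise ValueError(f"estimate {value} is outside the 1..{criteria.scale_max} scale")
    return "accept" if risk.level <= criteria.acceptance_level else "treat"

def treat(risk: Risk, control: str, dl: int = 0, dc: int = 0) -> Risk:
    """2.43 risk treatment: apply one control and return the residual risk (floor 1)."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - dl),
                   consequence=max(1, risk.consequence - dc),
                   controls=risk.controls + (control,))

def assess_and_treat(risks, plan, criteria):
    """2.37 risk assessment (analysis + evaluation), then treatment: apply the planned
    controls in order only until acceptable. A final 'treat' means the plan ran out."""
    results = []
    for risk in risks:
        decision = evaluate(risk, criteria)
        for control, dl, dc in plan.get((risk.asset, risk.threat), []):
            if decision == "accept":
                break
            risk = treat(risk, control, dl, dc)
            decision = evaluate(risk, criteria)
        results.append((risk, decision))
    return results

def statement_of_applicability(results):
    """2.44: the applicable controls, each justified by the residual risks it treats."""
    soa = {}
    for risk, _ in results:
        for control in risk.controls:
            soa.setdefault(control, []).append(f"{risk.asset}: {risk.threat}")
    return soa

# Constructed sample input; none of these values come from the standard.
SAMPLE_RISKS = [
    Risk("customer database", "unauthorised disclosure", "shared admin account", 4, 5),
    Risk("office printer", "paper jam", "ageing hardware", 3, 1),
]
SAMPLE_PLAN = {
    ("customer database", "unauthorised disclosure"): [
        ("individual accounts with access control (2.1)", 2, 0),
        ("encryption of stored data", 0, 2),
        ("quarterly access review", 1, 0),
    ],
}
```

With the default criteria the database risk (level 20) needs two of the three planned controls before it reaches the acceptance level, so the third control never appears in the statement of applicability; the printer risk is accepted untreated.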
2.44
statement of applicability
documented statement describing the control objectives (2.11) and controls (2.10) that are relevant and applicable to the organization's ISMS (2.23)

2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization

2.46
vulnerability
weakness of an asset (2.3) or control (2.10) that can be exploited by a threat (2.45)

3 Information security management systems
3.1 Introduction
Organizations of all types and sizes:
a) collect, process, store and transmit large amounts of information,
b) recognize that information and the related processes, systems, networks and people are important assets for achieving the organization's objectives,
c) face a range of risks that may affect the functioning of assets, and
d) mitigate the risks by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example flood or fire) and so on, and is subject to vulnerabilities inherent in its use. The term information security is based on the perception of information as an asset with a value that requires appropriate protection, for example against loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to authorized users promotes business efficiency.

Protecting information is essential for an organization to achieve its objectives and to maintain and enhance its legal compliance and image, by defining, achieving, maintaining and improving information security. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.

As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures,
b) identify emerging risks to be treated, and
c) select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.

3.2 What is an ISMS
3.2.1 Overview and principles

An ISMS (information security management system) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information to achieve business objectives, based on a risk assessment and the organization's acceptable levels of risk, designed to effectively treat and manage risks. Analysing the requirements for the protection of information and applying appropriate controls to protect that information contribute to the successful implementation of an ISMS in an organization. The following fundamental principles also contribute to the successful implementation of an ISMS:

a) awareness of the need for information security,
b) assignment of responsibility for information security,
c) incorporating management commitment and the interests of stakeholders,
d) enhancing societal values,
e) risk assessments determining appropriate controls to reach acceptable levels of risk,
f) incorporating security as an essential element of information networks and systems,
g) active prevention and detection of information security incidents,
h) ensuring a comprehensive approach to information security management, and
i) continual reassessment of information security and making modifications as appropriate.

3.2.2 Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can be stored in many forms, such as digital form (e.g. data stored on electronic or optical media) and material form (e.g. on paper), as well as unrepresented information in the form of the knowledge of employees. Information may be transmitted by various means, including courier, electronic or verbal communication. Whatever form information takes, or the means by which it is transmitted, it always needs appropriate protection.

An organization's information depends on its information and communications technology. This technology is an essential element in every organization and assists in the creation, processing, storage, transmission, protection and destruction of information. As the scope of interconnected global business expands, so do the requirements for protecting information, since information is now exposed to a wider range of threats and vulnerabilities.

3.2.3 Information security

Information security includes three main dimensions: confidentiality, availability and integrity. With the aim of ensuring sustained business success and continuity and of minimizing impacts, information security involves the application and management of appropriate security measures, which must take into consideration a wide range of threats.

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information. These controls need to be specified, implemented, monitored, reviewed and, where necessary, improved, to ensure that the specific security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated into the organization's business processes.

3.2.4 Management

Management involves activities to direct, control and continually improve the organization within appropriate structures. Management activities include the act, manner or practice of organizing, handling, directing, supervising and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.

In terms of an ISMS, management involves the supervision and decision-making necessary to achieve business objectives through the protection of the organization's information. Management of information security is expressed through the formulation and use of information security policies, standards, procedures and guidelines, which are then applied throughout the organization by all individuals associated with it.
NOTE: The term "management" may sometimes refer to people (i.e. a person or group of people with authority and responsibility for the conduct and control of an organization). The term "management" as discussed in this clause is not used in that sense.

3.2.5 Management system

A management system uses a framework of resources to achieve an organization's objectives. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
In terms of information security, a management system allows an organization to:
a) satisfy the security requirements of customers and other interested parties,
b) improve the organization's plans and activities,
c) meet the organization's information security objectives,
d) comply with regulations, legislation and industry mandates, and
e) manage information in an organized way that facilitates continual improvement and adjustment to current organizational goals and environment.

3.3 Process approach

Organizations need to identify and manage many activities in order to function effectively and efficiently. Any activity using resources needs to be managed to enable the transformation of inputs into outputs using a set of interrelated or interacting activities; this is also known as a process. The output from one process can directly form the input to another process, and generally this transformation is carried out under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interaction of these processes and their management, can be referred to as a "process approach".

The process approach for an ISMS presented in the ISMS family of standards is based on the operating principle adopted in ISO's management system standards, commonly known as the "plan-do-check-act" (PDCA) process:

a) Plan – set objectives and make plans (analyse the organization's situation, establish the overall objectives, set specific targets and develop plans to achieve them);
b) Do – implement the plans (do what was planned to be done);
c) Check – measure the results (measure/monitor the extent to which achievements meet the planned objectives); and
d) Act – correct and improve the activities (learn from mistakes to improve activities and achieve better results).

3.4 Why an ISMS is important

The risks associated with an organization's information need to be addressed within the organization's ISMS. Achieving information security requires the management of risk and encompasses risks arising from physical, human and technology-related threats associated with all forms of information within the organization or used by it.

The adoption of an ISMS should be a strategic decision for an organization, and this decision needs to be integrated as a whole, spread
...
