iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
SIST

oSIST ISO/IEC 27005:2011

(Main)

Information technology - Security techniques - Information security risk management

Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

Technologies de l'information - Techniques de sécurité - Gestion des risques en sécurité de l'information

L'ISO/CEI 27005:2008 fournit des lignes directrices relatives à la gestion des risques en sécurité de l'information. Elle vient en appui des concepts généraux énoncés dans l'ISO/CEI 27001; elle est conçue pour aider à la mise en place de la sécurité de l'information basée sur une approche de gestion des risques. Il est important de connaître les concepts, les modèles, les processus et les terminologies décrites dans l'ISO/CEI 27001 et l'ISO/CEI 27002 afin de bien comprendre l'ISO/CEI 27005:2008. L'ISO/CEI 27005:2008 est applicable à tous types d'organisations (par exemple les entreprises commerciales, les agences gouvernementales, les organisations à but non lucratif) qui ont l'intention de gérer des risques susceptibles de compromettre la sécurité des informations de l'organisation.

Informacijska tehnologija - Varnostne tehnike - Upravljanje tveganj informacijske varnosti

General Information

Status
Not Published
Public Enquiry End Date
28-Feb-2011
ICS
03.100.70 - Management systems
35.030 - IT Security
Technical Committee
ITC - Information technology
Current Stage
98 - Abandoned project (Adopted Project)
Start Date
22-Jun-2011
Due Date
27-Jun-2011
Completion Date
03-Aug-2011
Ref Project
ISO/IEC 27005:2008 - Information technology — Security techniques — Information security risk management

Buy Standard

ISO/IEC 27005:2008 - Information technology -- Security techniques -- Information security risk managementISO/IEC 27005:2008 - Information technology -- Security techniques -- Information security risk management
PreviousNext
Standard
ISO/IEC 27005:2008 - Information technology -- Security techniques -- Information security risk management
English language
55 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC 27005:2008 - Technologies de l'information -- Techniques de sécurité -- Gestion des risques en sécurité de l'informationISO/IEC 27005:2008 - Technologies de l'information -- Techniques de sécurité -- Gestion des risques en sécurité de l'information
PreviousNext
Standard
ISO/IEC 27005:2008 - Technologies de l'information -- Techniques de sécurité -- Gestion des risques en sécurité de l'information
French language
61 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC 27005:2011ISO/IEC 27005:2011
PreviousNext
Draft
ISO/IEC 27005:2011
English language
61 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


INTERNATIONAL ISO/IEC
STANDARD 27005
First edition
2008-06-15
Information technology — Security
techniques — Information security risk
management
Technologies de l'information — Techniques de sécurité — Gestion du
risque en sécurité de l'information

Reference number
©
ISO/IEC 2008
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2008 – All rights reserved

Contents Page
Foreword. v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Structure of this International Standard. 3
5 Background . 3
6 Overview of the information security risk management process. 4
7 Context establishment . 7
7.1 General considerations. 7
7.2 Basic Criteria. 7
7.3 The scope and boundaries . 8
7.4 Organization for information security risk management. 9
8 Information security risk assessment . 9
8.1 General description of information security risk assessment. 9
8.2 Risk analysis . 10
8.2.1 Risk identification. 10
8.2.2 Risk estimation . 14
8.3 Risk evaluation. 16
9 Information security risk treatment . 17
9.1 General description of risk treatment. 17
9.2 Risk reduction . 19
9.3 Risk retention . 20
9.4 Risk avoidance. 20
9.5 Risk transfer . 20
10 Information security risk acceptance . 21
11 Information security risk communication . 21
12 Information security risk monitoring and review . 22
12.1 Monitoring and review of risk factors. 22
12.2 Risk management monitoring, reviewing and improving. 23
Annex A (informative) Defining the scope and boundaries of the information security risk
management process. 25
A.1 Study of the organization. 25
A.2 List of the constraints affecting the organization . 26
A.3 List of the legislative and regulatory references applicable to the organization. 28
A.4 List of the constraints affecting the scope . 28
Annex B (informative) Identification and valuation of assets and impact assessment. 30
B.1 Examples of asset identification . 30
B.1.1 The identification of primary assets . 30
B.1.2 List and description of supporting assets .31
B.2 Asset valuation . 35
B.3 Impact assessment. 38
Annex C (informative) Examples of typical threats . 39
Annex D (informative) Vulnerabilities and methods for vulnerability assessment . 42
© ISO/IEC 2008 – All rights reserved iii

D.1 Examples of vulnerabilities. 42
D.2 Methods for assessment of technical vulnerabilities. 45
Annex E (informative) Information security risk assessment approaches . 47
E.1 High-level information security risk assessment . 47
E.2 Detailed information security risk assessment . 48
E.2.1 Example 1 Matrix with predefined values.48
E.2.2 Example 2 Ranking of Threats by Measures of Risk. 50
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks . 51
Annex F (informative) Constraints for risk reduction . 53
Bibliography . 55

iv © ISO/IEC 2008 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This first edition of ISO/IEC 27005 cancels and replaces ISO/IEC TR 13335-3:1998, and
ISO/IEC TR 13335-4:2000, of which it constitutes a technical revision.
© ISO/IEC 2008 – All rights reserved v

Introduction
This International Standard provides guidelines for Information Security Risk Management in an organization,
supporting in particular the requirements of an ISMS according to ISO/IEC 27001. However, this International
Standard does not provide any specific methodology for information security risk management. It is up to the
organization to define their approach to risk management, depending for example on the scope of the ISMS,
context of risk management, or industry sector. A number of existing methodologies can be used under the
framework described in this International Standard to implement the requirements of an ISMS.
This International Standard is relevant to managers and staff concerned with information security risk
management within an organization and, where appropriate, external parties supporting such activities.

vi © ISO/IEC 2008 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 27005:2008(E)

Information technology — Security techniques — Information
security risk management
1 Scope
This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to
assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and
ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard is applicable to all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations) which intend to manage risks that could compromise the
organization’s information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information
security management
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27001, ISO/IEC 27002 and the
following apply.
3.1
impact
adverse change to the level of business objectives achieved
3.2
information security risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm
to the organization
NOTE It is measured in terms of a combination of the likelihood of an event and its consequence.
© ISO/IEC 2008 – All rights reserved 1

3.3
risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
[ISO/IEC Guide 73:2002]
3.4
risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
3.5
risk estimation
process to assign values to the probabil
...


NORME ISO/CEI
INTERNATIONALE 27005
Première édition
2008-06-15
Technologies de l'information —
Techniques de sécurité — Gestion
des risques en sécurité de l'information
Information technology — Security techniques — Information security
risk management
Numéro de référence
ISO/CEI 27005:2008(F)
©
ISO/CEI 2008
ISO/CEI 27005:2008(F)
PDF – Exonération de responsabilité
Le présent fichier PDF peut contenir des polices de caractères intégrées. Conformément aux conditions de licence d'Adobe, ce fichier
peut être imprimé ou visualisé, mais ne doit pas être modifié à moins que l'ordinateur employé à cet effet ne bénéficie d'une licence
autorisant l'utilisation de ces polices et que celles-ci y soient installées. Lors du téléchargement de ce fichier, les parties concernées
acceptent de fait la responsabilité de ne pas enfreindre les conditions de licence d'Adobe. Le Secrétariat central de l'ISO décline toute
responsabilité en la matière.
Adobe est une marque déposée d'Adobe Systems Incorporated.
Les détails relatifs aux produits logiciels utilisés pour la création du présent fichier PDF sont disponibles dans la rubrique General Info
du fichier; les paramètres de création PDF ont été optimisés pour l'impression. Toutes les mesures ont été prises pour garantir
l'exploitation de ce fichier par les comités membres de l'ISO. Dans le cas peu probable où surviendrait un problème d'utilisation,
veuillez en informer le Secrétariat central à l'adresse donnée ci-dessous.

DOCUMENT PROTÉGÉ PAR COPYRIGHT

©  ISO/CEI 2008
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Version française parue en 2010
Publié en Suisse
ii © ISO/CEI 2008 – Tous droits réservés

ISO/CEI 27005:2008(F)
Sommaire Page
Avant-propos .v
Introduction.vi
1 Domaine d'application .1
2 Références normatives.1
3 Termes et définitions .1
4 Structure de la présente Norme internationale .3
5 Contexte .3
6 Présentation générale du processus de gestion des risques en sécurité de l'information.4
7 Établissement du contexte.7
7.1 Considérations générales.7
7.2 Critères de base.7
7.3 Domaine d'application et limites.9
7.4 Organisation de la gestion des risques en sécurité de l'information .10
8 Appréciation des risques en sécurité de l'information .10
8.1 Description générale de l'appréciation des risques en sécurité de l'information.10
8.2 Analyse des risques.11
8.2.1 Identification des risques .11
8.2.2 Estimation des risques .15
8.3 Évaluation du risque .18
9 Traitement des risques en sécurité de l'information.19
9.1 Description générale du traitement des risques.19
9.2 Réduction du risque.21
9.3 Maintien du risque.22
9.4 Refus du risque .23
9.5 Transfert du risque.23
10 Acceptation des risques en sécurité de l'information.23
11 Communication relative aux risques en sécurité de l'information .24
12 Surveillance et revue du risque en sécurité de l'information .25
12.1 Surveillance et revue des facteurs de risque .25
12.2 Surveillance, revue et amélioration de la gestion des risques.26
Annexe A (informative) Définition du domaine d'application et des limites du processus de
gestion des risques en sécurité de l'information.28
A.1 Étude de l'organisation.28
A.2 Liste des contraintes affectant l'organisation.29
A.3 Liste des références législatives et réglementaires applicables à l'organisation.31
A.4 Liste des contraintes affectant le domaine d'application .31
Annexe B (informative) Identification et évaluation des actifs et appréciation des impacts.34
B.1 Exemples d'identification des actifs.34
B.1.1 Identification des actifs primordiaux.34
B.1.2 Liste et description des actifs en support .35
B.2 Évaluation des actifs.40
B.3 Appréciation des impacts.43
Annexe C (informative) Exemples de menaces types.45
© ISO/CEI 2008 – Tous droits réservés iii

ISO/CEI 27005:2008(F)
Annexe D (informative) Vulnérabilités et méthodes d'appréciation des vulnérabilités .47
D.1 Exemples de vulnérabilités.47
D.2 Méthodes d'appréciation des vulnérabilités techniques.50
Annexe E (informative) Approches d'appréciation des risques en sécurité de l'information.52
E.1 Appréciation des risques de haut niveau en sécurité de l'information .52
E.2 Appréciation détaillée des risques en sécurité de l'information .53
E.2.1 Exemple 1 — Matrice avec valeurs prédéfinies.54
E.2.2 Exemple 2 — Classement des menaces par mesures des risques.56
E.2.3 Exemple 3 — Appréciation d'une valeur relative à la vraisemblance et aux conséquences
possibles des risques .57
Annexe F (informative) Contraintes liées à la réduction du risque.59
Bibliographie .61

iv © ISO/CEI 2008 – Tous droits réservés

ISO/CEI 27005:2008(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes nationaux de
normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est en général confiée
aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude a le droit de faire partie du
comité technique créé à cet effet. Les organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO participent également aux travaux. L'ISO collabore étroitement avec
la Commission électrotechnique internationale (CEI) en ce qui concerne la normalisation électrotechnique.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives ISO/CEI,
Partie 2.
La tâche principale des comités techniques est d'élaborer les Normes internationales. Les projets de Normes
internationales adoptés par les comités techniques sont soumis aux comités membres pour vote. Leur
publication comme Normes internationales requiert l'approbation de 75 % au moins des comités membres
votants.
L'attention est appelée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO et la CEI ne sauraient être tenues pour
responsables de ne pas avoir identifié de tels droits de propriété et averti de leur existence.
L'ISO/CEI 27005 a été élaborée par le comité technique ISO/TC JTC 1, Technologies de l'information,
sous-comité SC 27, Techniques de sécurité des technologies de l'information.
Cette première édition de l'ISO/CEI 27005 annule et remplace l'ISO/CEI TR 13335-3:1998 et
l'ISO/CEI TR 13335-4:2000, dont elle constitue une révision technique.
© ISO/CEI 2008 – Tous droits réservés v

ISO/CEI 27005:2008(F)
Introduction
La présente Norme internationale contient des lignes directrices relatives à la gestion des risques en sécurité
de l'information dans une organisation, qui viennent notamment en appui des exigences d'un SMSI (système
de management de la sécurité de l'information) tel que défini dans l'ISO/CEI 27001. Cependant, la présente
Norme internationale ne fournit aucune méthodologie spécifique à la gestion des risques en sécurité de
l'information. Il est du ressort de chaque organisation de définir son approche de la gestion des risques, en
fonction, par exemple, du périmètre du SMSI, de ce qui existe dans l'organisme dans le domaine de la gestion
des risques, ou encore de son secteur industriel. Plusieurs méthodologies existantes peuvent être utilisées en
cohérence avec le cadre décrit dans la présente Norme internationale pour appliquer les exigences du SMSI.
La présente Norme internationale s'adresse aux responsables et aux personnels concernés par la gestion des
risques en sécurité de l'information au sein d'une organisation et, le cas échéant, aux tiers prenant part à ces
activités.
vi © ISO/CEI 2008 – Tous droits réservés

NORME INTERNATIONALE ISO/CEI 27005:2008(F)

Technologies de l'information — Techniques de sécurité —
Gestion des risques en sécurité de l'information
1 Domaine d'application
La présente Norme internationale contient des lignes directrices relatives à la gestion des risques en sécurité
de l'information.
La présente Norme internationale vient en appui des concepts généraux énoncés dans l'ISO/CEI 27001; elle
est conçue pour aider à la mise en place de la sécurité de l'information basée sur une approche de gestion
des risques.
Il est important de connaître les concepts, les modèles, les processus et les terminologies décrites dans
l'ISO/CEI 27001 et l'ISO/CEI 27002 afin de bien comprendre la présente Norme internationale.
La présente Norme internationale est applicable à tous types d'organisations (par exemple les entreprises
commerciales, les agences gouvernementales, les organisations à but non lucratif) qui ont l'intention de gérer
des risques susceptibles de compromettre la sécurité des informations de l'organisation.
2 Références normatives
Les documents de référence suivants sont indispensables à l'application du présent document. Pour les
références datées, seule l'édition citée s'applique. Pour les références non datées, la dernière édition du
document de référence (y compris les éventuels amendements) s'applique.
ISO/CEI 27001:2005, Technologies de l'information — Techniques de sécurité — Systèmes de management
de la sécurité de l'information — Exigences
ISO/CEI 27002:2005, Technologies de l'information — Techniques de sécurité — Code de bonne pratique
pour le management de la sécurité de l'information
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions donnés dans l'ISO/CEI 27001,
l'ISO/CEI 27002 et les suivants s'appliquent.
3.1
impact
changemen
...


2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Upravljanje tveganj informacijske varnostiTechnologies de l'information -- Techniques de sécurité -- Gestion des risques en sécurité de l'informationInformation technology -- Security techniques -- Information security risk management35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:Ta slovenski standard je istoveten z:ISO/IEC 27005:2008oSIST ISO/IEC 27005:2011en,fr01-februar-2011oSIST ISO/IEC 27005:2011SLOVENSKI
STANDARD
Reference numberISO/IEC 27005:2008(E)© ISO/IEC 2008
INTERNATIONAL STANDARD ISO/IEC27005First edition2008-06-15Information technology — Security techniques — Information security risk management Technologies de l'information — Techniques de sécurité — Gestion du risque en sécurité de l'information
©
ISO/IEC 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2008 – All rights reserved
Defining the scope and boundaries of the information security risk management process.25 A.1 Study of the organization.25 A.2 List of the constraints affecting the organization.26 A.3 List of the legislative and regulatory references applicable to the organization.28 A.4 List of the constraints affecting the scope.28 Annex B (informative)
Identification and valuation of assets and impact assessment.30 B.1 Examples of asset identification.30 B.1.1 The identification of primary assets.30 B.1.2 List and description of supporting assets.31 B.2 Asset valuation.35 B.3 Impact assessment.38 Annex C (informative)
Examples of typical threats.39 Annex D (informative)
Vulnerabilities and methods for vulnerability assessment.42 oSIST ISO/IEC 27005:2011

Information security risk assessment approaches.47 E.1 High-level information security risk assessment.47 E.2 Detailed information security risk assessment.48 E.2.1 Example 1 Matrix with predefined values.48 E.2.2 Example 2 Ranking of Threats by Measures of Risk.50 E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks.51 Annex F (informative)
Constraints for risk reduction.53 Bibliography.55
INTERNATIONAL STANDARD ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved 1Information technology — Security techniques — Information security risk management 1 Scope This International Standard provides guidelines for information security risk management. This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard. This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27001, ISO/IEC 27002 and the following apply. 3.1 impact adverse change to the level of business objectives achieved 3.2 information security risk potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization NOTE It is measured in terms of a combination of the likelihood of an event and its consequence. oSIST ISO/IEC 27005:2011
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

SIST
SIST EN ISO/IEC 27001:2023/A1:2025(Amendment)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements - Amendment 1: Climate action changes (ISO/IEC 27001:2022/Amd 1:2024)
EN ISO/IEC 27001:2023/A1:2024
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27005:2024(Main)
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
EN ISO/IEC 27005:2024

This document provides guidance to assist organizations to:
—    fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
—    perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

  • Standard
    71 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    71 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST ISO/IEC 27005:2024(Main)
Information security, cybersecurity and privacy protection - Guidance on managing information security risks
ISO/IEC 27005:2022

This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

  • Standard
    68 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    62 pages
    English language
    sale 15% off
  • Standard
    66 pages
    French language
    sale 15% off
SIST
SIST EN ISO/IEC 27001:2023(Main)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements (ISO/IEC 27001:2022)
EN ISO/IEC 27001:2023

This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document.

  • Standard
    27 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    27 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    26 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27002:2022(Main)
Information security, cybersecurity and privacy protection - Information security controls (ISO/IEC 27002:2022)
EN ISO/IEC 27002:2022

This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.

  • Standard
    164 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27007:2022(Main)
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
EN ISO/IEC 27007:2022

This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27017:2021(Main)
Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC 27017:2015)
EN ISO/IEC 27017:2021

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

  • Standard
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27011:2020(Main)
Information technology - Security techniques - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations (ISO/IEC 27011:2016)
EN ISO/IEC 27011:2020

The scope of this Recommendation | ISO/IEC 27011:2016 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.
The adoption of this Recommendation | ISO/IEC 27011:2016 will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

  • Standard
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27019:2020(Main)
Information technology - Security techniques - Information security controls for the energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)
EN ISO/IEC 27019:2020

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
-      central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
-      digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;
-      all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
-      communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
-      Advanced Metering Infrastructure (AMI) components, e.g. smart meters;
-      measurement devices, e.g. for emission values;
-      digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
-      energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations;
-      distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
-      all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);
-      any premises housing the above-mentioned equipment and systems;
-      remote maintenance systems for above-mentioned systems.
ISO/IEC 27019:2017 does not apply to the process control domain of nuclear facilities. This domain is covered by IEC 62645.
ISO/IEC 27019:2017 also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry-sector?specific guidance provided in this document.

  • Standard
    46 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    46 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27000:2020(Main)
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
EN ISO/IEC 27000:2020

EN ISO/IEC 27000 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    36 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day