oSIST ISO/IEC 27005:2011
(Main)Information technology - Security techniques - Information security risk management
Information technology - Security techniques - Information security risk management
ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
Technologies de l'information - Techniques de sécurité - Gestion des risques en sécurité de l'information
L'ISO/CEI 27005:2008 fournit des lignes directrices relatives � la gestion des risques en s�curit� de l'information. Elle vient en appui des concepts g�n�raux �nonc�s dans l'ISO/CEI 27001; elle est con�ue pour aider � la mise en place de la s�curit� de l'information bas�e sur une approche de gestion des risques. Il est important de conna�tre les concepts, les mod�les, les processus et les terminologies d�crites dans l'ISO/CEI 27001 et l'ISO/CEI 27002 afin de bien comprendre l'ISO/CEI 27005:2008. L'ISO/CEI 27005:2008 est applicable � tous types d'organisations (par exemple les entreprises commerciales, les agences gouvernementales, les organisations � but non lucratif) qui ont l'intention de g�rer des risques susceptibles de compromettre la s�curit� des informations de l'organisation.
Informacijska tehnologija - Varnostne tehnike - Upravljanje tveganj informacijske varnosti
General Information
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 27005
First edition
2008-06-15
Information technology — Security
techniques — Information security risk
management
Technologies de l'information — Techniques de sécurité — Gestion du
risque en sécurité de l'information
Reference number
ISO/IEC 27005:2008(E)
©
ISO/IEC 2008
---------------------- Page: 1 ----------------------
ISO/IEC 27005:2008(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2008 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 27005:2008(E)
Contents Page
Foreword. v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Structure of this International Standard. 3
5 Background . 3
6 Overview of the information security risk management process. 4
7 Context establishment . 7
7.1 General considerations. 7
7.2 Basic Criteria. 7
7.3 The scope and boundaries . 8
7.4 Organization for information security risk management. 9
8 Information security risk assessment . 9
8.1 General description of information security risk assessment. 9
8.2 Risk analysis . 10
8.2.1 Risk identification. 10
8.2.2 Risk estimation . 14
8.3 Risk evaluation. 16
9 Information security risk treatment . 17
9.1 General description of risk treatment. 17
9.2 Risk reduction . 19
9.3 Risk retention . 20
9.4 Risk avoidance. 20
9.5 Risk transfer . 20
10 Information security risk acceptance . 21
11 Information security risk communication . 21
12 Information security risk monitoring and review . 22
12.1 Monitoring and review of risk factors. 22
12.2 Risk management monitoring, reviewing and improving. 23
Annex A (informative) Defining the scope and boundaries of the information security risk
management process. 25
A.1 Study of the organization. 25
A.2 List of the constraints affecting the organization . 26
A.3 List of the legislative and regulatory references applicable to the organization. 28
A.4 List of the constraints affecting the scope . 28
Annex B (informative) Identification and valuation of assets and impact assessment. 30
B.1 Examples of asset identification . 30
B.1.1 The identification of primary assets . 30
B.1.2 List and description of supporting assets .31
B.2 Asset valuation . 35
B.3 Impact assessment. 38
Annex C (informative) Examples of typical threats . 39
Annex D (informative) Vulnerabilities and methods for vulnerability assessment . 42
© ISO/IEC 2008 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 27005:2008(E)
D.1 Examples of vulnerabilities. 42
D.2 Methods for assessment of technical vulnerabilities. 45
Annex E (informative) Information security risk assessment approaches . 47
E.1 High-level information security risk assessment . 47
E.2 Detailed information security risk assessment . 48
E.2.1 Example 1 Matrix with predefined values.48
E.2.2 Example 2 Ranking of Threats by Measures of Risk. 50
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks . 51
Annex F (informative) Constraints for risk reduction . 53
Bibliography . 55
iv © ISO/IEC 2008 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 27005:2008(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This first edition of ISO/IEC 27005 cancels and replaces ISO/IEC TR 13335-3:1998, and
ISO/IEC TR 13335-4:2000, of which it constitutes a technical revision.
© ISO/IEC 2008 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC 27005:2008(E)
Introduction
This International Standard provides guidelines for Information Security Risk Management in an organization,
supporting in particular the requirements of an ISMS according to ISO/IEC 27001. However, this International
Standard does not provide any specific methodology for information security risk management. It is up to the
organization to define their approach to risk management, depending for example on the scope of the ISMS,
context of risk management, or industry sector. A number of existing methodologies can be used under the
framework described in this International Standard to implement the requirements of an ISMS.
This International Standard is relevant to managers and staff concerned with information security risk
management within an organization and, where appropriate, external parties supporting such activities.
vi © ISO/IEC 2008 – All rights reserved
---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27005:2008(E)
Information technology — Security techniques — Information
security risk management
1 Scope
This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to
assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and
ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard is applicable to all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations) which intend to manage risks that could compromise the
organization’s information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information
security management
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27001, ISO/IEC 27002 and the
following apply.
3.1
impact
adverse change to the level of business objectives achieved
3.2
information security risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm
to the organization
NOTE It is measured in terms of a combination of the likelihood of an event and its consequence.
© ISO/IEC 2008 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC 27005:2008(E)
3.3
risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
[ISO/IEC Guide 73:2002]
3.4
risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
3.5
risk estimation
process to assign values to the probability and consequences of a risk
[ISO/IEC Guide 73:2002]
NOTE 1 In the context of this International Standard, the term “activity” is used instead of the term “process” for risk
estimation.
NOTE 2 In the context of this International Standard, the term “likelihood” is used instead of the term “probability” for
risk estimation.
3.6
risk identification
process to find, list and characterize elements of risk
[ISO/IEC Guide 73:2002]
NOTE In the context of this International Standard, the term “activity” is used instead of the term “process” for risk
identification.
3.7
risk reduction
actions taken to lessen the probability, negative consequences, or both, associated with a risk
[ISO/IEC Guide 73:2002]
NOTE In the context of this International Standard, the term “likelihood” is used instead of the term “probability” for
risk reduction.
3.8
risk retention
acceptance of the burden of loss or benefit of gain from a particular risk
[ISO/IEC Guide 73:2002]
NOTE In the context of information security risks, only negative consequences (losses) are considered for risk
retention.
3.9
risk transfer
sharing with another party the burden of loss or benefit of gain, for a risk
[ISO/IEC Guide 73:2002]
NOTE In the context of information security risks, only negative consequences (losses) are considered for risk
transfer.
2 © ISO/IEC 2008 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 27005:2008(E)
4 Structure of this International Standard
This standard contains the description of the information security risk management process and its activities.
The background information is provided in Clause 5.
A general overview of the information security risk management process is given in Clause 6.
All information security risk management activities as presented in Clause 6 are subsequently described in the
following clauses:
ƒ Context establishment in Clause 7,
ƒ Risk assessment in Clause 8,
ƒ Risk treatment in Clause 9,
ƒ Risk acceptance in Clause 10,
ƒ Risk communication in Clause 11,
ƒ Risk monitoring and review in Clause 12.
Additional information for information security risk management activities is presented in the annexes. The
context establishment is supported by Annex A (Defining the scope and boundaries of the information security
risk management process). Identification and valuation of assets and impact assessments are discussed in
Annex B (examples for assets), Annex C (examples of typical threats) and Annex D (examples of typical
vulnerabilities).
Examples of information security risk assessment approaches are presented in Annex E.
Constraints for risk reduction are presented in Annex F.
All risk management activities as presented from Clause 7 to Clause 12 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be
suitable in all cases and so other ways of performing the action may be more appropriate.
Output: Identifies any information derived after performing the activity.
5 Background
A systematic approach to information security risk management is necessary to identify organizational needs
regarding information security requirements and to create an effective information security management
system (ISMS). This approach should be suitable for the organization´s environment, and in particular should
be aligned with overall enterprise risk management. Security efforts should address risks in an effective and
timely manner where and when they are needed. Information security risk management should be an integral
part of all information security management activities and should be applied both to the implementation and
the ongoing operation of an ISMS.
Information security risk management should be a continual process. The process should establish the
context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations
and decisions. Risk management analyses what can happen and what the possible consequences can be,
before deciding what should be done and when, to reduce the risk to an acceptable level.
© ISO/IEC 2008 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC 27005:2008(E)
Information security risk management should contribute to the following:
ƒ Risks being identified
ƒ Risks being assessed in terms of their consequences to the business and the likelihood of their
occurrence
ƒ The likelihood and consequences of these risks being communicated and understood
ƒ Priority order for risk treatment being established
ƒ Priority for actions to reduce risks occurring
ƒ Stakeholders being involved when risk management decisions are made and kept informed of the risk
management status
ƒ Effectiveness of risk treatment monitoring
ƒ Risks and the risk management process being monitored and reviewed regularly
ƒ Information being captured to improve the risk management approach
ƒ Managers and staff being educated about the risks and the actions taken to mitigate them
The information security risk management process can be applied to the organization as a whole, any discrete
part of the organization (e.g. a department, a physical location, a service), any information system, existing or
planned or particular aspects of control (e.g. business continuity planning).
6 Overview of the information security risk management process
The information security risk management process consists of context establishment (Clause 7), risk
assessment (Clause 8), risk treatment (Clause 9), risk acceptance (Clause 10), risk communication
(Clause 11), and risk monitoring and review (Clause 12).
4 © ISO/IEC 2008 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 27005:2008(E)
Figure 1 — Information security risk management process
As Figure 1 illustrates, the information security risk management process can be iterative for risk assessment
and/or risk treatment activities. An iterative approach to conducting risk assessment can increase depth and
detail of the assessment at each iteration. The iterative approach provides a good balance between
minimizing the time and effort spent in identifying controls, while still ensuring that high risks are appropriately
assessed.
© ISO/IEC 2008 – All rights reserved 5
---------------------- Page: 11 ----------------------
ISO/IEC 27005:2008(E)
The context is established first. Then a risk assessment is conducted. If this provides sufficient information to
effectively determine the actions required to modify the risks to an acceptable level then the task is complete
and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment with
revised context (e.g. risk evaluation criteria, risk acceptance criteria or impact criteria) will be conducted,
possibly on limited parts of the total scope (see Figure 1, Risk Decision Point 1).
The effectiveness of the risk treatment depends on the results of the risk assessment. It is possible that the
risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, another
iteration of the risk assessment with changed context parameters (e.g. risk assessment, risk acceptance or
impact criteria), if necessary, may be required, followed by further risk treatment (see Figure 1, Risk Decision
Point 2).
The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the
organization. This is especially important in a situation where the implementation of controls is omitted or
postponed, e.g. due to cost.
During the whole information security risk management process it is important that risks and their treatment
are communicated to the appropriate managers and operational staff. Even before the treatment of the risks,
information about identified risks can be very valuable to manage incidents and may help to reduce potential
damage. Awareness by managers and staff of the risks, the nature of the controls in place to mitigate the risks
and the areas of concern to the organization assist in dealing with incidents and unexpected events in the
most effective manner. The detailed results of every activity of the information security risk management
process and from the two risk decision points should be documented.
ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS
shall be risk based. The application of an information security risk management process can satisfy this
requirement. There are many approaches by which the process can be successfully implemented in an
organization. The organization should use whatever approach best suits their circumstances for each specific
application of the process.
In an ISMS, establishing the context, risk assessment, developing risk treatment plan and risk acceptance are
all part of the “plan” phase. In the “do” phase of the ISMS, the actions and controls required to reduce the risk
to an acceptable level are implemented according to the risk treatment plan. In the “check” phase of the ISMS,
managers will determine the need for revisions of the risk assessment and risk treatment in the light of
incidents and changes in circumstances. In the ”act” phase, any actions required, including additional
application of the information security risk management process, are performed.
The following table summarizes the information security risk management activities relevant to the four
phases of the ISMS process:
Table 1 — Alignment of ISMS and Information Security Risk Management Process
ISMS Process Information Security Risk Management Process
Establishing the context
Risk assessment
Plan
Developing risk treatment plan
Risk acceptance
Do Implementation of risk treatment plan
Continual monitoring and reviewing of risks
Check
Maintain and improve the Information Security Risk
Act
Management Process
6 © ISO/IEC 2008 – All rights reserved
---------------------- Page: 12 ----------------------
ISO/IEC 27005:2008(E)
7 Context establishment
7.1 General considerations
Input: All information about the organization relevant to the information security risk management context
establishment.
Action: The context for information security risk management should be established, which involves setting the
basic criteria necessary for information security risk management (7.2), defining the scope and boundaries
(7.3), and establishing an appropriate organization operating the information security risk management (7.4).
Implementation guidance:
It is essential to determine the purpose of the information security risk management as this affects the overall
process and the context establishment in particular. This purpose can be:
ƒ Supporting an ISMS
ƒ Legal compliance and evidence of due diligence
ƒ Preparation of a business continuity plan
ƒ Preparation of an incident response plan
ƒ Description of the information security requirements for a product, a service or a mechanism
Implementation guidance for context establishment elements needed to support an ISMS is further discussed in
Clauses 7.2, 7.3 and 7.4 below.
NOTE ISO/IEC 27001 does not use the term “context”. However, all of Clause 7 relates to the requirements “define
the scope and boundaries of the ISMS” [4.2.1 a)], “define an ISMS policy” [4.2.1 b)] and “define the risk assessment
approach” [4.2.1 c)], specified in ISO/IEC 27001.
Output: The specification of basic criteria, the scope and boundaries, and the organization for the information
security risk management process.
7.2 Basic Criteria
Depending on the scope and objectives of the risk management, different approaches can be applied. The
approach might also be different for each iteration.
An appropriate risk management approach should be selected or developed that addresses basic criteria such
as: risk evaluation criteria, impact criteria, risk acceptance criteria.
Additionally, the organization should assess whether necessary resources are available to:
ƒ Perform risk assessment and establish a risk treatment plan
ƒ Define and implement policies and procedures, including implementation of the controls selected
ƒ Monitor controls
ƒ Monitor the information security risk management process
NOTE See also ISO/IEC 27001 (Clause 5.2.1) concerning the provision of resources for the implementation and
operation of an ISMS.
Risk evaluation criteria
Risk evaluation criteria should be developed for evaluating the organization's information security risk
considering the followings:
ƒ The strategic value of the business information process
ƒ The criticality of the information assets involved
ƒ Legal and regulatory requirements, and contractual obligations
ƒ Operational and business importance of availability, confidentiality and integrity
ƒ Stakeholders expectations and perceptions, and negative consequences for goodwill and reputation
Additionally, risk evaluation criteria can be used to specify priorities for risk treatment.
© ISO/IEC 2008 – All rights reserved 7
---------------------- Page: 13 ----------------------
ISO/IEC 27005:2008(E)
Impact criteria
Impact criteria should be developed and specified in terms of the degree of damage or costs to the
organization caused by an information security event considering the following:
ƒ Level of classification of the impacted information asset
ƒ Breaches of information security (e.g. loss of confidentiality, integrity and availability)
ƒ Impaired operations (internal or third parties)
ƒ Loss of business and financial value
ƒ Disruption of plans and deadlines
ƒ Damage of reputation
ƒ Breaches of legal, regulatory or contractual requirements
NOTE See also ISO/IEC 27001 [Clause 4.2.1 d) 4] concerning the impact criteria identification for losses of
confidentiality, integrity and availability.
Risk acceptance criteria
Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the
organization's policies, goals, objectives and the interests of stakeholders.
An organization should define its own scales for levels of risk acceptance. The following should be considered
during development:
ƒ Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision
for senior managers to accept risks above this level under defined circumstances
ƒ Risk acceptance criteria may be expressed as the ratio of estimated profit (or other business benefit) to
the estimated risk
ƒ Different risk acceptance criteria may apply to different classes of risk, e.g. risks that could result in non-
compliance with regulations or laws may not be accepted, while acceptance of hig
...
NORME ISO/CEI
INTERNATIONALE 27005
Première édition
2008-06-15
Technologies de l'information —
Techniques de sécurité — Gestion
des risques en sécurité de l'information
Information technology — Security techniques — Information security
risk management
Numéro de référence
ISO/CEI 27005:2008(F)
©
ISO/CEI 2008
---------------------- Page: 1 ----------------------
ISO/CEI 27005:2008(F)
PDF – Exonération de responsabilité
Le présent fichier PDF peut contenir des polices de caractères intégrées. Conformément aux conditions de licence d'Adobe, ce fichier
peut être imprimé ou visualisé, mais ne doit pas être modifié à moins que l'ordinateur employé à cet effet ne bénéficie d'une licence
autorisant l'utilisation de ces polices et que celles-ci y soient installées. Lors du téléchargement de ce fichier, les parties concernées
acceptent de fait la responsabilité de ne pas enfreindre les conditions de licence d'Adobe. Le Secrétariat central de l'ISO décline toute
responsabilité en la matière.
Adobe est une marque déposée d'Adobe Systems Incorporated.
Les détails relatifs aux produits logiciels utilisés pour la création du présent fichier PDF sont disponibles dans la rubrique General Info
du fichier; les paramètres de création PDF ont été optimisés pour l'impression. Toutes les mesures ont été prises pour garantir
l'exploitation de ce fichier par les comités membres de l'ISO. Dans le cas peu probable où surviendrait un problème d'utilisation,
veuillez en informer le Secrétariat central à l'adresse donnée ci-dessous.
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO/CEI 2008
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Version française parue en 2010
Publié en Suisse
ii © ISO/CEI 2008 – Tous droits réservés
---------------------- Page: 2 ----------------------
ISO/CEI 27005:2008(F)
Sommaire Page
Avant-propos .v
Introduction.vi
1 Domaine d'application .1
2 Références normatives.1
3 Termes et définitions .1
4 Structure de la présente Norme internationale .3
5 Contexte .3
6 Présentation générale du processus de gestion des risques en sécurité de l'information.4
7 Établissement du contexte.7
7.1 Considérations générales.7
7.2 Critères de base.7
7.3 Domaine d'application et limites.9
7.4 Organisation de la gestion des risques en sécurité de l'information .10
8 Appréciation des risques en sécurité de l'information .10
8.1 Description générale de l'appréciation des risques en sécurité de l'information.10
8.2 Analyse des risques.11
8.2.1 Identification des risques .11
8.2.2 Estimation des risques .15
8.3 Évaluation du risque .18
9 Traitement des risques en sécurité de l'information.19
9.1 Description générale du traitement des risques.19
9.2 Réduction du risque.21
9.3 Maintien du risque.22
9.4 Refus du risque .23
9.5 Transfert du risque.23
10 Acceptation des risques en sécurité de l'information.23
11 Communication relative aux risques en sécurité de l'information .24
12 Surveillance et revue du risque en sécurité de l'information .25
12.1 Surveillance et revue des facteurs de risque .25
12.2 Surveillance, revue et amélioration de la gestion des risques.26
Annexe A (informative) Définition du domaine d'application et des limites du processus de
gestion des risques en sécurité de l'information.28
A.1 Étude de l'organisation.28
A.2 Liste des contraintes affectant l'organisation.29
A.3 Liste des références législatives et réglementaires applicables à l'organisation.31
A.4 Liste des contraintes affectant le domaine d'application .31
Annexe B (informative) Identification et évaluation des actifs et appréciation des impacts.34
B.1 Exemples d'identification des actifs.34
B.1.1 Identification des actifs primordiaux.34
B.1.2 Liste et description des actifs en support .35
B.2 Évaluation des actifs.40
B.3 Appréciation des impacts.43
Annexe C (informative) Exemples de menaces types.45
© ISO/CEI 2008 – Tous droits réservés iii
---------------------- Page: 3 ----------------------
ISO/CEI 27005:2008(F)
Annexe D (informative) Vulnérabilités et méthodes d'appréciation des vulnérabilités .47
D.1 Exemples de vulnérabilités.47
D.2 Méthodes d'appréciation des vulnérabilités techniques.50
Annexe E (informative) Approches d'appréciation des risques en sécurité de l'information.52
E.1 Appréciation des risques de haut niveau en sécurité de l'information .52
E.2 Appréciation détaillée des risques en sécurité de l'information .53
E.2.1 Exemple 1 — Matrice avec valeurs prédéfinies.54
E.2.2 Exemple 2 — Classement des menaces par mesures des risques.56
E.2.3 Exemple 3 — Appréciation d'une valeur relative à la vraisemblance et aux conséquences
possibles des risques .57
Annexe F (informative) Contraintes liées à la réduction du risque.59
Bibliographie .61
iv © ISO/CEI 2008 – Tous droits réservés
---------------------- Page: 4 ----------------------
ISO/CEI 27005:2008(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes nationaux de
normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est en général confiée
aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude a le droit de faire partie du
comité technique créé à cet effet. Les organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO participent également aux travaux. L'ISO collabore étroitement avec
la Commission électrotechnique internationale (CEI) en ce qui concerne la normalisation électrotechnique.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives ISO/CEI,
Partie 2.
La tâche principale des comités techniques est d'élaborer les Normes internationales. Les projets de Normes
internationales adoptés par les comités techniques sont soumis aux comités membres pour vote. Leur
publication comme Normes internationales requiert l'approbation de 75 % au moins des comités membres
votants.
L'attention est appelée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO et la CEI ne sauraient être tenues pour
responsables de ne pas avoir identifié de tels droits de propriété et averti de leur existence.
L'ISO/CEI 27005 a été élaborée par le comité technique ISO/TC JTC 1, Technologies de l'information,
sous-comité SC 27, Techniques de sécurité des technologies de l'information.
Cette première édition de l'ISO/CEI 27005 annule et remplace l'ISO/CEI TR 13335-3:1998 et
l'ISO/CEI TR 13335-4:2000, dont elle constitue une révision technique.
© ISO/CEI 2008 – Tous droits réservés v
---------------------- Page: 5 ----------------------
ISO/CEI 27005:2008(F)
Introduction
La présente Norme internationale contient des lignes directrices relatives à la gestion des risques en sécurité
de l'information dans une organisation, qui viennent notamment en appui des exigences d'un SMSI (système
de management de la sécurité de l'information) tel que défini dans l'ISO/CEI 27001. Cependant, la présente
Norme internationale ne fournit aucune méthodologie spécifique à la gestion des risques en sécurité de
l'information. Il est du ressort de chaque organisation de définir son approche de la gestion des risques, en
fonction, par exemple, du périmètre du SMSI, de ce qui existe dans l'organisme dans le domaine de la gestion
des risques, ou encore de son secteur industriel. Plusieurs méthodologies existantes peuvent être utilisées en
cohérence avec le cadre décrit dans la présente Norme internationale pour appliquer les exigences du SMSI.
La présente Norme internationale s'adresse aux responsables et aux personnels concernés par la gestion des
risques en sécurité de l'information au sein d'une organisation et, le cas échéant, aux tiers prenant part à ces
activités.
vi © ISO/CEI 2008 – Tous droits réservés
---------------------- Page: 6 ----------------------
NORME INTERNATIONALE ISO/CEI 27005:2008(F)
Technologies de l'information — Techniques de sécurité —
Gestion des risques en sécurité de l'information
1 Domaine d'application
La présente Norme internationale contient des lignes directrices relatives à la gestion des risques en sécurité
de l'information.
La présente Norme internationale vient en appui des concepts généraux énoncés dans l'ISO/CEI 27001; elle
est conçue pour aider à la mise en place de la sécurité de l'information basée sur une approche de gestion
des risques.
Il est important de connaître les concepts, les modèles, les processus et les terminologies décrites dans
l'ISO/CEI 27001 et l'ISO/CEI 27002 afin de bien comprendre la présente Norme internationale.
La présente Norme internationale est applicable à tous types d'organisations (par exemple les entreprises
commerciales, les agences gouvernementales, les organisations à but non lucratif) qui ont l'intention de gérer
des risques susceptibles de compromettre la sécurité des informations de l'organisation.
2 Références normatives
Les documents de référence suivants sont indispensables à l'application du présent document. Pour les
références datées, seule l'édition citée s'applique. Pour les références non datées, la dernière édition du
document de référence (y compris les éventuels amendements) s'applique.
ISO/CEI 27001:2005, Technologies de l'information — Techniques de sécurité — Systèmes de management
de la sécurité de l'information — Exigences
ISO/CEI 27002:2005, Technologies de l'information — Techniques de sécurité — Code de bonne pratique
pour le management de la sécurité de l'information
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions donnés dans l'ISO/CEI 27001,
l'ISO/CEI 27002 et les suivants s'appliquent.
3.1
impact
changement radical au niveau des objectifs métiers atteints
3.2
risque de sécurité de l'information
possibilité qu'une menace donnée exploite les vulnérabilités d'un actif ou d'un groupe d'actifs et nuise donc à
l'organisation
NOTE Le risque est mesuré en termes de combinaison entre la vraisemblance d'un événement et ses conséquences.
© ISO/CEI 2008 – Tous droits réservés 1
---------------------- Page: 7 ----------------------
ISO/CEI 27005:2008(F)
3.3
refus du risque
décision de se retirer d'une situation à risque, ou de ne pas s'y engager
[ISO/CEI Guide 73:2002]
3.4
communication relative aux risques
échange ou partage de l'information concernant un risque entre le décideur et les autres parties prenantes
[ISO/CEI Guide 73:2002]
3.5
estimation des risques
processus utilisé pour affecter des valeurs à la probabilité et aux conséquences d'un risque
[ISO/CEI Guide 73:2002]
NOTE 1 Dans le cadre de la présente Norme internationale, le terme «activité» est utilisé en lieu et place du terme
«processus» pour l'estimation des risques.
NOTE 2 Dans le cadre de la présente Norme internationale, le terme «vraisemblance» est utilisé en lieu et place du
terme «probabilité» pour l'estimation des risques.
3.6
identification des risques
processus utilisé pour trouver, lister et caractériser les éléments à risque
[ISO/CEI Guide 73:2002]
NOTE Dans le cadre de la présente Norme internationale, le terme «activité» est utilisé en lieu et place du terme
«processus» pour l'identification des risques.
3.7
réduction du risque
mesures prises pour diminuer la probabilité, les conséquences négatives, ou les deux à la fois, associées à
un risque
[ISO/CEI Guide 73:2002]
NOTE Dans le cadre de la présente Norme internationale, le terme «vraisemblance» est utilisé en lieu et place du
terme «probabilité» pour la réduction du risque.
3.8
maintien du risque
acceptation du poids de la perte ou du bénéfice de gain découlant d'un risque particulier
[ISO/CEI Guide 73:2002]
NOTE Dans le cadre des risques en sécurité de l'information, seules les conséquences négatives (pertes) sont
prises en compte pour le maintien du risque.
3.9
transfert du risque
partage avec un tiers du poids de la perte ou du bénéfice de gain découlant d'un risque
[ISO/CEI Guide 73:2002]
NOTE Dans le cadre des risques en sécurité de l'information, uniquement les conséquences négatives (pertes) sont
prises en compte pour le transfert du risque.
2 © ISO/CEI 2008 – Tous droits réservés
---------------------- Page: 8 ----------------------
ISO/CEI 27005:2008(F)
4 Structure de la présente Norme internationale
La présente norme contient la description du processus de gestion des risques en sécurité de l'information, et
la description de ses activités.
Les informations générales sont fournies dans l'Article 5.
Un aperçu général du processus de gestion des risques en sécurité de l'information est donné dans l'Article 6.
Toutes les activités liées à la gestion des risques en sécurité de l'information, telles que présentées dans
l'Article 6, sont ensuite décrites dans les articles suivants:
• établissement du contexte dans l'Article 7;
• appréciation des risques dans l'Article 8;
• traitement des risques dans l'Article 9;
• acceptation des risques dans l'Article 10;
• communication relative aux risques dans l'Article 11;
• surveillance et revue du risque dans l'Article 12.
Des informations supplémentaires relatives aux activités de gestion des risques en sécurité de l'information
sont présentées dans les annexes. L'établissement du contexte est abordé dans l'Annexe A (Définition du
domaine d'application et des limites du processus de gestion des risques en sécurité de l'information).
L'identification, la valorisation des actifs et l'appréciation des impacts sont traitées dans l'Annexe B (exemples
d'actifs), dans l'Annexe C (exemples de menaces type) et dans l'Annexe D (exemples de vulnérabilités type).
Des exemples d'approches relatives à l'appréciation des risques en sécurité de l'information sont présentés
dans l'Annexe E.
Les contraintes liées à la réduction du risque sont traitées dans l'Annexe F.
Toutes les activités liées à la gestion des risques, présentées dans les Articles 7 à 12, sont structurées de la
manière suivante:
Élément(s) d'entrée: Identifie toute information requise pour réaliser l'activité.
Action: Décrit l'activité.
Préconisations de mise en œuvre: Propose des préconisations pour réaliser l'action. Il se peut que certaines
préconisations ne soient pas adaptées à tous les cas, et que d'autres solutions pour réaliser l'action s'avèrent
préférables.
Élément(s) de sortie: Identifie toute information obtenue après la réalisation de l'activité.
5 Contexte
Une approche systématique de la gestion des risques en sécurité de l'information est nécessaire pour
identifier les besoins organisationnels concernant les exigences en matière de sécurité de l'information, et
pour créer un système de management de la sécurité de l'information (SMSI) efficace. Il convient que cette
approche soit adaptée à l'environnement de l'organisation, et soit notamment alignée sur la démarche
générale de gestion des risques de l'entreprise. Il convient que les efforts effectués en matière de sécurité
adressent les risques de manière efficace et opportune quand et lorsque cela est nécessaire. Il convient que
la gestion des risques en sécurité de l'information fasse partie intégrante de l'ensemble des activités de
management de la sécurité de l'information et qu'elle s'applique à la fois à la mise en œuvre et au
fonctionnement d'un SMSI.
© ISO/CEI 2008 – Tous droits réservés 3
---------------------- Page: 9 ----------------------
ISO/CEI 27005:2008(F)
Il convient que la gestion des risques en sécurité de l'information soit un processus continu. Il convient que ce
processus établisse le contexte, apprécie les risques et les traite à l'aide d'un plan de traitement des risques
permettant de mettre en œuvre les recommandations et décisions. La gestion des risques analyse les
évènements susceptibles de se produire ainsi que leurs possibles conséquences avant de décider de ce qui
pourrait être fait, dans quels délais et à quel moment, pour réduire les risques à un niveau acceptable.
Il convient que la gestion des risques en sécurité de l'information contribue é ce qui suit:
• l'identification des risques
• l'appréciation des risques en termes de conséquences sur les activités métier et de vraisemblance
• la communication et la compréhension de la vraisemblance et des conséquences de ces risques
• l'établissement d'un ordre de priorité pour le traitement des risques
• la définition des priorités d'actions afin de réduire les occurrences des risques
• l'implication des parties prenantes lors de la prise de décisions relatives à la gestion des risques et
l'information sur l'état de la gestion des risques
• l'efficacité de la supervision du traitement des risques
• la surveillance et la revue régulières des risques et du processus de gestion des risques
• la capture de l'information afin d'améliorer l'approche de gestion des risques
• la formation des dirigeants et du personnel sur les risques et les actions à entreprendre pour les atténuer
Le processus de gestion des risques en sécurité de l'information peut s'appliquer à l'organisation dans son
ensemble, à toute partie distincte de l'organisation (à titre d'exemples un département, un lieu physique, un
service), à tout système d'information existant ou prévu, ou à des types particuliers de mesures de sécurité
(par exemple la planification de la continuité d'activité).
6 Présentation générale du processus de gestion des risques en sécurité de
l'information
Le processus de gestion des risques en sécurité de l'information comprend l'établissement du
contexte (Article 7), l'appréciation des risques (Article 8), le traitement des risques (Article 9), l'acceptation des
risques (Article 10), la communication relatives aux risques (Article 11), ainsi que la surveillance et la revue du
risque (Article 12).
4 © ISO/CEI 2008 – Tous droits réservés
---------------------- Page: 10 ----------------------
ISO/CEI 27005:2008(F)
Figure 1 — Processus de gestion des risques en sécurité de l'information
Comme l'illustre la Figure 1, le processus de gestion des risques en sécurité de l'information peut être itératif
pour les activités d'appréciation et/ou de traitement des risques. Une approche itérative de conduite de
l'appréciation des risques permet d'approfondir et de préciser l'appréciation à chaque itération. Cette
approche itérative assure un bon équilibre entre la minimisation du temps et des efforts investis dans
l'identification des mesures de sécurité et l'assurance que les risques élevés sont correctement appréciés.
© ISO/CEI 2008 – Tous droits réservés 5
---------------------- Page: 11 ----------------------
ISO/CEI 27005:2008(F)
Le contexte est établi en premier lieu. Une appréciation des risques est ensuite réalisée. Si cette appréciation
donne suffisamment d'informations pour déterminer correctement les actions nécessaires pour ramener les
risques à un niveau acceptable, la tâche est alors terminée et suivie par le traitement des risques. Si les
informations ne sont pas suffisantes, une autre itération de l'appréciation des risques sera réalisée avec un
contexte révisé (par exemple les critères d'évaluation des risques, les critères d'acceptation des risques ou
les critères d'impact) et, éventuellement, sur des parties limitées de l'ensemble du domaine d'application
(voir Figure 1, point de décision du risque n° 1).
L'efficacité du traitement des risques dépend des résultats de l'appréciation des risques. Il est possible que le
traitement des risques ne donne pas immédiatement un niveau acceptable de risque résiduel. Dans ce cas,
une nouvelle itération de l'appréciation des risques utilisant, si nécessaire, de nouveaux paramètres de
contexte (à titre d'exemples l'appréciation des risques, l'acceptation des risques ou les critères d'impact) peut
être requise et suivie d'un autre traitement des risques (voir la Figure 1, Point de décision du risque n° 2).
L'activité d'acceptation des risques doit garantir que les risques résiduels sont explicitement acceptés par les
dirigeants de l'organisation. Elle est particulièrement importante dans une situation où la mise en œuvre de
mesures de sécurité est omise ou reportée, par exemple en raison des coûts.
Au cours du processus de gestion des risques en sécurité de l'information, il est important que les risques et
leur traitement soient communiqués aux dirigeants et au personnel concerné. Avant même le traitement des
risques, les informations relatives aux risques identifiés peuvent être très utiles pour gérer les incidents et
contribuer à réduire les dommages potentiels. La sensibilisation des dirigeants et du personnel aux risques, la
nature des mesures de sécurité mises en place pour atténuer les risques et les problèmes rencontrés par
l'organisation sont utiles pour gérer les incidents et les événements imprévus de la manière la plus efficace. Il
convient de documenter les résultats détaillés de toute activité du processus de gestion des risques en
sécurité de l'information, ainsi que ceux obtenus à partir des deux points de décision de risque.
L'ISO/CEI 27001 spécifie que les mesures de sécurité mises en œuvre dans le domaine d'application, les
limites et le contexte du SMSI doivent être fondées sur le risque. L'application d'un processus de gestion des
risques en sécurité de l'information peut répondre à cette exigence. De nombreuses approches de ce
processus peuvent être mises en œuvre avec succès au sein d'une organisation. Il convient que cette
dernière utilise l'approche la plus adaptée à ses besoins pour chacun des usages spécifiques du processus.
Dans un SMSI, l'établissement du contexte, l'appréciation des risques, l'élaboration d'un plan de traitement
des risques et l'acceptation des risques font partie intégrante de la phase «Planifier». Lors de la phase
«Déployer» du SMSI, les actions et mesures de sécurité requises pour ramener le risque à un niveau
acceptable sont mises en œuvre, conformément au plan de traitement des risques. Lors de la phase
«Contrôler» du SMSI, les dirigeants déterminent les besoins en matière de révision de l'appréciation et du
traitement des risques à la lumière des incidents et des changements de situations. Lors de la phase «Agir»,
toutes les actions nécessaires, y compris une itération supplémentaire du processus de gestion des risques
en sécurité de l'information, sont réalisées.
Le tableau suivant résume les activités de gestion des risques en sécurité de l'information associées aux
quatre phases du processus SMSI.
Tableau 1 — Alignement du SMSI et du processus de gestion des risques en sécurité de l'information
Processus SMSI Processus de gestion des risques
en sécurité de l'information
Établissement du contexte
Appréciation des risques
Planifier
Élaboration du plan de traitement des risques
Acceptation des risques
Déployer Mise en œuvre du plan de traitement des risques
Contrôler Surveillance et revue continues des risques
Maintien et amélioration du processus de gestion des
Agir
risques en sécurité de l'information
6 © ISO/CEI 2008 – Tous droits réservés
---------------------- Page: 12 ----------------------
ISO/CEI 27005:2008(F)
7 Établissement du contexte
7.1 Considérations générales
Éléments d'entrée: Toutes les informations relatives à l'organisation permettant l'établissement du contexte de
la gestion des risques en sécurité de l'information.
Action: Il convient d'établir le contexte de la gestion des risques en sécurité de l'information, ce qui implique
de déterminer les critères de base nécessaires à la gestion des risques en sécurité de l'information (7.2), de
définir le domaine d'application et les limites (7.3), et d'établir une organisation adaptée au fonctionnement de
la gestion des risques en sécurité de l'information (7.4).
Préconisations de mise en œuvre:
Il est essentiel de déterminer l'objectif de la gestion des risques en sécurité de l'information puisqu'il influence
l'ensemble du processus et, en particulier, l'établissement du contexte. L'objectif peut être:
• une réponse aux exigences d'un SMSI;
• la conformité avec la loi et la preuve de la mise en œuvre du devoir de précaution;
• la préparation d'un plan de continuité d'activité;
• la préparation d'un plan de réponse aux incidents;
• la description des exigences en matière de sécurité de l'information pour un produit, un service ou un
mécanisme.
Les préconisations de mise en œuvre des éléments d'établissement du contexte nécessaires pour répondre
aux exigences d'un SMSI sont traitées en 7.2, 7.3 et 7.4.
NOTE L'ISO/CEI 270001 n'utilise pas le terme «contexte». Cependant, l'Article 7 aborde les exigen
...
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Upravljanje tveganj informacijske varnostiTechnologies de l'information -- Techniques de sécurité -- Gestion des risques en sécurité de l'informationInformation technology -- Security techniques -- Information security risk management35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:Ta slovenski standard je istoveten z:ISO/IEC 27005:2008oSIST ISO/IEC 27005:2011en,fr01-februar-2011oSIST ISO/IEC 27005:2011SLOVENSKI
STANDARD
oSIST ISO/IEC 27005:2011
Reference numberISO/IEC 27005:2008(E)© ISO/IEC 2008
INTERNATIONAL STANDARD ISO/IEC27005First edition2008-06-15Information technology — Security techniques — Information security risk management Technologies de l'information — Techniques de sécurité — Gestion du risque en sécurité de l'information
oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
©
ISO/IEC 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2008 – All rights reserved
oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved iiiContents Page Foreword.v Introduction.vi 1 Scope.1 2 Normative references.1 3 Terms and definitions.1 4 Structure of this International Standard.3 5 Background.3 6 Overview of the information security risk management process.4 7 Context establishment.7 7.1 General considerations.7 7.2 Basic Criteria.7 7.3 The scope and boundaries.8 7.4 Organization for information security risk management.9 8 Information security risk assessment.9 8.1 General description of information security risk assessment.9 8.2 Risk analysis.10 8.2.1 Risk identification.10 8.2.2 Risk estimation.14 8.3 Risk evaluation.16 9 Information security risk treatment.17 9.1 General description of risk treatment.17 9.2 Risk reduction.19 9.3 Risk retention.20 9.4 Risk avoidance.20 9.5 Risk transfer.20 10 Information security risk acceptance.21 11 Information security risk communication.21 12 Information security risk monitoring and review.22 12.1 Monitoring and review of risk factors.22 12.2 Risk management monitoring, reviewing and improving.23 Annex A (informative)
Defining the scope and boundaries of the information security risk management process.25 A.1 Study of the organization.25 A.2 List of the constraints affecting the organization.26 A.3 List of the legislative and regulatory references applicable to the organization.28 A.4 List of the constraints affecting the scope.28 Annex B (informative)
Identification and valuation of assets and impact assessment.30 B.1 Examples of asset identification.30 B.1.1 The identification of primary assets.30 B.1.2 List and description of supporting assets.31 B.2 Asset valuation.35 B.3 Impact assessment.38 Annex C (informative)
Examples of typical threats.39 Annex D (informative)
Vulnerabilities and methods for vulnerability assessment.42 oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) iv © ISO/IEC 2008 – All rights reserved D.1 Examples of vulnerabilities.42 D.2 Methods for assessment of technical vulnerabilities.45 Annex E (informative)
Information security risk assessment approaches.47 E.1 High-level information security risk assessment.47 E.2 Detailed information security risk assessment.48 E.2.1 Example 1 Matrix with predefined values.48 E.2.2 Example 2 Ranking of Threats by Measures of Risk.50 E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks.51 Annex F (informative)
Constraints for risk reduction.53 Bibliography.55
oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. This first edition of ISO/IEC 27005 cancels and replaces ISO/IEC TR 13335-3:1998, and ISO/IEC TR 13335-4:2000, of which it constitutes a technical revision. oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) vi © ISO/IEC 2008 – All rights reserved Introduction This International Standard provides guidelines for Information Security Risk Management in an organization, supporting in particular the requirements of an ISMS according to ISO/IEC 27001. However, this International Standard does not provide any specific methodology for information security risk management. It is up to the organization to define their approach to risk management, depending for example on the scope of the ISMS, context of risk management, or industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS. This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.
oSIST ISO/IEC 27005:2011
INTERNATIONAL STANDARD ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved 1Information technology — Security techniques — Information security risk management 1 Scope This International Standard provides guidelines for information security risk management. This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard. This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27001, ISO/IEC 27002 and the following apply. 3.1 impact adverse change to the level of business objectives achieved 3.2 information security risk potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization NOTE It is measured in terms of a combination of the likelihood of an event and its consequence. oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) 2 © ISO/IEC 2008 – All rights reserved 3.3 risk avoidance decision not to become involved in, or action to withdraw from, a risk situation [ISO/IEC Guide 73:2002] 3.4 risk communication exchange or sharing of information about risk between the decision-maker and other stakeholders [ISO/IEC Guide 73:2002] 3.5 risk estimation process to assign values to the probability and consequences of a risk [ISO/IEC Guide 73:2002] NOTE 1 In the context of this International Standard, the term “activity” is used instead of the term “process” for risk estimation. NOTE 2 In the context of this International Standard, the term “likelihood” is used instead of the term “probability” for risk estimation. 3.6 risk identification process to find, list and characterize elements of risk [ISO/IEC Guide 73:2002] NOTE In the context of this International Standard, the term “activity” is used instead of the term “process” for risk identification. 3.7 risk reduction actions taken to lessen the probability, negative consequences, or both, associated with a risk [ISO/IEC Guide 73:2002] NOTE In the context of this International Standard, the term “likelihood” is used instead of the term “probability” for risk reduction. 3.8 risk retention acceptance of the burden of loss or benefit of gain from a particular risk [ISO/IEC Guide 73:2002] NOTE In the context of information security risks, only negative consequences (losses) are considered for risk retention. 3.9 risk transfer sharing with another party the burden of loss or benefit of gain, for a risk [ISO/IEC Guide 73:2002] NOTE In the context of information security risks, only negative consequences (losses) are considered for risk transfer. oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved 34 Structure of this International Standard This standard contains the description of the information security risk management process and its activities. The background information is provided in Clause 5. A general overview of the information security risk management process is given in Clause 6. All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses: ƒ Context establishment in Clause 7, ƒ Risk assessment in Clause 8, ƒ Risk treatment in Clause 9, ƒ Risk acceptance in Clause 10, ƒ Risk communication in Clause 11, ƒ Risk monitoring and review in Clause 12. Additional information for information security risk management activities is presented in the annexes. The context establishment is supported by Annex A (Defining the scope and boundaries of the information security risk management process). Identification and valuation of assets and impact assessments are discussed in Annex B (examples for assets), Annex C (examples of typical threats) and Annex D (examples of typical vulnerabilities). Examples of information security risk assessment approaches are presented in Annex E. Constraints for risk reduction are presented in Annex F. All risk management activities as presented from Clause 7 to Clause 12 are structured as follows: Input: Identifies any required information to perform the activity. Action: Describes the activity. Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be suitable in all cases and so other ways of performing the action may be more appropriate. Output: Identifies any information derived after performing the activity. 5 Background A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization´s environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an ISMS. Information security risk management should be a continual process. The process should establish the context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions. Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level. oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) 4 © ISO/IEC 2008 – All rights reserved Information security risk management should contribute to the following: ƒ Risks being identified ƒ Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence ƒ The likelihood and consequences of these risks being communicated and understood ƒ Priority order for risk treatment being established ƒ Priority for actions to reduce risks occurring ƒ Stakeholders being involved when risk management decisions are made and kept informed of the risk management status ƒ Effectiveness of risk treatment monitoring ƒ Risks and the risk management process being monitored and reviewed regularly ƒ Information being captured to improve the risk management approach ƒ Managers and staff being educated about the risks and the actions taken to mitigate them The information security risk management process can be applied to the organization as a whole, any discrete part of the organization (e.g. a department, a physical location, a service), any information system, existing or planned or particular aspects of control (e.g. business continuity planning). 6 Overview of the information security risk management process The information security risk management process consists of context establishment (Clause 7), risk assessment (Clause 8), risk treatment (Clause 9), risk acceptance (Clause 10), risk communication (Clause 11), and risk monitoring and review (Clause 12). oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved 5 Figure 1 — Information security risk management process As Figure 1 illustrates, the information security risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can increase depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls, while still ensuring that high risks are appropriately assessed. oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) 6 © ISO/IEC 2008 – All rights reserved The context is established first. Then a risk assessment is conducted. If this provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment with revised context (e.g. risk evaluation criteria, risk acceptance criteria or impact criteria) will be conducted, possibly on limited parts of the total scope (see Figure 1, Risk Decision Point 1). The effectiveness of the risk treatment depends on the results of the risk assessment. It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, another iteration of the risk assessment with changed context parameters (e.g. risk assessment, risk acceptance or impact criteria), if necessary, may be required, followed by further risk treatment (see Figure 1, Risk Decision Point 2). The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost. During the whole information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the treatment of the risks, information about identified risks can be very valuable to manage incidents and may help to reduce potential damage. Awareness by managers and staff of the risks, the nature of the controls in place to mitigate the risks and the areas of concern to the organization assist in dealing with incidents and unexpected events in the most effective manner. The detailed results of every activity of the information security risk management process and from the two risk decision points should be documented. ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS shall be risk based. The application of an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organization. The organization should use whatever approach best suits their circumstances for each specific application of the process. In an ISMS, establishing the context, risk assessment, developing risk treatment plan and risk acceptance are all part of the “plan” phase. In the “do” phase of the ISMS, the actions and controls required to reduce the risk to an acceptable level are implemented according to the risk treatment plan. In the “check” phase of the ISMS, managers will determine the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the ”act” phase, any actions required, including additional application of the information security risk management process, are performed. The following table summarizes the information security risk management activities relevant to the four phases of the ISMS process: Table 1 — Alignment of ISMS and Information Security Risk Management Process ISMS Process Information Security Risk Management Process Plan Establishing the context Risk assessment Developing risk treatment plan Risk acceptance Do Implementation of risk treatment plan Check Continual monitoring and reviewing of risks Act Maintain and improve the Information Security Risk Management Process oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) © ISO/IEC 2008 – All rights reserved 77 Context establishment 7.1 General considerations Input: All information about the organization relevant to the information security risk management context establishment. Action: The context for information security risk management should be established, which involves setting the basic criteria necessary for information security risk management (7.2), defining the scope and boundaries (7.3), and establishing an appropriate organization operating the information security risk management (7.4). Implementation guidance: It is essential to determine the purpose of the information security risk management as this affects the overall process and the context establishment in particular. This purpose can be: ƒ Supporting an ISMS ƒ Legal compliance and evidence of due diligence ƒ Preparation of a business continuity plan ƒ Preparation of an incident response plan ƒ Description of the information security requirements for a product, a service or a mechanism Implementation guidance for context establishment elements needed to support an ISMS is further discussed in Clauses 7.2, 7.3 and 7.4 below. NOTE ISO/IEC 27001 does not use the term “context”. However, all of Clause 7 relates to the requirements “define the scope and boundaries of the ISMS” [4.2.1 a)], “define an ISMS policy” [4.2.1 b)] and “define the risk assessment approach” [4.2.1 c)], specified in ISO/IEC 27001. Output: The specification of basic criteria, the scope and boundaries, and the organization for the information security risk management process. 7.2 Basic Criteria Depending on the scope and objectives of the risk management, different approaches can be applied. The approach might also be different for each iteration. An appropriate risk management approach should be selected or developed that addresses basic criteria such as: risk evaluation criteria, impact criteria, risk acceptance criteria. Additionally, the organization should assess whether necessary resources are available to: ƒ Perform risk assessment and establish a risk treatment plan ƒ Define and implement policies and procedures, including implementation of the controls selected ƒ Monitor controls ƒ Monitor the information security risk management process NOTE See also ISO/IEC 27001 (Clause 5.2.1) concerning the provision of resources for the implementation and operation of an ISMS. Risk evaluation criteria Risk evaluation criteria should be developed for evaluating the organization's information security risk considering the followings: ƒ The strategic value of the business information process ƒ The criticality of the information assets involved ƒ Legal and regulatory requirements, and contractual obligations ƒ Operational and business importance of availability, confidentiality and integrity ƒ Stakeholders expectations and perceptions, and negative consequences for goodwill and reputation Additionally, risk evaluation criteria can be used to specify priorities for risk treatment. oSIST ISO/IEC 27005:2011
ISO/IEC 27005:2008(E) 8 © ISO/IEC 2008 – All rights reserved Impact criteria Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event considering the following: ƒ Level of classification of the impacted information asset ƒ Breaches of information security (e.g. loss of confidentiality, integrity and availability) ƒ Impaired operations (internal or third parties) ƒ Loss of business and financial value ƒ Disruption of plans and deadlines ƒ Damage of reputation ƒ Breaches of legal, regulatory or contractual requirements NOTE See also ISO/IEC 27001 [Clause 4.2.1 d) 4] concerning the impact criteria identification for losses of confidentiality, integrity and availability. Risk acceptance criteria Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the organization's policies, goals, objectives and the interests of stakeholders. An organization should define its own scales for levels of risk acceptance. The following should be considered during development: ƒ Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances ƒ Risk acceptance criteria may be expressed as the ratio of estimated profit (or other business benefit) to the estimated risk ƒ Different risk acceptance criteria may apply to different classes of risk, e.g. risks that could result in non-compliance with regulations or laws may not be accepted, while acceptance of high risks may be allowed if this is specified as a contractual requirement ƒ Risk acceptance criteria may include requirements for future additional treatment, e.g. a risk may be accepted if there is approval and
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.