SIST EN ISO/IEC 27000:2020
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
This document provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informacijska tehnologija - Varnostne tehnike - Sistemi vodenja informacijske varnosti - Pregled in izrazje (ISO/IEC 27000:2018)
This document provides an overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the family of standards for information security management systems. This document applies to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions in this document
‒ cover commonly used terms and definitions in the family of standards for information security management systems;
‒ do not cover all terms and definitions applied within the family of standards for information security management systems; and
‒ do not limit the family of standards for information security management systems in defining new terms for use.
Standards Content (Sample)
SLOVENIAN STANDARD
1 April 2020
Supersedes:
SIST EN ISO/IEC 27000:2017
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazje (ISO/IEC 27000:2018)
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
This Slovenian standard is identical to: EN ISO/IEC 27000:2020
ICS:
01.040.35 Information technology (Vocabularies)
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EUROPEAN STANDARD
EN ISO/IEC 27000
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2020
ICS 01.040.35; 35.030
Supersedes EN ISO/IEC 27000:2017
English version
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27000:2020 E
Contents
European foreword
European foreword
The text of ISO/IEC 27000:2018 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall
be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any
modification.
INTERNATIONAL STANDARD ISO/IEC 27000
Fifth edition 2018-02
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Vue d'ensemble et vocabulaire
Reference number: ISO/IEC 27000:2018(E)
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
© ISO/IEC 2018 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management systems
4.1 General
4.2 What is an ISMS?
4.2.1 Overview and principles
4.2.2 Information
4.2.3 Information security
4.2.4 Management
4.2.5 Management system
4.3 Process approach
4.4 Why an ISMS is important
4.5 Establishing, monitoring, maintaining and improving an ISMS
4.5.1 Overview
4.5.2 Identifying information security requirements
4.5.3 Assessing information security risks
4.5.4 Treating information security risks
4.5.5 Selecting and implementing controls
4.5.6 Monitor, maintain and improve the effectiveness of the ISMS
4.5.7 Continual improvement
4.6 ISMS critical success factors
4.7 Benefits of the ISMS family of standards
5 ISMS family of standards
5.1 General information
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document)
5.3 Standards specifying requirements
5.3.1 ISO/IEC 27001
5.3.2 ISO/IEC 27006
5.3.3 ISO/IEC 27009
5.4 Standards describing general guidelines
5.4.1 ISO/IEC 27002
5.4.2 ISO/IEC 27003
5.4.3 ISO/IEC 27004
5.4.4 ISO/IEC 27005
5.4.5 ISO/IEC 27007
5.4.6 ISO/IEC TR 27008
5.4.7 ISO/IEC 27013
5.4.8 ISO/IEC 27014
5.4.9 ISO/IEC TR 27016
5.4.10 ISO/IEC 27021
5.5 Standards describing sector-specific guidelines
5.5.1 ISO/IEC 27010
5.5.2 ISO/IEC 27011
5.5.3 ISO/IEC 27017
5.5.4 ISO/IEC 27018
5.5.5 ISO/IEC 27019
5.5.6 ISO 27799
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned with the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and
operating a management system. This model incorporates the features on which experts in the field
have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an
expert committee dedicated to the development of international management systems standards for
information security, otherwise known as the Information Security Management system (ISMS) family
of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets, including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2 Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3 Content of this document
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated
requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the
terminological data and can contain provisions relating to the use of a term.
INTERNATIONAL STANDARD ISO/IEC 27000:2018(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family of standards. This document is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify
risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and
controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the
organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48),
and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be
security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant
probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31)
3.33
information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54),
systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61) expressed in terms of the combination of consequences (3.12) and their
likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination of risks” has been deleted in the
definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and
objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified — Note 2 to entry has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified — Note 2 to entry has been deleted.]
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and
process (3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an information security objective or by the use of other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are
set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.49)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.51
outsource
make an arrangement where an external organization (3.50) performs part of an organization’s function
or process (3.54)
Note 1 to entry: An external organization is outside the scope of the management system (3.41), although the
outsourced function or process is within the scope.
3.52
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.54), products (including
services), systems or organizations (3.50).
3.53
policy
intentions and direction of an organization (3.50), as formally expressed by its top management (3.75)
3.54
process
set of interrelated or interacting activities which transforms inputs into outputs
3.55
reliability
property of consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as “retained risk”.
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter
to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
3.59
review object
specific item being reviewed
3.60
review objective
statement describing what is to be achieved as a result of a review (3.59)
3.61
risk
effect of uncertainty on objectives (3.49)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities
of an information asset or group of information assets and thereby cause harm to an organization.
3.62
risk acceptance
informed decision to take a particular risk (3.61)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk
treatment.
Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58).
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.63
risk analysis
process (3.54) to comprehend the nature of risk (3.61) and to determine the level of risk (3.39)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.64
risk assessment
overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.65
risk communication and consultation
set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain
information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.41), significance,
evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and
its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
3.66
risk criteria
terms of reference against which the significance of risk (3.61) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal
context (3.38).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.67
risk evaluation
process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine
whether the risk (3.61) and/or its magnitude is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72).
[SOURCE: ISO Guide 73:2009, 3.7.1]
3.68
risk identification
process (3.54) of finding, recognizing and describing risks (3.61)
Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their
potential consequences (3.12).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and stakeholders’ (3.37) needs.
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.69
risk management
coordinated activities to direct and control an organization (3.50) with regard to risk (3.61)
[SOURCE: ISO Guide 73:2009, 2.1]
3.70
risk management process
systematic application of management policies (3.53), procedures and practices to the activities of
communicating, consulting, establishing the context and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.61)
Note 1 to entry: ISO/IEC 27005 uses the term “process” (3.54) to describe risk management overall. The elements
within the risk management (3.69) process are referred to as “activities”.
[SOURCE: ISO Guide 73:2009, 3.1, modified — Note 1 to entry has been added.]
3.71
risk owner
person or entity with the accountability and authority to manage a risk (3.61)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.72
risk treatment
process (3.54) to modify risk (3.61)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — “decision” has been replaced by “choice” in Note 1
to entry.]
3.73
security implementation standard
document specifying authorized ways for realizing security
3.74
threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.75
top management
person or group of people who directs and controls an organization (3.50) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.41) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
3.76
trusted information communication entity
autonomous organization (3.50) supporting information exchange within an information sharing
community (3.34)
3.77
vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important
assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for
example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information
security is generally based on information being considered as an asset which has a value requiring
appropriate protection, for example, against the loss of availability, confidentiality and integrity.
Enabling accurate and complete information to be available in a timely manner to those with an
authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information
security effectively is essential to enable an organization to achieve its objectives, and maintain and
enhance its legal compliance and image. These coordinated activities directing the implementation of
suitable controls and treating unacceptable information security risks are gen
...
SLOVENIAN STANDARD
1 April 2020
Supersedes:
SIST EN ISO/IEC 27000:2017
Information technology - Security techniques - Information security management
systems - Overview and vocabulary (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-
Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de
la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
This Slovenian standard is identical to: EN ISO/IEC 27000:2020
ICS:
01.040.35 Information technology (Vocabularies)
03.100.70 Management systems
35.030 IT Security
Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD
EN ISO/IEC 27000
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2020
ICS 01.040.35; 35.030
Supersedes EN ISO/IEC 27000:2017
English version
Information technology - Security techniques - Information
security management systems - Overview and vocabulary
(ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de
l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme -
Überblick und Terminologie (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27000:2020 E
Contents Page
European foreword ... 3
European foreword
The text of ISO/IEC 27000:2018 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall
be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any
modification.
INTERNATIONAL STANDARD ISO/IEC 27000
Fifth edition
2018-02
Information technology — Security techniques — Information security management systems — Overview and
vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de
l'information — Vue d'ensemble et vocabulaire
Reference number
ISO/IEC 27000:2018(E)
© ISO/IEC 2018
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
Contents Page
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Information security management systems ... 11
4.1 General ... 11
4.2 What is an ISMS? ... 11
4.2.1 Overview and principles ... 11
4.2.2 Information ... 12
4.2.3 Information security ... 12
4.2.4 Management ... 12
4.2.5 Management system ... 13
4.3 Process approach ... 13
4.4 Why an ISMS is important ... 13
4.5 Establishing, monitoring, maintaining and improving an ISMS ... 14
4.5.1 Overview ... 14
4.5.2 Identifying information security requirements ... 14
4.5.3 Assessing information security risks ... 15
4.5.4 Treating information security risks ... 15
4.5.5 Selecting and implementing controls ... 15
4.5.6 Monitor, maintain and improve the effectiveness of the ISMS ... 16
4.5.7 Continual improvement ... 16
4.6 ISMS critical success factors ... 17
4.7 Benefits of the ISMS family of standards ... 17
5 ISMS family of standards ... 18
5.1 General information ... 18
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) ... 19
5.3 Standards specifying requirements ... 19
5.3.1 ISO/IEC 27001 ... 19
5.3.2 ISO/IEC 27006 ... 20
5.3.3 ISO/IEC 27009 ... 20
5.4 Standards describing general guidelines ... 20
5.4.1 ISO/IEC 27002 ... 20
5.4.2 ISO/IEC 27003 ... 20
5.4.3 ISO/IEC 27004 ... 21
5.4.4 ISO/IEC 27005 ... 21
5.4.5 ISO/IEC 27007 ... 21
5.4.6 ISO/IEC TR 27008 ... 21
5.4.7 ISO/IEC 27013 ... 22
5.4.8 ISO/IEC 27014 ... 22
5.4.9 ISO/IEC TR 27016 ... 22
5.4.10 ISO/IEC 27021 ... 22
5.5 Standards describing sector-specific guidelines ... 23
5.5.1 ISO/IEC 27010 ... 23
5.5.2 ISO/IEC 27011 ... 23
5.5.3 ISO/IEC 27017 ... 23
5.5.4 ISO/IEC 27018 ... 24
5.5.5 ISO/IEC 27019 ... 24
5.5.6 ISO 27799 ... 25
Bibliography ... 26
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned with the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and
operating a management system. This model incorporates the features on which experts in the field
have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an
expert committee dedicated to the development of international management systems standards for
information security, otherwise known as the information security management system (ISMS) family
of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets, including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2 Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3 Content of this document
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.
Information marked as "NOTE" is for guidance in understanding or clarifying the associated
requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the
terminological data and can contain provisions relating to the use of a term.
INTERNATIONAL STANDARD ISO/IEC 27000:2018(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family of standards. This document is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify
risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1, modified — Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and
controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the
organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48),
and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be
security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant
probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31)
3.33
information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54),
systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61) expressed in terms of the combination of consequences (3.12) and their
likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination of risks” has been deleted in the
definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and
objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified — Note 2 to entry has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified — Note 2 to entry has been deleted.]
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and
process (3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an information security objective or by the use of other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are
set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.49)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.51
outsource
make an arrangement where an external organization (3.50) performs part of an organization’s function
or process (3.54)
Note 1 to entry: An external organization is outside the scope of the management system (3.41), although the
outsourced function or process is within the scope.
3.52
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.54), products (including
services), systems or organizations (3.50).
3.53
policy
intentions and direction of an organization (3.50), as formally expressed by its top management (3.75)
3.54
process
set of interrelated or interacting activities which transforms inputs into outputs
3.55
reliability
property of consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as “retained risk”.
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter
to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
3.59
review object
specific item being reviewed
3.60
review objective
statement describing what is to be achieved as a result of a review (3.59)
3.61
risk
effect of uncertainty on objectives (3.49)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities
of an information asset or group of information assets and thereby cause harm to an organization.
3.62
risk acceptance
informed decision to take a particular risk (3.61)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk
treatment.
Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58).
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.63
risk analysis
process (3.54) to comprehend the nature of risk (3.61) and to determine the level of risk (3.39)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.64
risk assessment
overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.65
risk communication and consultation
set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain
information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.40), significance,
evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and
its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
3.66
risk criteria
terms of reference against which the significance of risk (3.61) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal
context (3.38).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.67
risk evaluation
process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine
whether the risk (3.61) and/or its magnitude is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72).
[SOURCE: ISO Guide 73:2009, 3.7.1]
3.68
risk identification
process (3.54) of finding, recognizing and describing risks (3.61)
Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their
potential consequences (3.12).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and stakeholders’ (3.37) needs.
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.69
risk management
coordinated activities to direct and control an organization (3.50) with regard to risk (3.61)
[SOURCE: ISO Guide 73:2009, 2.1]
3.70
risk management process
systematic application of management policies (3.53), procedures and practices to the activities of
communicating, consulting, establishing the context and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.61)
Note 1 to entry: ISO/IEC 27005 uses the term “process” (3.54) to describe risk management overall. The elements
within the risk management (3.69) process are referred to as “activities”.
[SOURCE: ISO Guide 73:2009, 3.1, modified — Note 1 to entry has been added.]
3.71
risk owner
person or entity with the accountability and authority to manage a risk (3.61)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.72
risk treatment
process (3.54) to modify risk (3.61)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — “decision” has been replaced by “choice” in Note 1 to entry.]
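The risk vocabulary of entries 3.57 (residual risk), 3.61 (risk), 3.63 (risk analysis), 3.66 (risk criteria), 3.67 (risk evaluation) and 3.72 (risk treatment) exercised on a toy risk register. This is an added example, not text or code from ISO/IEC 27000 or any ISO project; it assumes 1..5 ordinal scales for likelihood and consequence, expresses level of risk as their product (one common convention, not something the standard prescribes), and uses constructed sample risks and controls.

```python
"""Toy risk register illustrating the ISO/IEC 27000 risk terms (added example, not from the standard)."""
from dataclasses import dataclass
from typing import Iterable

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1..5 ordinal scales for likelihood (3.40) and consequence (3.12)


@dataclass(frozen=True)
class Risk:
    """An identified risk (3.68): a described event with its likelihood and consequence."""
    description: str
    likelihood: int
    consequence: int

    def __post_init__(self) -> None:
        # Reject values outside the agreed scale so a typo cannot silently distort the level of risk.
        for value in (self.likelihood, self.consequence):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"scale value {value} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def level(self) -> int:
        """Level of risk (3.39): here the product of likelihood and consequence (assumed convention)."""
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Control:
    """A control (3.14): modifies risk by lowering likelihood and/or consequence by the stated steps."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria (3.66): the highest level of risk the organization treats as acceptable."""
    acceptable_level: int


def evaluate(risk: Risk, criteria: RiskCriteria) -> bool:
    """Risk evaluation (3.67): compare the analysed level of risk with the risk criteria."""
    return risk.level <= criteria.acceptable_level


def treat(risk: Risk, controls: Iterable[Control]) -> Risk:
    """Risk treatment (3.72): apply controls; the returned risk is the residual risk (3.57).
    Values never drop below SCALE_MIN, since a control cannot make an event impossible."""
    likelihood, consequence = risk.likelihood, risk.consequence
    for control in controls:
        likelihood = max(SCALE_MIN, likelihood - control.likelihood_reduction)
        consequence = max(SCALE_MIN, consequence - control.consequence_reduction)
    return Risk(risk.description, likelihood, consequence)


def decide(risk: Risk, controls: Iterable[Control], criteria: RiskCriteria) -> dict:
    """Run analysis, treatment and evaluation for one risk and report inherent and residual outcomes."""
    controls = list(controls)
    residual = treat(risk, controls)
    return {
        "inherent_level": risk.level,
        "residual_level": residual.level,
        "acceptable_before": evaluate(risk, criteria),
        "acceptable_after": evaluate(residual, criteria),
        "controls": [c.name for c in controls],
    }


# Constructed sample register: risks, controls and criteria are illustrative, not from the standard.
CRITERIA = RiskCriteria(acceptable_level=6)
SAMPLE_RISKS = {
    "backup_loss": Risk("unencrypted backup tapes lost in transit", likelihood=3, consequence=5),
    "phishing": Risk("credential phishing against staff mailboxes", likelihood=5, consequence=3),
    "legacy_vpn": Risk("unpatched legacy VPN appliance reachable from the internet", likelihood=4, consequence=4),
}
SAMPLE_CONTROLS = {
    "backup_loss": [Control("encrypt backups at rest", consequence_reduction=3)],
    "phishing": [Control("phishing-resistant MFA", likelihood_reduction=2),
                 Control("security awareness training", likelihood_reduction=1)],
    "legacy_vpn": [Control("monthly patch cadence", likelihood_reduction=1)],
}


def run_register() -> dict:
    """Evaluate every sample risk; a residual that is still unacceptable needs further treatment or escalation."""
    return {key: decide(risk, SAMPLE_CONTROLS[key], CRITERIA) for key, risk in SAMPLE_RISKS.items()}


if __name__ == "__main__":
    for key, outcome in run_register().items():
        print(key, outcome)
```

In the sample run, "backup_loss" and "phishing" end with a residual level within the criteria and can be accepted (3.62) subject to monitoring and review, while "legacy_vpn" stays above the criteria after treatment, which is the case Note 1 to 3.57 warns about: treatment reduced the risk but did not make it acceptable, so the risk owner (3.71) must choose further treatment or an explicit, documented retention.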
3.73
security implementation standard
document specifying authorized ways for realizing security
3.74
threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.75
top management
person or group of people who directs and controls an organization (3.50) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.41) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
3.76
trusted information communication entity
autonomous organization (3.50) supporting information exchange within an information sharing
community (3.34)
3.77
vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important
assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for
example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information
security is generally based on information being considered as an asset which has a value requiring
appropriate protection, for example, against the loss of availability, confidentiality and integrity.
Enabling accurate and complete information to be available in a timely manner to those with an
authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information
security effectively is essential to enable an organization to achieve its objectives, and maintain and
enhance its legal compliance and image. These coordinated activities directing the implementation of
suitable controls and treating unacceptable information security risks are general
...
SIST EN ISO/IEC 27000
SLOVENIAN STANDARD
April 2020
Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018)
Informationstechnik – Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information – Techniques de sécurité – Systèmes de management de la sécurité de l'information – Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Reference designation
ICS 01.040.35; 03.100.70; 35.030 SIST EN ISO/IEC 27000 : 2020 (sl)
Continued on pages II and III and from 2 to 34
© 2024-12. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of this standard in whole or in part is not permitted.
SIST EN ISO/IEC 27000 : 2020
NATIONAL INTRODUCTION
The standard SIST EN ISO/IEC 27000 (sl), Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018), 2020, has the status of a Slovenian standard and is equivalent to the European standard EN ISO/IEC 27000 (en, fr, de), Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018), 2020.
NATIONAL FOREWORD
The text of the standard EN ISO/IEC 27000:2020 was prepared by the joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC JTC 1 Information technology. The Slovenian standard SIST EN ISO/IEC 27000:2020 is a translation of the English text of the European standard EN ISO/IEC 27000:2020. In the event of a dispute concerning the text of the Slovenian translation in this standard, the original European standard in English is decisive. The Slovenian edition of the standard was prepared by SIST/TC ITC Information technology.
The decision to adopt this standard was taken by SIST/TC ITC Information technology on 18 November 2024.
BASIS FOR THE ISSUE OF THE STANDARD
‒ adoption of the standard EN ISO/IEC 27000:2020
PREVIOUS EDITION
‒ SIST EN ISO/IEC 27000:2017, Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2016)
NOTES
‒ Wherever the term "European standard" is used in the text of the standard, in SIST EN ISO/IEC 27000:2020 this means "Slovenian standard".
‒ The national introduction and the national foreword are not an integral part of the standard.
‒ In subclause 5.4.10 (of clause 5.4 Standards describing general guidelines), the European standard gives an incorrect title for ISO/IEC 27021. The correct title is "Information technology – Security techniques – Competence requirements for information security management systems professionals".
‒ In subclause 5.4.2 (of clause 5.4 Standards describing general guidelines) and in the Bibliography, the European standard gives an incorrect title for ISO/IEC 27003. The correct title is "Information technology – Security techniques – Information security management systems – Guidance".
‒ This national document is equivalent to EN ISO/IEC 27000:2020 and is published with the permission of
CEN-CENELEC
Management Centre
Rue de la Science 23
B-1040 Brussels
Belgium
EUROPEAN STANDARD EN ISO/IEC 27000
EUROPEAN STANDARD
NORME EUROPÉENNE
February 2020
EUROPÄISCHE NORM
ICS 01.040.35; 03.100.70; 35.030
Slovenian edition
Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018)
Technologies de l'information – Techniques de sécurité – Systèmes de management de la sécurité de l'information – Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informationstechnik – Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Überblick und Terminologie (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations, which stipulate that this standard must be adopted as a national standard without any alteration. Up-to-date lists of these national standards and their bibliographical references may be obtained on request from the CEN-CENELEC Management Centre or from any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Greece, Croatia, Ireland, Iceland, Italy, Latvia, Lithuania, Luxembourg, Hungary, Malta, Germany, the Netherlands, Norway, Poland, Portugal, the Republic of North Macedonia, Romania, Slovakia, Slovenia, Serbia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
CEN-CENELEC
CEN-CENELEC Management Centre
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved for the CEN and CENELEC member countries. Ref. No. EN ISO/IEC 27000:2020 E
CONTENTS ... Page
European foreword ... 3
European foreword
The text of ISO/IEC 27000:2018 was prepared by Technical Committee ISO/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and was adopted as EN ISO/IEC 27000:2020 by Technical Committee CEN/CLC/JTC 13 "Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Greece, Croatia, Ireland, Iceland, Italy, Latvia, Lithuania, Luxembourg, Hungary, Malta, Germany, the Netherlands, Norway, Poland, Portugal, the Republic of North Macedonia, Romania, Slovakia, Slovenia, Serbia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any modification.
Contents ... Page
Foreword to the International Standard ... 6
Introduction ... 7
1 Scope ... 8
2 Normative references ... 8
3 Terms and definitions ... 8
4 Information security management systems ... 18
4.1 General ... 18
4.2 What is an information security management system? ... 18
4.2.1 Overview and principles ... 18
4.2.2 Information ... 19
4.2.3 Information security ... 19
4.2.4 Management ... 19
4.2.5 Management system ... 20
4.3 Process approach ... 20
4.4 Why an information security management system is important ... 20
4.5 Establishing, monitoring, maintaining and improving an information security management system ... 21
4.5.1 Overview ... 21
4.5.2 Identifying information security requirements ... 21
4.5.3 Assessing information security risks ... 22
4.5.4 Treating information security risks ... 22
4.5.5 Selecting and implementing controls ... 22
4.5.6 Monitoring, maintaining and improving the effectiveness of the information security management system ... 23
4.5.7 Continual improvement ... 24
4.6 Critical success factors of the information security management system ... 24
4.7 Benefits of the ISMS family of standards ... 24
5 ISMS family of standards ... 25
5.1 General information ... 25
5.2 Standards describing an overview and terminology: ISO/IEC 27000 (this document) ... 26
5.3 Standards specifying requirements ... 26
5.3.1 ISO/IEC 27001 ... 26
5.3.2 ISO/IEC 27006 ... 27
5.3.3 ISO/IEC 27009 ... 27
5.4 Standards describing general guidelines ... 27
5.4.1 ISO/IEC 27002 ... 27
5.4.2 ISO/IEC 27003 ... 28
5.4.3 ISO/IEC 27004 ... 28
5.4.4 ISO/IEC 27005 ... 28
5.4.5 ISO/IEC 27007 ... 28
5.4.6 ISO/IEC TR 27008 ... 28
5.4.7 ISO/IEC 27013 ... 29
5.4.8 ISO/IEC 27014 ... 29
5.4.9 ISO/IEC TR 27016 ... 29
5.4.10 ISO/IEC 27021 ... 30
5.5 Standards describing sector-specific guidelines ... 30
5.5.1 ISO/IEC 27010 ... 30
5.5.2 ISO/IEC 27011 ... 30
5.5.3 ISO/IEC 27017 ... 31
5.5.4 ISO/IEC 27018 ... 31
5.5.5 ISO/IEC 27019 ... 31
5.5.6 ISO 27799 ... 32
Bibliography ... 33
Foreword to the International Standard
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). International Standards are normally prepared by ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of this document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been technically revised.
The main changes compared to the previous edition are as follows:
‒ the Introduction has been restructured;
‒ some terms and definitions have been removed;
‒ Clause 3 has been aligned with the high level structure for management system standards (MSS);
‒ Clause 5 has been updated to reflect changes in the standards concerned;
‒ Annexes A and B have been deleted.
Introduction
0.1 Overview
International management system standards provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. Within ISO/IEC JTC 1/SC 27 there is an expert committee dedicated to the development of international management system standards for information security, otherwise known as the information security management system (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets, including financial information, intellectual property and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.
0.2 Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process of establishing, implementing, maintaining and improving an ISMS;
c) address sector-specific guidelines for an ISMS; and
d) address conformity assessment for an ISMS.
0.3 Content of this document
In this document, the following verbal forms are used:
‒ "shall" indicates a requirement;
‒ "should" indicates a recommendation;
‒ "may" indicates a permission;
‒ "can" indicates a possibility or a capability.
Information marked as "NOTE" is for guidance in understanding or clarifying the associated requirement. "Notes to entry" used in Clause 3 provide additional information that supplements the terminological data and can contain provisions relating to the use of a term.
Information technology ‒ Security techniques ‒ Information security management systems ‒ Overview and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions provided in this document
‒ cover commonly used terms and definitions in the ISMS family of standards;
‒ do not cover all terms and definitions applied within the ISMS family of standards; and
‒ do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
‒ ISO Online browsing platform: available at https://www.iso.org/obp
‒ IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: "Audit evidence" and "audit criteria" are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified – Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified – Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified – Note 2 to entry has been changed after the word "and".]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice or other actions which modify risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 – Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified – Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
‒ the management system (3.41), including related processes (3.54);
‒ information created in order for the organization (3.50) to operate (documentation);
‒ evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an "incident" or "accident".
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified – Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
‒ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
‒ key drivers and trends having impact on the objectives of the organization (3.50);
‒ relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization (3.50) directs and controls information security (3.28) activities
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the organization (3.50)
Note 1 to entry: The governing body can in some jurisdictions be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48) and reliability (3.55), can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with and learning from information security incidents (3.31)
3.33
information security management system professional
person who establishes, implements, maintains and continuously improves one or more information security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
‒ governance, organizational structure, roles and accountabilities;
‒ policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
‒ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54), systems and technologies);
‒ information systems (3.35), information flows and decision-making processes (both formal and informal);
‒ relationships with, and perceptions and values of, internal stakeholders (3.37);
‒ the organization's culture;
‒ standards, guidelines and models adopted by the organization;
‒ form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61), expressed in terms of the combination of consequences (3.12) and their likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified – "or combination of risks" has been deleted in the definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified – Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning and operation.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified – Note 2 to entry has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished:
‒ subjective: quantification involving human judgement; and
‒ objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified – Note 2 to entry has been deleted.]
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
NOTE 1: An objective can be strategic, tactical or operational.
NOTE 2: Objectives can relate to different disciplines (e.g. financial, health and safety, and environmental goals) and can apply at different levels (e.g. strategic, organization-wide, project, product and process (3.54)).
NOTE 3: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective, or by the use of other words with similar meaning (e.g. aim, goal or target).
NOTE 4: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.49)
NOTE: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.51
outsource
make an arrangement where an external organization (3.50) performs part of an organization's function or process (3.54)
NOTE: An external organization is outside the scope of the management system (3.41), although the outsourced function or process is within the scope.
3.52
performance
measurable result
NOTE 1: Performance can relate either to quantitative or qualitative findings.
NOTE 2: Performance can relate to the management of activities, processes (3.54), products (including services), systems or organizations (3.50).
3.53
policy
intentions and direction of an organization (3.50), as formally expressed by its top management (3.75)
3.54
process
set of interrelated or interacting activities which transforms inputs into outputs
3.55
reliability
property of consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
NOTE 1: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
NOTE 2: A specified requirement is one that is stated, for example in documented information.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
NOTE 1: Residual risk can contain unidentified risk.
NOTE 2: Residual risk can also be referred to as "retained risk".
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified – Note has been deleted.]
3.59
review object
specific item being reviewed
3.60
review objective
statement describing what is to be achieved as a result of a review (3.59)
3.61
risk
effect of uncertainty on objectives (3.49)
NOTE 1: An effect is a deviation from the expected – positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73:2009, 3.5.1.3) and "consequences" (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
NOTE 5: In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
NOTE 6: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
3.62
risk acceptance
informed decision to take a particular risk (3.61)
NOTE 1: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk treatment.
NOTE 2: Accepted risks are subject to monitoring (3.46) and review (3.58).
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.63
risk analysis
process (3.54) to comprehend the nature of risk (3.61) and to determine the level of risk (3.39)
NOTE 1: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).
NOTE 2: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.64
risk assessment
overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.65
risk communication and consultation
set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61)
NOTE 1: The information can relate to the existence, nature, form, likelihood (3.40), significance, evaluation, acceptability and treatment of risk.
NOTE 2: Consultation is a two-way process of informed communication between an organization (3.50) and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
‒ a process which impacts on a decision through influence rather than power; and
‒ an input to decision making, not joint decision making.
3.66
risk criteria
terms of reference against which the significance of risk (3.61) is evaluated
NOTE 1: Risk criteria are based on organizational objectives, and on the external context (3.22) and internal context (3.38).
NOTE 2: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.67
risk evaluation
process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine whether the risk (3.61) and/or its magnitude is acceptable or tolerable
NOTE: Risk evaluation assists in the decision about risk treatment (3.72).
[SOURCE: ISO Guide 73:2009, 3.7.1]
3.68
risk identification
process (3.54) of finding, recognizing and describing risks (3.61)
NOTE 1: Risk identification involves the identification of risk sources, events (3.21), their causes and their potential consequences (3.12).
NOTE 2: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and the needs of stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.69
risk management
coordinated activities to direct and control an organization (3.50) with regard to risk (3.61)
[SOURCE: ISO Guide 73:2009, 2.1]
3.70
risk management process
systematic application of management policies (3.53), procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.61)
NOTE: ISO/IEC 27005 uses the term "process" (3.54) to describe risk management overall. The elements within the risk management (3.69) process are termed "activities".
[SOURCE: ISO Guide 73:2009, 3.1, modified – Note has been added.]
3.71
risk owner
person or entity with the accountability and authority to manage a risk (3.61)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.72
risk treatment
process (3.54) to modify risk (3.61)
NOTE 1: Risk treatment can involve:
‒ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
‒ taking or increasing risk in order to pursue an opportunity;
‒ removing the risk source;
‒ changing the likelihood (3.40);
‒ changing the consequences (3.12);
‒ sharing the risk with another party or parties (including contracts and risk financing);
‒ retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified – "decision" has been replaced by "choice" in Note 1.]
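The following is an added illustration, not part of the standard: a small Python model that ties together the terms defined in 3.39 and 3.57 to 3.72 (level of risk, risk criteria, risk evaluation, risk treatment, residual risk) for a constructed two-entry risk register. The likelihood and consequence scales, the product formula, the acceptance thresholds and the register entries are all assumptions made for this example; the standard prescribes no particular scoring scheme.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed qualitative scales; the standard prescribes no particular scoring.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}   # likelihood (3.40)
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}    # consequence (3.12)

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str
    owner: str  # risk owner (3.71): accountable for managing this risk

def level_of_risk(r: Risk) -> int:
    """Level of risk (3.39): combination of consequence and likelihood,
    modelled here (an assumption) as the product of the two scale values."""
    return LIKELIHOOD[r.likelihood] * CONSEQUENCE[r.consequence]

def evaluate(r: Risk, acceptable_max: int = 4, tolerable_max: int = 8) -> str:
    """Risk evaluation (3.67): compare the analysed level with the risk
    criteria (3.66); the two thresholds are constructed for this example."""
    level = level_of_risk(r)
    if level <= acceptable_max:
        return "acceptable"    # candidate for risk acceptance (3.62)
    if level <= tolerable_max:
        return "tolerable"     # retain, but keep under monitoring (3.46) and review (3.58)
    return "unacceptable"      # requires risk treatment (3.72)

def treat(r: Risk, likelihood: Optional[str] = None,
          consequence: Optional[str] = None) -> Risk:
    """Risk treatment (3.72) by changing likelihood and/or consequences.
    The returned Risk describes the residual risk (3.57)."""
    return replace(r, likelihood=likelihood or r.likelihood,
                   consequence=consequence or r.consequence)

# Constructed sample register (not from the standard).
REGISTER = [
    Risk("stolen laptop exposes customer records", "possible", "major", "CISO"),
    Risk("outdated printer firmware", "unlikely", "minor", "IT operations"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: level {level_of_risk(r)} -> {evaluate(r)}")
    # A control that limits the consequence (e.g. full-disk encryption) gives the residual risk.
    residual = treat(REGISTER[0], consequence="minor")
    print(f"residual: level {level_of_risk(residual)} -> {evaluate(residual)}")
```

Note that a residual risk is re-evaluated against the same criteria, and that accepted or tolerated entries remain subject to monitoring and review rather than being closed.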
3.73
security implementation standard
document specifying authorized ways for realizing security
3.74
threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.75
top management
person or group of people who directs and controls an organization (3.50) at the highest level
NOTE 1: Top management has the power to delegate authority and provide resources within the organization.
NOTE 2: If the scope of the management system (3.41) covers only part of an organization, then top management refers to those who direct and control that part of the organization.
NOTE 3: Top management is sometimes called executive management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers and similar roles.
3.76
trusted information communication entity
autonomous organization (3.50) supporting information exchange within an information sharing community (3.34)
3.77
vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations of all types and sizes:
a) collect, process, store and transmit information;
b) recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining and improving information security effectively is essential to enable an organization to achieve its objectives and to maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.
As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
4.2 What is an information security management system?
4.2.1 Overview and principles
An information security management system consists of the policies, procedures, guidelines and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An information security management system is a systematic approach for establishing, implementing, operating, monitoring, pr
...