SIST EN ISO/IEC 27000:2020
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
This document provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informacijska tehnologija - Varnostne tehnike - Sistemi vodenja informacijske varnosti - Pregled in izrazje (ISO/IEC 27000:2018)
Overview
EN ISO/IEC 27000:2020 (identical to ISO/IEC 27000:2018) provides an authoritative overview and vocabulary for Information Security Management Systems (ISMS). Published by CEN as the European adoption of ISO/IEC 27000:2018, this standard sets the foundational terminology and conceptual framework used across the ISMS family of standards. It explains what an ISMS is, why it matters, and how the ISMS standards interrelate, which is essential for consistent implementation, assessment and communication about information security.
Key topics
- Terms and definitions: Clause 3 establishes standardized vocabulary for use across the ISO/IEC 27000 series, reducing ambiguity in policy, documentation and audits.
- ISMS fundamentals: Describes the nature and principles of an ISMS, including information, information security, management and management systems.
- Process approach: Aligns ISMS concepts with a process-based management-system model and the high-level structure used by management system standards.
- Establishing and operating an ISMS: High-level guidance on identifying security requirements, assessing and treating information security risks, selecting and implementing controls, and monitoring effectiveness.
- Continual improvement: Emphasizes monitoring, maintenance and continual improvement of the ISMS to sustain and enhance security posture.
- ISMS critical success factors and benefits: Outlines factors that affect success and the organizational benefits of adopting the ISMS family of standards.
- ISMS family mapping: Summarizes related standards (requirements, guidelines and sector-specific documents) and how they support ISO/IEC 27000.
Applications
- Organizations implementing an ISMS or preparing for ISO/IEC 27001 certification will use EN ISO/IEC 27000 as the baseline terminology and conceptual guide.
- Security managers, IT teams and risk officers rely on the standard to align policies, risk assessments and control selection with internationally recognized definitions.
- Auditors and certification bodies use consistent vocabulary and scope definitions to assess conformance.
- Consultants and trainers reference EN ISO/IEC 27000 when designing ISMS frameworks, training materials and gap analyses.
Related standards
Key documents in the ISMS family referenced by EN ISO/IEC 27000 include:
- ISO/IEC 27001 (requirements for an ISMS)
- ISO/IEC 27002 (guidelines for controls)
- ISO/IEC 27005 (information security risk management)
- Other guidance and sector-specific standards such as ISO/IEC 27003, 27004, 27006, 27007, 27017, 27018, etc.
EN ISO/IEC 27000:2020 is essential reading for anyone building, operating, auditing or advising on information security management systems, providing the common language and high-level framework needed for effective ISMS implementation and communication.
Frequently Asked Questions
SIST EN ISO/IEC 27000:2020 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)". Its scope is the one given in the abstract at the top of this page: an overview of information security management systems (ISMS) together with the terms and definitions commonly used in the ISMS family of standards, applicable to all types and sizes of organization.
SIST EN ISO/IEC 27000:2020 is classified under the following ICS (International Classification for Standards) categories: 01.040.35 - Information technology (Vocabularies); 03.100.70 - Management systems; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
SIST EN ISO/IEC 27000:2020 has the following relationships with other standards: it is linked to SIST EN ISO/IEC 27000:2017 (the edition it supersedes) and to the draft oSIST prEN ISO/IEC 27000:2025. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
SLOVENIAN STANDARD
1 April 2020
Supersedes:
SIST EN ISO/IEC 27000:2017
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazje (ISO/IEC 27000:2018)
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
This Slovenian standard is identical to: EN ISO/IEC 27000:2020
ICS:
01.040.35 Information technology (Vocabularies)
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
EUROPEAN STANDARD
EN ISO/IEC 27000
February 2020
ICS 01.040.35; 35.030
Supersedes EN ISO/IEC 27000:2017
English version
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members. Ref. No. EN ISO/IEC 27000:2020 E
Contents (page numbers in brackets)
European foreword [3]
European foreword
The text of ISO/IEC 27000:2018 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and has been taken over as the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any modification.
INTERNATIONAL STANDARD ISO/IEC 27000
Fifth edition
2018-02
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Vue d'ensemble et vocabulaire
Reference number ISO/IEC 27000:2018(E)
© ISO/IEC 2018
ISO/IEC 27000:2018(E)
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office, CP 401 • Ch. de Blandonnet 8, CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved
Contents (page numbers in brackets)
Foreword [iv]
Introduction [v]
1 Scope [1]
2 Normative references [1]
3 Terms and definitions [1]
4 Information security management systems [11]
4.1 General [11]
4.2 What is an ISMS? [11]
4.2.1 Overview and principles [11]
4.2.2 Information [12]
4.2.3 Information security [12]
4.2.4 Management [12]
4.2.5 Management system [13]
4.3 Process approach [13]
4.4 Why an ISMS is important [13]
4.5 Establishing, monitoring, maintaining and improving an ISMS [14]
4.5.1 Overview [14]
4.5.2 Identifying information security requirements [14]
4.5.3 Assessing information security risks [15]
4.5.4 Treating information security risks [15]
4.5.5 Selecting and implementing controls [15]
4.5.6 Monitor, maintain and improve the effectiveness of the ISMS [16]
4.5.7 Continual improvement [16]
4.6 ISMS critical success factors [17]
4.7 Benefits of the ISMS family of standards [17]
5 ISMS family of standards [18]
5.1 General information [18]
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) [19]
5.3 Standards specifying requirements [19]
5.3.1 ISO/IEC 27001 [19]
5.3.2 ISO/IEC 27006 [20]
5.3.3 ISO/IEC 27009 [20]
5.4 Standards describing general guidelines [20]
5.4.1 ISO/IEC 27002 [20]
5.4.2 ISO/IEC 27003 [20]
5.4.3 ISO/IEC 27004 [21]
5.4.4 ISO/IEC 27005 [21]
5.4.5 ISO/IEC 27007 [21]
5.4.6 ISO/IEC TR 27008 [21]
5.4.7 ISO/IEC 27013 [22]
5.4.8 ISO/IEC 27014 [22]
5.4.9 ISO/IEC TR 27016 [22]
5.4.10 ISO/IEC 27021 [22]
5.5 Standards describing sector-specific guidelines [23]
5.5.1 ISO/IEC 27010 [23]
5.5.2 ISO/IEC 27011 [23]
5.5.3 ISO/IEC 27017 [23]
5.5.4 ISO/IEC 27018 [24]
5.5.5 ISO/IEC 27019 [24]
5.5.6 ISO 27799 [25]
Bibliography [26]
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned on the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the information security management system (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets, including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.
0.2 Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish, implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3 Content of this document
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the terminological data and can contain provisions relating to the use of a term.
INTERNATIONAL STANDARD ISO/IEC 27000:2018(E)
Information technology — Security techniques — Information security management systems — Overview and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (3.31)
3.33
information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54), systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61) expressed in terms of the combination of consequences (3.12) and their likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination of risks” has been deleted in the definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified — Note 2 to entry has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified — Note 2 to entry has been deleted.]
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.49)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.51
outsource
make an arrangement where an external organization (3.50) performs part of an organization’s function
or process (3.54)
Note 1 to entry: An external organization is outside the scope of the management system (3.41), although the
outsourced function or process is within the scope.
3.52
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.54), products (including
services), systems or organizations (3.50).
3.53
policy
intentions and direction of an organization (3.50), as formally expressed by its top management (3.75)
3.54
process
set of interrelated or interacting activities which transforms inputs into outputs
3.55
reliability
property of consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as “retained risk”.
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter
to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
3.59
review object
specific item being reviewed
3.60
review objective
statement describing what is to be achieved as a result of a review (3.58)
3.61
risk
effect of uncertainty on objectives (3.49)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities
of an information asset or group of information assets and thereby cause harm to an organization.
3.62
risk acceptance
informed decision to take a particular risk (3.61)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk
treatment.
Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58).
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.63
risk analysis
process (3.54) to comprehend the nature of risk (3.61) and to determine the level of risk (3.39)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.64
risk assessment
overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.65
risk communication and consultation
set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain
information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.40), significance,
evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and
its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
3.66
risk criteria
terms of reference against which the significance of risk (3.61) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal
context (3.38).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.67
risk evaluation
process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine
whether the risk (3.61) and/or its magnitude is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72).
[SOURCE: ISO Guide 73:2009, 3.7.1]
3.68
risk identification
process (3.54) of finding, recognizing and describing risks (3.61)
Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their
potential consequences (3.12).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and stakeholders’ (3.37) needs.
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.69
risk management
coordinated activities to direct and control an organization (3.50) with regard to risk (3.61)
[SOURCE: ISO Guide 73:2009, 2.1]
3.70
risk management process
systematic application of management policies (3.53), procedures and practices to the activities of
communicating, consulting, establishing the context and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.61)
Note 1 to entry: ISO/IEC 27005 uses the term “process” (3.54) to describe risk management overall. The elements
within the risk management (3.69) process are referred to as “activities”.
[SOURCE: ISO Guide 73:2009, 3.1, modified — Note 1 to entry has been added.]
3.71
risk owner
person or entity with the accountability and authority to manage a risk (3.61)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.72
risk treatment
process (3.54) to modify risk (3.61)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — “decision” has been replaced by “choice” in Note 1
to entry.]
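The risk terms in 3.39, 3.57 and 3.61 to 3.72 describe one process. The following Python walk-through, added here and not part of the standard, chains them: level of risk as a combination of likelihood and consequence, risk evaluation against risk criteria, the treatment options listed in 3.72 Note 1, and the residual risk that remains. The 1..5 ordinal scales, the product as the combination, the acceptance threshold and the sample register are all constructed assumptions.

```python
"""Risk-vocabulary walk-through (added example; not text or code from ISO/IEC 27000).

Models level of risk (3.39) as a combination of consequence (3.12) and likelihood (3.40),
risk criteria (3.66), risk evaluation (3.67), risk treatment (3.72) and residual risk (3.57).
The 1..5 ordinal scales, the acceptance threshold and the sample register are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """Risk treatment options listed in 3.72, Note 1."""
    AVOID = "avoid"                            # do not start/continue the activity
    REMOVE_SOURCE = "remove_source"            # remove the risk source
    REDUCE_LIKELIHOOD = "reduce_likelihood"    # change the likelihood
    REDUCE_CONSEQUENCE = "reduce_consequence"  # change the consequences
    SHARE = "share"                            # share with another party (contract, insurance)
    RETAIN = "retain"                          # retain by informed choice


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); constructed ordinal scale
    consequence: int  # 1 (negligible) .. 5 (severe); constructed ordinal scale


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria (3.66): the level at or below which a risk is acceptable."""
    acceptable_level: int


def level_of_risk(risk: Risk) -> int:
    """Level of risk (3.39); using the product of the two ordinal scales is an assumption."""
    for value in (risk.likelihood, risk.consequence):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: scale values must lie in 1..5")
    return risk.likelihood * risk.consequence


def evaluate(risk: Risk, criteria: RiskCriteria) -> bool:
    """Risk evaluation (3.67): compare the analysed level with the risk criteria."""
    return level_of_risk(risk) <= criteria.acceptable_level


def treat(risk: Risk, option: Treatment, steps: int = 1) -> Optional[Risk]:
    """Risk treatment (3.72): modify the risk. Returns the residual risk (3.57),
    or None when the activity is avoided or the risk source is removed."""
    if option in (Treatment.AVOID, Treatment.REMOVE_SOURCE):
        return None
    if option is Treatment.REDUCE_LIKELIHOOD:
        return replace(risk, likelihood=max(1, risk.likelihood - steps))
    if option in (Treatment.REDUCE_CONSEQUENCE, Treatment.SHARE):
        # assumption: sharing lowers the consequence borne by the organization
        return replace(risk, consequence=max(1, risk.consequence - steps))
    return risk  # RETAIN: level unchanged; accepted risks stay under monitoring (3.62 Note 2)


def treat_until_acceptable(risk, criteria, plan):
    """Apply planned treatments in order, stopping once risk evaluation accepts the residual.
    Returns (residual, log); log records the level after each step, residual is None if avoided."""
    log = [(None, level_of_risk(risk))]
    current = risk
    for option, steps in plan:
        if evaluate(current, criteria):
            break
        current = treat(current, option, steps)
        if current is None:
            log.append((option, 0))
            return None, log
        log.append((option, level_of_risk(current)))
    return current, log


# Constructed sample risk register and treatment plans (not from the standard).
SAMPLE_CRITERIA = RiskCriteria(acceptable_level=6)
SAMPLE_REGISTER = {
    Risk("unpatched internet-facing service", likelihood=4, consequence=5):
        [(Treatment.REDUCE_LIKELIHOOD, 2), (Treatment.REDUCE_CONSEQUENCE, 2)],
    Risk("legacy file share with no business owner", likelihood=3, consequence=3):
        [(Treatment.REMOVE_SOURCE, 0)],
    Risk("laptop loss with full-disk encryption", likelihood=2, consequence=2):
        [(Treatment.RETAIN, 0)],
}


def assess_register(register, criteria):
    """Returns {risk name: (initial level, residual level or None, residual acceptable)}."""
    report = {}
    for risk, plan in register.items():
        residual, log = treat_until_acceptable(risk, criteria, plan)
        residual_level = None if residual is None else level_of_risk(residual)
        accepted = residual is None or evaluate(residual, criteria)
        report[risk.name] = (log[0][1], residual_level, accepted)
    return report


if __name__ == "__main__":
    for name, (initial, residual, ok) in assess_register(SAMPLE_REGISTER, SAMPLE_CRITERIA).items():
        print(f"{name}: level {initial} -> residual {residual}, acceptable={ok}")
```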
3.73
security implementation standard
document specifying authorized ways for realizing security
3.74
threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.75
top management
person or group of people who directs and controls an organization (3.50) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.41) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
3.76
trusted information communication entity
autonomous organization (3.50) supporting information exchange within an information sharing
community (3.34)
3.77
vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important
assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for
example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information
security is generally based on information being considered as an asset which has a value requiring
appropriate protection, for example, against the loss of availability, confidentiality and integrity.
Enabling accurate and complete information to be available in a timely manner to those with an
authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information
security effectively is essential to enable an organization to achieve its objectives, and maintain and
enhance its legal compliance and image. These coordinated activities directing the implementation of
suitable controls and treating unacceptable information security risks are gen
...
SLOVENIAN STANDARD
1 April 2020
Supersedes:
SIST EN ISO/IEC 27000:2017
Information technology - Security techniques - Information security management
systems - Overview and vocabulary (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-
Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de
la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
This Slovenian standard is identical to: EN ISO/IEC 27000:2020
ICS:
01.040.35 Information technology (Vocabularies)
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or any part of this standard is not permitted.
EUROPEAN STANDARD
EN ISO/IEC 27000
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2020
ICS 01.040.35; 35.030
Supersedes EN ISO/IEC 27000:2017
English version
Information technology - Security techniques - Information
security management systems - Overview and vocabulary
(ISO/IEC 27000:2018)
Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27000:2020 E
Contents
European foreword ... 3
European foreword
The text of ISO/IEC 27000:2018 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
EN ISO/IEC 27000:2020 by a technical committee of CEN, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall
be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any
modification.
INTERNATIONAL STANDARD ISO/IEC 27000
Fifth edition
2018-02
Information technology — Security
techniques — Information security
management systems — Overview and
vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes
de management de la sécurité de l'information — Vue d'ensemble et
vocabulaire
Reference number
ISO/IEC 27000:2018(E)
© ISO/IEC 2018
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Information security management systems ... 11
4.1 General ... 11
4.2 What is an ISMS? ... 11
4.2.1 Overview and principles ... 11
4.2.2 Information ... 12
4.2.3 Information security ... 12
4.2.4 Management ... 12
4.2.5 Management system ... 13
4.3 Process approach ... 13
4.4 Why an ISMS is important ... 13
4.5 Establishing, monitoring, maintaining and improving an ISMS ... 14
4.5.1 Overview ... 14
4.5.2 Identifying information security requirements ... 14
4.5.3 Assessing information security risks ... 15
4.5.4 Treating information security risks ... 15
4.5.5 Selecting and implementing controls ... 15
4.5.6 Monitor, maintain and improve the effectiveness of the ISMS ... 16
4.5.7 Continual improvement ... 16
4.6 ISMS critical success factors ... 17
4.7 Benefits of the ISMS family of standards ... 17
5 ISMS family of standards ... 18
5.1 General information ... 18
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) ... 19
5.3 Standards specifying requirements ... 19
5.3.1 ISO/IEC 27001 ... 19
5.3.2 ISO/IEC 27006 ... 20
5.3.3 ISO/IEC 27009 ... 20
5.4 Standards describing general guidelines ... 20
5.4.1 ISO/IEC 27002 ... 20
5.4.2 ISO/IEC 27003 ... 20
5.4.3 ISO/IEC 27004 ... 21
5.4.4 ISO/IEC 27005 ... 21
5.4.5 ISO/IEC 27007 ... 21
5.4.6 ISO/IEC TR 27008 ... 21
5.4.7 ISO/IEC 27013 ... 22
5.4.8 ISO/IEC 27014 ... 22
5.4.9 ISO/IEC TR 27016 ... 22
5.4.10 ISO/IEC 27021 ... 22
5.5 Standards describing sector-specific guidelines ... 23
5.5.1 ISO/IEC 27010 ... 23
5.5.2 ISO/IEC 27011 ... 23
5.5.3 ISO/IEC 27017 ... 23
5.5.4 ISO/IEC 27018 ... 24
5.5.5 ISO/IEC 27019 ... 24
5.5.6 ISO 27799 ... 25
Bibliography ... 26
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned on the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and
operating a management system. This model incorporates the features on which experts in the field
have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an
expert committee dedicated to the development of international management systems standards for
information security, otherwise known as the Information Security Management system (ISMS) family
of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets, including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2 Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3 Content of this document
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated
requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the
terminological data and can contain provisions relating to the use of a term.
INTERNATIONAL STANDARD ISO/IEC 27000:2018(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family of standards. This document is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify
risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and
controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the
organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48),
and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be
security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant
probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31)
3.33
information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54),
systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61) expressed in terms of the combination of consequences (3.12) and their
likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination of risks” has been deleted in the
definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and
objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified — Note 2 to entry has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified — Note 2 to entry has been deleted.]
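Entries 3.42 to 3.45 above, together with base measure (3.8), derived measure (3.18) and indicator (3.25), describe a single chain: base measures are quantified directly by a measurement method, a measurement function combines them into a derived measure, and an indicator evaluates the result against an information need. The following Python example is added here to show that chain on constructed data; it is not text or code from ISO/IEC 27000 or from ISO. The patch records, the 30-day service level and the green/amber/red thresholds are assumptions.

```python
# Added example (not part of ISO/IEC 27000 or any ISO publication): one measurement
# chain from base measures (3.8) through a measurement function (3.44) to a derived
# measure (3.18) and an indicator (3.25). The patch records, the 30-day SLA and the
# green/amber/red thresholds are constructed for illustration; the standard
# prescribes none of them.
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class PatchRecord:
    """One host's status for a single security fix (attribute set assumed here)."""
    host: str
    fix_released: date
    applied: Optional[date]  # None: the fix has not been applied yet


# Constructed sample input; hosts and dates are illustrative only.
AS_OF = date(2024, 3, 31)
SAMPLE = [
    PatchRecord("web-1", date(2024, 2, 1), date(2024, 2, 10)),   # applied after 9 days
    PatchRecord("web-2", date(2024, 2, 1), date(2024, 3, 15)),   # applied after 43 days
    PatchRecord("db-1", date(2024, 2, 1), None),                 # open for 59 days
    PatchRecord("app-1", date(2024, 3, 20), None),               # open for 11 days
    PatchRecord("app-2", date(2024, 2, 15), date(2024, 3, 10)),  # applied after 24 days
]


def hosts_in_scope(records: Iterable[PatchRecord]) -> int:
    """Base measure (3.8): the attribute 'hosts in scope', quantified by counting,
    an objective measurement method (3.45)."""
    return sum(1 for _ in records)


def hosts_overdue(records: Iterable[PatchRecord], sla_days: int, as_of: date) -> int:
    """Base measure (3.8): hosts whose fix took, or has so far taken, longer than the
    SLA. It is functionally independent of hosts_in_scope (Note 1 to 3.8)."""
    overdue = 0
    for r in records:
        elapsed = ((r.applied or as_of) - r.fix_released).days
        if elapsed > sla_days:
            overdue += 1
    return overdue


def patch_compliance(records: Iterable[PatchRecord], sla_days: int, as_of: date) -> float:
    """Derived measure (3.18): the measurement function (3.44) combines the two base
    measures into the share of in-scope hosts that are not overdue."""
    records = list(records)
    in_scope = hosts_in_scope(records)
    if in_scope == 0:
        # No hosts means no value can be assigned to the measure (3.42); refusing is
        # safer than reporting a misleading 100 %.
        raise ValueError("no hosts in scope; the measure is undefined")
    return 1 - hosts_overdue(records, sla_days, as_of) / in_scope


def compliance_indicator(compliance: float, target: float = 0.95, warn: float = 0.80) -> str:
    """Indicator (3.25): an evaluation of the derived measure against thresholds an
    organization would set from its information need (3.26); values assumed here."""
    if compliance >= target:
        return "green"
    if compliance >= warn:
        return "amber"
    return "red"
```

The empty-scope branch matters in practice: a compliance ratio reported as 100 % because no hosts were in scope is a measurement error that the indicator would otherwise hide.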
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and
process (3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an information security objective or by the use of other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are
set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.49)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.51
outsource
make an arrangement where an external organization (3.50) performs part of an organization’s function
or process (3.54)
Note 1 to entry: An external organization is outside the scope of the management system (3.41), although the
outsourced function or process is within the scope.
3.52
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.54), products (including
services), systems or organizations (3.50).
3.53
policy
intentions and direction of an organization (3.50), as formally expressed by its top management (3.75)
3.54
process
set of interrelated or interacting activities which transforms inputs into outputs
3.55
reliability
property of consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as “retained risk”.
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter
to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
3.59
review object
specific item being reviewed
3.60
review objective
statement describing what is to be achieved as a result of a review (3.58)
3.61
risk
effect of uncertainty on objectives (3.49)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities
of an information asset or group of information assets and thereby cause harm to an organization.
3.62
risk acceptance
informed decision to take a particular risk (3.61)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk
treatment.
Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58).
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.63
risk analysis
process (3.54) to comprehend the nature of risk (3.61) and to determine the level of risk (3.39)
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.64
risk assessment
overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.65
risk communication and consultation
set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain
information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.40), significance,
evaluation, acceptability and treatment of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and
its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
3.66
risk criteria
terms of reference against which the significance of risk (3.61) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal
context (3.38).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.67
risk evaluation
process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine
whether the risk (3.61) and/or its magnitude is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72).
[SOURCE: ISO Guide 73:2009, 3.7.1]
3.68
risk identification
process (3.54) of finding, recognizing and describing risks (3.61)
Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their
potential consequences (3.12).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and stakeholders’ (3.37) needs.
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.69
risk management
coordinated activities to direct and control an organization (3.50) with regard to risk (3.61)
[SOURCE: ISO Guide 73:2009, 2.1]
3.70
risk management process
systematic application of management policies (3.53), procedures and practices to the activities of
communicating, consulting, establishing the context and identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.61)
Note 1 to entry: ISO/IEC 27005 uses the term “process” (3.54) to describe risk management overall. The elements
within the risk management (3.69) process are referred to as “activities”.
[SOURCE: ISO Guide 73:2009, 3.1, modified — Note 1 to entry has been added.]
3.71
risk owner
person or entity with the accountability and authority to manage a risk (3.61)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.72
risk treatment
process (3.54) to modify risk (3.61)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — “decision” has been replaced by “choice” in Note 1
to entry.]
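The risk entries 3.39 and 3.57 to 3.72 fit together as one process: risk identification produces the risks, risk analysis assigns each a level of risk from consequence and likelihood, risk evaluation compares that level with the risk criteria, risk treatment modifies the risk and leaves a residual risk, and risk acceptance is the informed decision to take what remains, subject to monitoring and review. The following Python example is added here to run that process on a constructed register; it is not code from ISO/IEC 27000 or from ISO. The 1 to 5 scales, the product as the scoring rule, the criteria thresholds and the sample risks are assumptions; the standard prescribes no scoring method.

```python
# Added example (not part of ISO/IEC 27000 or any ISO publication): a minimal risk
# register that runs the Clause 3 risk terms end to end. The 1..5 scales, the product
# as the level-of-risk rule, the criteria thresholds and the sample risks are
# assumptions made for illustration; the standard prescribes none of them.
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    """Risk treatment options listed in Note 1 to 3.72."""
    AVOID = "avoid the activity"
    REMOVE_SOURCE = "remove the risk source"
    REDUCE_LIKELIHOOD = "change the likelihood"
    REDUCE_CONSEQUENCE = "change the consequences"
    SHARE = "share with another party"
    RETAIN = "retain by informed choice"


@dataclass(frozen=True)
class Risk:
    """Risk (3.61): likelihood (3.40) and consequence (3.12) on an assumed 1..5
    ordinal scale, with an accountable risk owner (3.71)."""
    name: str
    owner: str
    likelihood: int
    consequence: int

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("likelihood and consequence must be on the 1..5 scale")


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria (3.66): thresholds on the level of risk, set by the organization."""
    acceptable_max: int  # at or below: acceptable as it stands
    tolerable_max: int   # at or below: may be retained by informed choice, then monitored


def level_of_risk(risk: Risk) -> int:
    """Level of risk (3.39): combination of consequence and likelihood (product assumed)."""
    return risk.likelihood * risk.consequence


def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """Risk evaluation (3.67): compare the analysed level (3.63) with the criteria."""
    level = level_of_risk(risk)
    if level <= criteria.acceptable_max:
        return "acceptable"
    return "tolerable" if level <= criteria.tolerable_max else "unacceptable"


def treat(risk: Risk, option: Treatment, by: int = 1) -> Optional[Risk]:
    """Risk treatment (3.72): return the residual risk (3.57), or None when the
    activity is avoided or the source removed (nothing residual is left to track)."""
    if option in (Treatment.AVOID, Treatment.REMOVE_SOURCE):
        return None
    if option == Treatment.REDUCE_LIKELIHOOD:
        return replace(risk, likelihood=max(1, risk.likelihood - by))
    if option in (Treatment.REDUCE_CONSEQUENCE, Treatment.SHARE):
        # Sharing (contract, insurance) is modelled as lowering the consequence the
        # organization itself bears; the likelihood of the event is unchanged.
        return replace(risk, consequence=max(1, risk.consequence - by))
    return risk  # RETAIN keeps the risk unmodified


def run_register(risks: List[Risk], criteria: RiskCriteria,
                 plan: Dict[str, Treatment]) -> Dict[str, Tuple[Optional[Risk], str]]:
    """Risk assessment (3.64) of each identified risk (3.68), treatment per the plan
    (risk name -> option) and a risk acceptance (3.62) decision; returns
    risk name -> (residual risk, decision)."""
    register: Dict[str, Tuple[Optional[Risk], str]] = {}
    for risk in risks:
        option = plan.get(risk.name)
        if option is None:
            # Acceptance without treatment only inside the criteria (3.62, Note 1).
            ok = evaluate(risk, criteria) == "acceptable"
            register[risk.name] = (risk, "accepted without treatment" if ok else "needs treatment")
            continue
        residual = treat(risk, option)
        if residual is None:
            decision = "avoided"
        elif evaluate(residual, criteria) == "unacceptable":
            decision = "needs further treatment"  # residual still outside the criteria
        else:
            decision = "accepted, monitor and review"  # accepted risks stay under review (3.62, Note 2)
        register[risk.name] = (residual, decision)
    return register


# Constructed sample register; names, owners and scores are illustrative only.
CRITERIA = RiskCriteria(acceptable_max=6, tolerable_max=12)
SAMPLE_RISKS = [
    Risk("VPN appliance exploited before patching", "Head of Infrastructure", 4, 5),  # level 20
    Risk("Phishing yields valid credentials", "CISO", 5, 3),                          # level 15
    Risk("Lost laptop with encrypted disk", "IT Operations", 3, 2),                   # level 6
    Risk("Legacy FTP upload service abused", "Application Owner", 3, 4),             # level 12
    Risk("Ransomware on file server", "Head of Infrastructure", 3, 5),               # level 15
]
PLAN = {
    "VPN appliance exploited before patching": Treatment.REDUCE_LIKELIHOOD,
    "Phishing yields valid credentials": Treatment.REDUCE_LIKELIHOOD,
    "Legacy FTP upload service abused": Treatment.AVOID,
}
```

Two behaviours are worth noticing: a treatment can leave a residual risk that is still outside the criteria (the VPN entry), which is why acceptance during treatment is an informed decision and not an automatic outcome; and an unacceptable risk with no planned treatment is flagged rather than silently retained.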
3.73
security implementation standard
document specifying authorized ways for realizing security
3.74
threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.75
top management
person or group of people who directs and controls an organization (3.50) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.41) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive
Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
3.76
trusted information communication entity
autonomous organization (3.50) supporting information exchange within an information sharing
community (3.34)
3.77
vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important
assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for
example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information
security is generally based on information being considered as an asset which has a value requiring
appropriate protection, for example, against the loss of availability, confidentiality and integrity.
Enabling accurate and complete information to be available in a timely manner to those with an
authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information
security effectively is essential to enable an organization to achieve its objectives, and maintain and
enhance its legal compliance and image. These coordinated activities directing the implementation of
suitable controls and treating unacceptable information security risks are general
...
SIST EN ISO/IEC 27000
SLOVENIAN STANDARD
April 2020
Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018)
Informationstechnik – Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Überblick und Terminologie (ISO/IEC 27000:2018)
Technologies de l'information – Techniques de sécurité – Systèmes de management de la sécurité de l'information – Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Reference designation
ICS 01.040.35; 03.100.70; 35.030 SIST EN ISO/IEC 27000 : 2020 (sl)
Continued on pages II and III and on pages 2 to 34
© 2024-12. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
SIST EN ISO/IEC 27000 : 2020
NATIONAL INTRODUCTION
The standard SIST EN ISO/IEC 27000 (sl), Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018), 2020, has the status of a Slovenian standard and is identical to the European standard EN ISO/IEC 27000 (en, fr, de), Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018), 2020.
NATIONAL FOREWORD
The text of the standard EN ISO/IEC 27000:2020 was prepared by the joint technical committee ISO/IEC JTC 1 Information technology of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The Slovenian standard SIST EN ISO/IEC 27000:2020 is a translation of the English text of the European standard EN ISO/IEC 27000:2020. In case of dispute concerning the text of the Slovenian translation in this standard, the original European standard in English prevails. The Slovenian edition of the standard was prepared by SIST/TC ITC Information technology.
The decision to adopt this standard was taken by SIST/TC ITC Information technology on 18 November 2024.
BASIS FOR THE ISSUE OF THE STANDARD
‒ adoption of the standard EN ISO/IEC 27000:2020
PREVIOUS EDITION
‒ SIST EN ISO/IEC 27000:2017, Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2016)
NOTES
‒ Wherever the term “European standard” is used in the text of the standard, in SIST EN ISO/IEC 27000:2020 it means “Slovenian standard”.
‒ The national introduction and the national foreword are not an integral part of the standard.
‒ In subclause 5.4.10 (of clause 5.4, Standards describing general guidelines) the European standard gives an incorrect title for ISO/IEC 27021. The correct title is “Information technology – Security techniques – Competence requirements for information security management systems professionals”.
‒ In subclause 5.4.2 (of clause 5.4, Standards describing general guidelines) and in the Bibliography the European standard gives an incorrect title for ISO/IEC 27003. The correct title is “Information technology – Security techniques – Information security management systems – Guidance”.
‒ This national document is identical to EN ISO/IEC 27000:2020 and is published with the permission of
CEN-CENELEC
Management Centre
Rue de la Science 23
B-1040 Brussels
Belgium
EUROPEAN STANDARD EN ISO/IEC 27000
NORME EUROPÉENNE
EUROPÄISCHE NORM
February 2020
ICS 01.040.35; 03.100.70; 35.030
Slovenian edition
Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2018)
Technologies de l'information – Techniques de sécurité – Systèmes de management de la sécurité de l'information – Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)
Informationstechnik – Sicherheitsverfahren – Informationssicherheits-Managementsysteme – Überblick und Terminologie (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC
CEN-CENELEC Management Centre
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27000:2020 E
Contents
European foreword
European foreword
The text of ISO/IEC 27000:2018 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 27000:2020 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any modification.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management systems
4.1 General
4.2 What is an ISMS?
4.2.1 Overview and principles
4.2.2 Information
4.2.3 Information security
4.2.4 Management
4.2.5 Management system
4.3 Process approach
4.4 Why an ISMS is important
4.5 Establishing, monitoring, maintaining and improving an ISMS
4.5.1 Overview
4.5.2 Identifying information security requirements
4.5.3 Assessing information security risks
4.5.4 Treating information security risks
4.5.5 Selecting and implementing controls
4.5.6 Monitoring, maintaining and improving the effectiveness of the ISMS
4.5.7 Continual improvement
4.6 ISMS critical success factors
4.7 Benefits of the ISMS family of standards
5 ISMS family of standards
5.1 General information
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document)
5.3 Standards specifying requirements
5.3.1 ISO/IEC 27001
5.3.2 ISO/IEC 27006
5.3.3 ISO/IEC 27009
5.4 Standards describing general guidelines
5.4.1 ISO/IEC 27002
5.4.2 ISO/IEC 27003
5.4.3 ISO/IEC 27004
5.4.4 ISO/IEC 27005
5.4.5 ISO/IEC 27007
5.4.6 ISO/IEC TR 27008
5.4.7 ISO/IEC 27013
5.4.8 ISO/IEC 27014
5.4.9 ISO/IEC TR 27016
5.4.10 ISO/IEC 27021
5.5 Standards describing sector-specific guidelines
5.5.1 ISO/IEC 27010
5.5.2 ISO/IEC 27011
5.5.3 ISO/IEC 27017
5.5.4 ISO/IEC 27018
5.5.5 ISO/IEC 27019
5.5.6 ISO 27799
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been technically revised.
The main changes compared to the previous edition are as follows:
‒ the Introduction has been reworked;
‒ some terms and definitions have been removed;
‒ Clause 3 has been aligned with the high-level structure for management system standards (MSS);
‒ Clause 5 has been updated to reflect changes in the standards concerned;
‒ Annexes A and B have been deleted.
Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the information security management system (ISMS) family of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets, including financial information, intellectual property and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.
0.2 Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish, implement, maintain and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3 Content of this document
In this document, the following verbal forms are used:
‒ “shall” indicates a requirement;
‒ “should” indicates a recommendation;
‒ “may” indicates a permission;
‒ “can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the terminological data and can contain provisions relating to the use of a term.
Information technology ‒ Security techniques ‒ Information security management systems ‒ Overview and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions provided in this document
‒ cover commonly used terms and definitions in the ISMS family of standards;
‒ do not cover all terms and definitions applied within the ISMS family of standards; and
‒ do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
‒ ISO Online browsing platform: available at https://www.iso.org/obp
‒ IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified – Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified – Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified – Note 2 to entry has been modified after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 – Note 2 to entry has been modified.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified – Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
‒ the management system (3.41), including related processes (3.54);
‒ information created in order for the organization (3.50) to operate (documentation);
‒ evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified – Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization (3.50) seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
‒ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
‒ key drivers and trends having impact on the objectives of the organization (3.50);
‒ relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization's (3.50) information security (3.28) activities are directed and controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformance of the organization (3.50)
Note 1 to entry: Governing body can in some jurisdictions be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48) and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (3.31)
3.33
information security management system professional
person who establishes, implements, maintains and continuously improves one or more information security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
NOTE: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
NOTE: Internal context can include:
‒ governance, organizational structure, roles and accountabilities;
‒ policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
‒ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54), systems and technologies);
‒ information systems (3.35), information flows and decision-making processes (both formal and informal);
‒ relationships with, and perceptions and values of, internal stakeholders (3.37);
‒ the organization's culture;
‒ standards, guidelines and models adopted by the organization;
‒ form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61) expressed in terms of the combination of consequences (3.12) and their likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified – "or combination of risks" has been deleted from the definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified – Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and objectives (3.49) and processes (3.54) to achieve those objectives
NOTE 1: A management system can address a single discipline or several disciplines.
NOTE 2: The system elements include the organization's structure, roles and responsibilities, planning and operation.
NOTE 3: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified – Note 2 has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale
NOTE: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished:
‒ subjective: quantification involving human judgement; and
‒ objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified – Note 2 has been deleted.]
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
NOTE: To determine the status, there can be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
NOTE 1: An objective can be strategic, tactical, or operational.
NOTE 2: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (3.54)).
NOTE 3: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 4: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.49)
NOTE: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.51
outsource
make an arrangement where an external organization (3.50) performs part of an organization's function or process (3.54)
NOTE: An external organization is outside the scope of the management system (3.41), although the outsourced function or process is within the scope.
3.52
performance
measurable result
NOTE 1: Performance can relate either to quantitative or qualitative findings.
NOTE 2: Performance can relate to the management of activities, processes (3.54), products (including services), systems or organizations (3.50).
3.53
policy
intentions and direction of an organization (3.50) as formally expressed by its top management (3.75)
3.54
process
set of interrelated or interacting activities which transforms inputs into outputs
3.55
reliability
property of consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
NOTE 1: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
NOTE 2: A specified requirement is one that is stated, for example in documented information.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
NOTE 1: Residual risk can contain unidentified risk.
NOTE 2: Residual risk can also be referred to as "retained risk".
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified – the Note has been deleted.]
3.59
review object
specific item being reviewed
3.60
review objective
statement describing what is to be achieved as a result of a review (3.59)
3.61
risk
effect of uncertainty on objectives (3.49)
NOTE 1: An effect is a deviation from the expected – positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73:2009, 3.5.1.3) and "consequences" (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
NOTE 5: In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
NOTE 6: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
3.62
risk acceptance
informed decision to take a particular risk (3.61)
NOTE 1: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk treatment.
NOTE 2: Accepted risks are subject to monitoring (3.46) and review (3.58).
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3.63
risk analysis
process (3.54) to comprehend the nature of risk (3.61) and to determine the level of risk (3.39)
NOTE 1: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).
NOTE 2: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3.64
risk assessment
overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.65
risk communication and consultation
set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61)
NOTE 1: The information can relate to the existence, nature, form, likelihood (3.40), significance, evaluation, acceptability and treatment of risk.
NOTE 2: Consultation is a two-way process of informed communication between an organization (3.50) and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
‒ a process which impacts on a decision through influence rather than power; and
‒ an input to decision making, not joint decision making.
3.66
risk criteria
terms of reference against which the significance of risk (3.61) is evaluated
NOTE 1: Risk criteria are based on organizational objectives, and on the external context (3.22) and internal context (3.38).
NOTE 2: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
3.67
risk evaluation
process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine whether the risk (3.61) and/or its magnitude is acceptable or tolerable
NOTE: Risk evaluation assists in the decision about risk treatment (3.72).
[SOURCE: ISO Guide 73:2009, 3.7.1]
3.68
risk identification
process (3.54) of finding, recognizing and describing risks (3.61)
NOTE 1: Risk identification involves the identification of risk sources, events (3.21), their causes and their potential consequences (3.12).
NOTE 2: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' (3.37) needs.
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.69
risk management
coordinated activities to direct and control an organization (3.50) with regard to risk (3.61)
[SOURCE: ISO Guide 73:2009, 2.1]
3.70
risk management process
systematic application of management policies (3.53), procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.61)
NOTE: ISO/IEC 27005 uses the term "process" (3.54) to describe risk management overall. The elements within the risk management (3.69) process are referred to as "activities".
[SOURCE: ISO Guide 73:2009, 3.1, modified – the Note has been added.]
3.71
risk owner
person or entity with the accountability and authority to manage a risk (3.61)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.72
risk treatment
process (3.54) to modify risk (3.61)
NOTE 1: Risk treatment can involve:
‒ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
‒ taking or increasing risk in order to pursue an opportunity;
‒ removing the risk source;
‒ changing the likelihood (3.40);
‒ changing the consequences (3.12);
‒ sharing the risk with another party or parties (including contracts and risk financing);
‒ retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified – "decision" has been replaced with "choice" in Note 1.]
3.73
security implementation standard
document specifying authorized ways for realizing security
3.74
threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.75
top management
person or group of people who directs and controls an organization (3.50) at the highest level
NOTE 1: Top management has the power to delegate authority and provide resources within the organization.
NOTE 2: If the scope of the management system (3.41) covers only part of an organization, then top management refers to those who direct and control that part of the organization.
NOTE 3: Top management is sometimes called executive management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers and similar roles.
3.76
trusted information communication entity
independent organization (3.50) supporting information exchange within an information sharing community (3.34)
3.77
vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations of all types and sizes:
a) collect, process, store and transmit information;
b) recognize that information, and the related processes, systems, networks and people, are important assets for achieving the organization's objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, natural events (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is based on information being considered as an asset which has a value requiring appropriate protection, for example against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to authorized users is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining and improving information security is essential to enable an organization to achieve its objectives effectively and to maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.
As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
4.2 What is an information security management system?
4.2.1 Overview and principles
An information security management system consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization in order to protect its information assets. An information security management system is a systematic approach for establishing, implementing, operating, monitoring,
...
The SIST EN ISO/IEC 27000:2020 standard plays a pivotal role in the realm of information security management systems (ISMS), offering a comprehensive overview and a foundational vocabulary that is essential for understanding the broader ISMS frameworks. This standard delineates the scope of information security, emphasizing the importance of establishing, implementing, maintaining, and continually improving ISMS within organizations. One of the key strengths of SIST EN ISO/IEC 27000:2020 is its clarity in defining terms and concepts related to information security management. The standard serves as a reference point for organizations aiming to implement an ISMS, ensuring all stakeholders share a common understanding of essential terminology. This shared vocabulary is crucial not only for the effective communication of ideas but also for the streamlined development and integration of ISMS across various sectors. Furthermore, the standard's relevance cannot be overstated, as information security remains a critical concern for organizations of all sizes. In an increasingly digital world, the need for robust security frameworks aligned with international best practices is paramount. By providing an overview of ISMS, SIST EN ISO/IEC 27000:2020 supports organizations in achieving compliance with more detailed standards, thus allowing them to navigate the complexities of information security governance effectively. In summary, SIST EN ISO/IEC 27000:2020 stands out for its comprehensive scope, clear definitions, and significant relevance to the field of information security management systems. It is an indispensable resource for organizations seeking to enhance their security posture and align their practices with standardized international guidelines.