Information technology - Security techniques - Information security risk management

This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to
assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and
ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard is applicable to all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations) which intend to manage risks that could compromise the
organization’s information security.

Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2011 contains guidelines for information security risk management.
It supports the general concepts set out in ISO/IEC 27001 and is designed to assist the implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a full understanding of ISO/IEC 27005:2011.
ISO/IEC 27005:2011 is applicable to all types of organizations (for example commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security.

Information technology - Security techniques - Information security risk management

This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is intended to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard applies to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security.

General Information

Status
Withdrawn
Public Enquiry End Date
30-Apr-2011
Publication Date
20-Jun-2011
Withdrawal Date
03-Oct-2018
Technical Committee
Current Stage
9900 - Withdrawal (Adopted Project)
Start Date
04-Oct-2018
Due Date
27-Oct-2018
Completion Date
04-Oct-2018

Buy Standard

Standard
ISO/IEC 27005:2011 - Information technology -- Security techniques -- Information security risk management
English language
68 pages
Standard
ISO/IEC 27005:2011 - COLOUR
English language
74 pages
Standard
ISO/IEC 27005:2011 - Information technology -- Security techniques -- Information security risk management
French language
77 pages
Standard – translation
ISO/IEC 27005:2011
Slovenian language
72 pages
Draft
ISO/IEC FDIS 27005:2011
English language
74 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27005
Second edition
2011-06-01

Information technology — Security techniques — Information security risk management




Reference number ISO/IEC 27005:2011(E)
© ISO/IEC 2011

ISO/IEC 27005:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

Contents ..... Page

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Structure of this International Standard ..... 5
5 Background ..... 6
6 Overview of the information security risk management process ..... 7
7 Context establishment ..... 10
7.1 General considerations ..... 10
7.2 Basic criteria ..... 10
7.2.1 Risk management approach ..... 10
7.2.2 Risk evaluation criteria ..... 10
7.2.3 Impact criteria ..... 11
7.2.4 Risk acceptance criteria ..... 11
7.3 Scope and boundaries ..... 12
7.4 Organization for information security risk management ..... 12
8 Information security risk assessment ..... 13
8.1 General description of information security risk assessment ..... 13
8.2 Risk identification ..... 13
8.2.1 Introduction to risk identification ..... 13
8.2.2 Identification of assets ..... 14
8.2.3 Identification of threats ..... 14
8.2.4 Identification of existing controls ..... 15
8.2.5 Identification of vulnerabilities ..... 15
8.2.6 Identification of consequences ..... 16
8.3 Risk analysis ..... 17
8.3.1 Risk analysis methodologies ..... 17
8.3.2 Assessment of consequences ..... 18
8.3.3 Assessment of incident likelihood ..... 18
8.3.4 Level of risk determination ..... 19
8.4 Risk evaluation ..... 19
9 Information security risk treatment ..... 20
9.1 General description of risk treatment ..... 20
9.2 Risk modification ..... 22
9.3 Risk retention ..... 23
9.4 Risk avoidance ..... 23
9.5 Risk sharing ..... 23
10 Information security risk acceptance ..... 24
11 Information security risk communication and consultation ..... 24
12 Information security risk monitoring and review ..... 25
12.1 Monitoring and review of risk factors ..... 25
12.2 Risk management monitoring, review and improvement ..... 26
Annex A (informative) Defining the scope and boundaries of the information security risk management process ..... 28
A.1 Study of the organization ..... 28
A.2 List of the constraints affecting the organization ..... 29
A.3 List of the legislative and regulatory references applicable to the organization ..... 31
A.4 List of the constraints affecting the scope ..... 31
Annex B (informative) Identification and valuation of assets and impact assessment ..... 33
B.1 Examples of asset identification ..... 33
B.1.1 The identification of primary assets ..... 33
B.1.2 List and description of supporting assets ..... 34
B.2 Asset valuation ..... 38
B.3 Impact assessment ..... 41
Annex C (informative) Examples of typical threats ..... 42
Annex D (informative) Vulnerabilities and methods for vulnerability assessment ..... 45
D.1 Examples of vulnerabilities ..... 45
D.2 Methods for assessment of technical vulnerabilities ..... 48
Annex E (informative) Information security risk assessment approaches ..... 50
E.1 High-level information security risk assessment ..... 50
E.2 Detailed information security risk assessment ..... 51
E.2.1 Example 1: Matrix with predefined values ..... 52
E.2.2 Example 2: Ranking of threats by measures of risk ..... 54
E.2.3 Example 3: Assessing a value for the likelihood and the possible consequences of risks ..... 54
Annex F (informative) Constraints for risk modification ..... 56
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 ..... 58
Bibliography ..... 68

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27005:2008) which has been technically
revised.
Introduction
This International Standard provides guidelines for information security risk management in an organization,
supporting in particular the requirements of an information security management system (ISMS) according to
ISO/IEC 27001. However, this International Standard does not provide any specific method for information
security risk management. It is up to the organization to define their approach to risk management, depending
for example on the scope of the ISMS, context of risk management, or industry sector. A number of existing
methodologies can be used under the framework described in this International Standard to implement the
requirements of an ISMS.
This International Standard is relevant to managers and staff concerned with information security risk
management within an organization and, where appropriate, external parties supporting such activities.
INTERNATIONAL STANDARD ISO/IEC 27005:2011(E)

Information technology — Security techniques — Information
security risk management
1 Scope
This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to
assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and
ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard is applicable to all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations) which intend to manage risks that could compromise the
organization’s information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
NOTE Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.
3.1
consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
3.2
control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]

NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational
structure, which can be administrative, technical, management or legal in nature, and which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
3.3
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and
competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of, external stakeholders.
3.5
internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people,
processes, systems and technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ the organization's culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.

3.6
level of risk
magnitude of a risk (3.9), expressed in terms of the combination of consequences (3.1) and their likelihood
(3.7)
[ISO Guide 73:2009]
3.7
likelihood
chance of something happening
[ISO Guide 73:2009]
NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening,
whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using
general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of
the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term.
Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad
interpretation as the term “probability” has in many languages other than English.
3.8
residual risk
risk (3.9) remaining after risk treatment (3.17)
[ISO Guide 73:2009]
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as “retained risk”.
3.9
risk
effect of uncertainty on objectives

[ISO Guide 73:2009]

NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and
environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.3) and consequences (3.1), or a combination of
these.
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information
security event and the associated likelihood (3.7) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information
asset or group of information assets and thereby cause harm to an organization.
3.10
risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)
[ISO Guide 73:2009]
NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.
3.11
risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)
[ISO Guide 73:2009]
3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to
engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)
[ISO Guide 73:2009]
NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and
treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders
on an issue prior to making a decision or determining a direction on that issue. Consultation is:
⎯ a process which impacts on a decision through influence rather than power; and
⎯ an input to decision making, not joint decision making.
3.13
risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated
[ISO Guide 73:2009]
NOTE 1 Risk criteria are based on organizational objectives, and external and internal context.
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
3.14
risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk
and/or its magnitude is acceptable or tolerable
[ISO Guide 73:2009]
NOTE Risk evaluation assists in the decision about risk treatment.
3.15
risk identification
process of finding, recognizing and describing risks
[ISO Guide 73:2009]
NOTE 1 Risk identification involves the identification of risk sources, events, their causes and their potential
consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and
stakeholders’ needs.

3.16
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2009]
NOTE This International Standard uses the term ‘process’ to describe risk management overall. The elements within
the risk management process are termed ‘activities’.
3.17
risk treatment
process to modify risk
[ISO Guide 73:2009]
NOTE 1 Risk treatment can involve:
⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
⎯ taking or increasing risk in order to pursue an opportunity;
⎯ removing the risk source;
⎯ changing the likelihood;
⎯ changing the consequences;
⎯ sharing the risk with another party or parties (including contracts and risk financing); and
⎯ retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk
elimination”, “risk prevention” and “risk reduction”.
NOTE 3 Risk treatment can create new risks or modify existing risks.
3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
[ISO Guide 73:2009]
NOTE A decision maker can be a stakeholder.
4 Structure of this International Standard
This International Standard contains the description of the information security risk management process and
its activities.
The background information is provided in Clause 5.
A general overview of the information security risk management process is given in Clause 6.
All information security risk management activities as presented in Clause 6 are subsequently described in the
following clauses:
⎯ Context establishment in Clause 7,
⎯ Risk assessment in Clause 8,
⎯ Risk treatment in Clause 9,
⎯ Risk acceptance in Clause 10,
⎯ Risk communication in Clause 11,
⎯ Risk monitoring and review in Clause 12.
Additional information for information security risk management activities is presented in the annexes. The
context establishment is supported by Annex A (Defining the scope and boundaries of the information security
risk management process). Identification and valuation of assets and impact assessments are discussed in
Annex B. Annex C gives examples of typical threats and Annex D discusses vulnerabilities and methods for
vulnerability assessment. Examples of information security risk assessment approaches are presented in
Annex E.
Constraints for risk modification are presented in Annex F.
Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 are shown in Annex G.
All risk management activities as presented from Clause 7 to Clause 12 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be
suitable in all cases and so other ways of performing the action may be more appropriate.
Output: Identifies any information derived after performing the activity.
5 Background
A systematic approach to information security risk management is necessary to identify organizational needs
regarding information security requirements and to create an effective information security management
system (ISMS). This approach should be suitable for the organization's environment, and in particular should
be aligned with overall enterprise risk management. Security efforts should address risks in an effective and
timely manner where and when they are needed. Information security risk management should be an integral
part of all information security management activities and should be applied both to the implementation and
the ongoing operation of an ISMS.
Information security risk management should be a continual process. The process should establish the
external and internal context, assess the risks and treat the risks using a risk treatment plan to implement the
recommendations and decisions. Risk management analyses what can happen and what the possible
consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable
level.
Information security risk management should contribute to the following:
⎯ Risks being identified
⎯ Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence
⎯ The likelihood and consequences of these risks being communicated and understood
⎯ Priority order for risk treatment being established
⎯ Priority for actions to reduce risks occurring
⎯ Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
⎯ Effectiveness of risk treatment monitoring
⎯ Risks and the risk management process being monitored and reviewed regularly
⎯ Information being captured to improve the risk management approach
⎯ Managers and staff being educated about the risks and the actions taken to mitigate them
The information security risk management process can be applied to the organization as a whole, to any discrete
part of the organization (e.g. a department, a physical location, a service), to any information system, existing or
planned, or to particular aspects of control (e.g. business continuity planning).
6 Overview of the information security risk management process
A high-level view of the risk management process is specified in ISO 31000 and shown in Figure 1.



Figure 1 — The risk management process

Figure 2 shows how this International Standard applies this risk management process.
The information security risk management process consists of context establishment (Clause 7), risk
assessment (Clause 8), risk treatment (Clause 9), risk acceptance (Clause 10), risk communication and
consultation (Clause 11), and risk monitoring and review (Clause 12).

Figure 2 — Illustration of an information security risk management process
As Figure 2 illustrates, the information security risk management process can be iterative for risk assessment
and/or risk treatment activities. An iterative approach to conducting risk assessment can increase the depth and
detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing
the time and effort spent in identifying controls and ensuring that high risks are still appropriately assessed.
The context is established first. Then a risk assessment is conducted. If this provides sufficient information to
effectively determine the actions required to modify the risks to an acceptable level then the task is complete
and the risk treatment follows. If the information is insufficient, anothe
...

SLOVENIAN STANDARD
SIST ISO/IEC 27005:2011
01-September-2011
Information technology - Security techniques - Information security risk management
This Slovenian standard is identical to: ISO/IEC 27005:2011
ICS: 35.040 Character sets and information coding
SIST ISO/IEC 27005:2011 en
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

---------------------- Page: 1 ----------------------

SIST ISO/IEC 27005:2011

---------------------- Page: 2 ----------------------

SIST ISO/IEC 27005:2011

INTERNATIONAL ISO/IEC
STANDARD 27005
Second edition
2011-06-01

Information technology — Security
techniques — Information security risk
management
Technologies de l'information — Techniques de sécurité — Gestion des
risques liés à la sécurité de l'information




Reference number
ISO/IEC 27005:2011(E)
©
ISO/IEC 2011

---------------------- Page: 3 ----------------------

SIST ISO/IEC 27005:2011
ISO/IEC 27005:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

---------------------- Page: 4 ----------------------

SIST ISO/IEC 27005:2011
ISO/IEC 27005:2011(E)
Contents Page

Foreword .v
Introduction.vi
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Structure of this International Standard .5
5 Background.6
6 Overview of the information security risk management process .7
7 Context establishment.10
7.1 General considerations.10
7.2 Basic Criteria .10
7.2.1 Risk management approach .10
7.2.2 Risk evaluation criteria .10
7.2.3 Impact criteria .11
7.2.4 Risk acceptance criteria .11
7.3 Scope and boundaries.12
7.4 Organization for information security risk management .12
8 Information security risk assessment.13
8.1 General description of information security risk assessment .13
8.2 Risk identification.13
8.2.1 Introduction to risk identification .13
8.2.2 Identification of assets.14
8.2.3 Identification of threats.14
8.2.4 Identification of existing controls.15
8.2.5 Identification of vulnerabilities .15
8.2.6 Identification of consequences.16
8.3 Risk analysis.17
8.3.1 Risk analysis methodologies .17
8.3.2 Assessment of consequences.18
8.3.3 Assessment of incident likelihood .18
8.3.4 Level of risk determination.19
8.4 Risk evaluation .19
9 Information security risk treatment .20
9.1 General description of risk treatment .20
© ISO/IEC 2011 – All rights reserved iii

---------------------- Page: 5 ----------------------

SIST ISO/IEC 27005:2011
ISO/IEC 27005:2011(E)
9.2 Risk modification.22
9.3 Risk retention.23
9.4 Risk avoidance.23
9.5 Risk sharing .23
10 Information security risk acceptance .24
11 Information security risk communication and consultation .24
12 Information security risk monitoring and review .25
12.1 Monitoring and review of risk factors.25
12.2 Risk management monitoring, review and improvement.26
Annex A (informative) Defining the scope and boundaries of the information security risk
management process.28
A.1 Study of the organization.28
A.2 List of the constraints affecting the organization .29
A.3 List of the legislative and regulatory references applicable to the organization.31
A.4 List of the constraints affecting the scope .31
Annex B (informative) Identification and valuation of assets and impact assessment.33
B.1 Examples of asset identification.33
B.1.1 The identification of primary assets .33
B.1.2 List and description of supporting assets .34
B.2 Asset valuation .38
B.3 Impact assessment.41
Annex C (informative) Examples of typical threats .42
Annex D (informative) Vulnerabilities and methods for vulnerability assessment .45
D.1 Examples of vulnerabilities .45
D.2 Methods for assessment of technical vulnerabilities .48
Annex E (informative) Information security risk assessment approaches .50
E.1 High-level information security risk assessment.50
E.2 Detailed information security risk assessment.51
E.2.1 Example 1 Matrix with predefined values .52
E.2.2 Example 2 Ranking of Threats by Measures of Risk .54
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks.54
Annex F (informative) Constraints for risk modification.56
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC
27005:2011.58
Bibliography .68

iv © ISO/IEC 2011 – All rights reserved

---------------------- Page: 6 ----------------------

SIST ISO/IEC 27005:2011
ISO/IEC 27005:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27005:2008), which has been technically
revised.
Introduction
This International Standard provides guidelines for information security risk management in an organization,
supporting in particular the requirements of an information security management system (ISMS) according to
ISO/IEC 27001. However, this International Standard does not provide any specific method for information
security risk management. It is up to the organization to define its approach to risk management, depending
for example on the scope of the ISMS, the context of risk management, or the industry sector. A number of existing
methodologies can be used under the framework described in this International Standard to implement the
requirements of an ISMS.
This International Standard is relevant to managers and staff concerned with information security risk
management within an organization and, where appropriate, external parties supporting such activities.
INTERNATIONAL STANDARD ISO/IEC 27005:2011(E)

Information technology — Security techniques — Information
security risk management
1 Scope
This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to
assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and
ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard is applicable to all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations) which intend to manage risks that could compromise the
organization’s information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
NOTE Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.
3.1
consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
3.2
control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]

NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational
structure, whether administrative, technical, managerial or legal in nature, which modifies information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
3.3
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and
competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of, external stakeholders.
3.5
internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people,
processes, systems and technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ the organization's culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.

3.6
level of risk
magnitude of a risk (3.9), expressed in terms of the combination of consequences (3.1) and their likelihood
(3.7)
[ISO Guide 73:2009]
3.7
likelihood
chance of something happening
[ISO Guide 73:2009]
NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening,
whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using
general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of
the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term.
Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad
interpretation as the term “probability” has in many languages other than English.
3.8
residual risk
risk (3.9) remaining after risk treatment (3.17)
[ISO Guide 73:2009]
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as “retained risk”.
3.9
risk
effect of uncertainty on objectives

[ISO Guide 73:2009]

NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and
environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.3) and consequences (3.1), or a combination of
these.
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information
security event and the associated likelihood (3.7) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding of, or knowledge of an
event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information
asset or group of information assets and thereby cause harm to an organization.
3.10
risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)
[ISO Guide 73:2009]
NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.
3.11
risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)
[ISO Guide 73:2009]
3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to
engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)
[ISO Guide 73:2009]
NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and
treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders
on an issue prior to making a decision or determining a direction on that issue. Consultation is:
⎯ a process which impacts on a decision through influence rather than power; and
⎯ an input to decision making, not joint decision making.
3.13
risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated
[ISO Guide 73:2009]
NOTE 1 Risk criteria are based on organizational objectives, and external and internal context.
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
3.14
risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk
and/or its magnitude is acceptable or tolerable
[ISO Guide 73:2009]
NOTE Risk evaluation assists in the decision about risk treatment.
3.15
risk identification
process of finding, recognizing and describing risks
[ISO Guide 73:2009]
NOTE 1 Risk identification involves the identification of risk sources, events, their causes and their potential
consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and
stakeholders’ needs.

3.16
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2009]
NOTE This International Standard uses the term ‘process’ to describe risk management overall. The elements within
the risk management process are termed ‘activities’.
3.17
risk treatment
process to modify risk
[ISO Guide 73:2009]
NOTE 1 Risk treatment can involve:
⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
⎯ taking or increasing risk in order to pursue an opportunity;
⎯ removing the risk source;
⎯ changing the likelihood;
⎯ changing the consequences;
⎯ sharing the risk with another party or parties (including contracts and risk financing); and
⎯ retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk
elimination”, “risk prevention” and “risk reduction”.
NOTE 3 Risk treatment can create new risks or modify existing risks.
3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
[ISO Guide 73:2009]
NOTE A decision maker can be a stakeholder.
4 Structure of this International Standard
This International Standard contains the description of the information security risk management process and
its activities.
The background information is provided in Clause 5.
A general overview of the information security risk management process is given in Clause 6.
All information security risk management activities as presented in Clause 6 are subsequently described in the
following clauses:
⎯ Context establishment in Clause 7,
⎯ Risk assessment in Clause 8,
⎯ Risk treatment in Clause 9,
⎯ Risk acceptance in Clause 10,
⎯ Risk communication in Clause 11,
⎯ Risk monitoring and review in Clause 12.
Additional information for information security risk management activities is presented in the annexes. The
context establishment is supported by Annex A (Defining the scope and boundaries of the information security
risk management process). Identification and valuation of assets and impact assessments are discussed in
Annex B. Annex C gives examples of typical threats and Annex D discusses vulnerabilities and methods for
vulnerability assessment. Examples of information security risk assessment approaches are presented in
Annex E.
Constraints for risk modification are presented in Annex F.
Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 are shown in Annex G.
All risk management activities as presented from Clause 7 to Clause 12 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be
suitable in all cases and so other ways of performing the action may be more appropriate.
Output: Identifies any information derived after performing the activity.
5 Background
A systematic approach to information security risk management is necessary to identify organizational needs
regarding information security requirements and to create an effective information security management
system (ISMS). This approach should be suitable for the organization's environment, and in particular should
be aligned with overall enterprise risk management. Security efforts should address risks in an effective and
timely manner where and when they are needed. Information security risk management should be an integral
part of all information security management activities and should be applied both to the implementation and
the ongoing operation of an ISMS.
Information security risk management should be a continual process. The process should establish the
external and internal context, assess the risks and treat the risks using a risk treatment plan to implement the
recommendations and decisions. Risk management analyses what can happen and what the possible
consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable
level.
Information security risk management should contribute to the following:
⎯ Risks being identified
⎯ Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence
⎯ The likelihood and consequences of these risks being communicated and understood
⎯ A priority order for risk treatment being established
⎯ Priority being set for actions that reduce the occurrence of risks
⎯ Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
⎯ The effectiveness of risk treatment being monitored
⎯ Risks and the risk management process being monitored and reviewed regularly
⎯ Information being captured to improve the risk management approach
⎯ Managers and staff being educated about the risks and the actions taken to mitigate them
The information security risk management process can be applied to the organization as a whole, to any discrete
part of the organization (e.g. a department, a physical location, a service), to any information system, existing or
planned, or to particular aspects of control (e.g. business continuity planning).
6 Overview of the information security risk management process
A high level view of the risk management process is specified in ISO 31000 and shown in Figure 1.



Figure 1 — The risk management process

Figure 2 shows how this International Standard appl
...

NORME ISO/CEI
INTERNATIONALE 27005
Deuxième édition
2011-06-01


Technologies de l'information —
Techniques de sécurité —Gestion des
risques liés à la sécurité de l'information
Information technology — Security techniques — Information security
risk management




Numéro de référence
ISO/CEI 27005:2011(F)
©
ISO/CEI 2011

---------------------- Page: 1 ----------------------
ISO/CEI 27005:2011(F)

DOCUMENT PROTÉGÉ PAR COPYRIGHT


©  ISO/CEI 2011
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Version française parue en 2013
Publié en Suisse

ii © ISO/CEI 2011 – Tous droits réservés

---------------------- Page: 2 ----------------------
ISO/CEI 27005:2011(F)
Sommaire Page
1  Domaine d'application . 1
2  Références normatives . 1
3  Termes et définitions . 1
4  Structure de la présente Norme internationale . 6
5  Contexte . 6
6  Présentation générale du processus de gestion des risques en sécurité de l'information . 7
7  Établissement du contexte . 11
7.1  Considérations générales . 11
7.2  Critères de base . 12
7.2.1  Approche de gestion des risques . 12
7.2.2  Critères d'évaluation du risque . 12
7.2.3  Critères d'impact . 12
7.2.4  Critères d'acceptation des risques . 13
7.3  Domaine d'application et limites . 13
7.4  Organisation de la gestion des risques en sécurité de l'information . 14
8  Appréciation des risques en sécurité de l'information . 15
8.1  Description générale de l'appréciation des risques en sécurité de l'information . 15
8.2  Identification des risques . 16
8.2.1  Introduction à l'identification des risques . 16
8.2.2  Identification des actifs . 16
8.2.3  Identification des menaces . 17
8.2.4  Identification des mesures de sécurité existantes . 17
8.2.5  Identification des vulnérabilités . 18
8.2.6  Identification des conséquences . 19
8.3  Analyse des risques . 20
8.3.1  Méthodologies d'analyse des risques . 20
8.3.2  Appréciation des conséquences . 21
8.3.3  Appréciation de la vraisemblance d'un incident . 22
8.3.4  Estimation du niveau des risques . 23
8.4  Évaluation des risques . 23
9  Traitement des risques en sécurité de l'information . 24
9.1  Description générale du traitement des risques . 24
9.2  Réduction du risque . 26
9.3  Maintien des risques . 28
9.4  Refus des risques . 28
9.5  Partage des risques . 28
10  Acceptation des risques en sécurité de l'information . 28
11  Communication et concertation relatives aux risques en sécurité de l'information . 29
12  Surveillance et revue du risque en sécurité de l'information . 30
12.1  Surveillance et revue des facteurs de risque . 30
12.2  Surveillance, revue et amélioration de la gestion des risques . 31
Annexe A (informative) Définition du domaine d'application et des limites du processus de
gestion des risques en sécurité de l'information . 33
A.1  Étude de l'organisation . 33
A.2  Liste des contraintes affectant l'organisation . 34
A.3  Liste des références législatives et réglementaires applicables à l'organisation . 36
© ISO/CEI 2011 – Tous droits réservés iii

---------------------- Page: 3 ----------------------
ISO/CEI 27005:2011(F)
A.4  Liste des contraintes affectant le domaine d'application .36
Annexe B (informative) Identification et valorisation des actifs et appréciation des impacts .39
B.1  Exemples d'identification des actifs .39
B.1.1  Identification des actifs primordiaux .39
B.1.2  Liste et description des actifs en support .40
B.2  Valorisation des actifs .45
B.3  Appréciation des impacts .48
Annexe C (informative) Exemples de menaces types .50
Annexe D (informative) Vulnérabilités et méthodes d'appréciation des vulnérabilités .52
D.1  Exemples de vulnérabilités .52
D.2  Méthodes d'appréciation des vulnérabilités techniques .55
Annexe E (informative) Approches d'appréciation des risques en sécurité de l'information .57
E.1  Appréciation des risques de haut niveau en sécurité de l'information .57
E.2  Appréciation détaillée des risques en sécurité de l'information .58
E.2.1  Exemple 1 — Matrice avec valeurs prédéfinies .59
E.2.2  Exemple 2 — Classement des menaces par mesures des risques .61
E.2.3  Exemple 3 — Appréciation d'une valeur relative à la vraisemblance et aux conséquences
possibles des risques .62
Annexe F (informative) Contraintes liées à la réduction du risque .64
Annexe G (informative) Différences de définitions entre l’ISO/CEI 27005:2008 et
l’ISO/CEI 27005:2011 .66
Bibliographie .77

iv © ISO/CEI 2011 – Tous droits réservés

---------------------- Page: 4 ----------------------
ISO/CEI 27005:2011(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes nationaux de
normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est en général confiée
aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude a le droit de faire partie du
comité technique créé à cet effet. Les organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO participent également aux travaux. L'ISO collabore étroitement avec
la Commission électrotechnique internationale (CEI) en ce qui concerne la normalisation électrotechnique.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives ISO/CEI,
Partie 2.
La tâche principale des comités techniques est d'élaborer les Normes internationales. Les projets de Normes
internationales adoptés par les comités techniques sont soumis aux comités membres pour vote. Leur
publication comme Normes internationales requiert l'approbation de 75 % au moins des comités membres
votants.
L'attention est appelée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO ne saurait être tenue pour responsable de ne
pas avoir identifié de tels droits de propriété et averti de leur existence.
L'ISO/CEI 27005 a été élaborée par le comité technique ISO/CEI JTC 1, Technologies de l'information,
sous-comité SC 27, Techniques de sécurité des technologies de l'information.
Cette deuxième édition annule et remplace la première édition (ISO/CEI 27005:2008), qui a fait l'objet d'une
révision technique.
© ISO/CEI 2011 – Tous droits réservés v

---------------------- Page: 5 ----------------------
ISO/CEI 27005:2011(F)
Introduction
La présente Norme internationale contient des lignes directrices relatives à la gestion des risques en sécurité
de l'information dans une organisation, qui viennent notamment en appui des exigences d'un SMSI (système
de management de la sécurité de l'information) tel que défini dans l'ISO/CEI 27001. Cependant, la présente
Norme internationale ne fournit aucune méthodologie spécifique à la gestion des risques en sécurité de
l'information. Il est du ressort de chaque organisation de définir son approche de la gestion des risques, en
fonction, par exemple, du périmètre du SMSI, de ce qui existe dans l'organisation dans le domaine de la
gestion des risques, ou encore de son secteur industriel. Plusieurs méthodologies existantes peuvent être
utilisées en cohérence avec le cadre décrit dans la présente Norme internationale pour appliquer les
exigences du SMSI.
La présente Norme internationale s'adresse aux responsables et aux personnels concernés par la gestion des
risques en sécurité de l'information au sein d'une organisation et, le cas échéant, aux tiers prenant part à ces
activités.
vi © ISO/CEI 2011 – Tous droits réservés

---------------------- Page: 6 ----------------------
NORME INTERNATIONALE ISO/CEI 27005:2011(F)

Technologies de l'information — Techniques de sécurité —
Gestion des risques en sécurité de l'information
1 Domaine d'application
La présente Norme internationale contient des lignes directrices relatives à la gestion des risques en sécurité
de l'information.
La présente Norme internationale vient en appui des concepts généraux énoncés dans l'ISO/CEI 27001; elle
est conçue pour aider à la mise en place de la sécurité de l'information basée sur une approche de gestion
des risques.
Il est important de connaître les concepts, les modèles, les processus et les terminologies décrites dans
l'ISO/CEI 27001 et l'ISO/CEI 27002 afin de bien comprendre la présente Norme internationale.
La présente Norme internationale est applicable à tous types d'organisations (par exemple les entreprises
commerciales, les agences gouvernementales, les organisations à but non lucratif) qui ont l'intention de gérer
des risques susceptibles de compromettre la sécurité des informations de l'organisation.
2 Références normatives
Les documents de référence suivants sont indispensables pour l'application du présent document. Pour les
références datées, seule l'édition citée s'applique. Pour les références non datées, la dernière édition du
document de référence s'applique (y compris les éventuels amendements).
ISO/CEI 27000, Technologies de l'information — Techniques de sécurité — Systèmes de management de la
sécurité de l'information — Vue d'ensemble et vocabulaire
ISO/CEI 27001:2005, Technologies de l'information — Techniques de sécurité — Systèmes de gestion de la
sécurité de l'information — Exigences
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions donnés dans l'ISO/CEI 27000 et les suivants
s'appliquent.
NOTE Les différences de définitions entre l’ISO/CEI 27005:2008 et la présente Norme internationale sont indiquées
dans l’Annexe G.
3.1
conséquence
effet d’un événement (3.3) affectant les objectifs
[Guide ISO 73:2009]
NOTE 1 Un événement unique peut engendrer des conséquences multiples.
© ISO/CEI 2011 – Tous droits réservés 1

---------------------- Page: 7 ----------------------
ISO/CEI 27005:2011(F)
NOTE 2 Une conséquence peut être certaine ou incertaine et dans le cadre de la sécurité de l’information elle est
généralement négative.
NOTE 3 Les conséquences peuvent être exprimées de façon qualitative ou quantitative.
NOTE 4 Des conséquences initiales peuvent déclencher des réactions en chaîne.
3.2
mesure de sécurité
mesure qui modifie un risque (3.9)
[Guide ISO 73:2009]
NOTE 1 Une mesure de sécurité du risque en sécurité de l’information inclut n’importe quel processus, politique,
procédure, recommandation, dispositif pratique ou organisation, qui peut être d’ordre administratif, technique, managérial
ou juridique et qui modifie le risque en sécurité de l’information.
NOTE 2 Une mesure de sécurité du risque n’aboutit pas toujours à la modification voulue ou supposée.
NOTE 3 Une mesure de sécurité du risque est également utilisée comme synonyme de protection ou contre-mesure.
3.3
événement
occurrence ou changement d’un ensemble particulier de circonstances
[Guide ISO 73:2009]
NOTE 1 Un événement peut être unique ou se reproduire, et peut avoir plusieurs causes.
NOTE 2 Un événement peut consister en quelque chose qui ne se produit pas.
NOTE 3 Il peut parfois être fait référence à un événement en tant qu’«incident» ou «accident».
3.4
contexte externe
environnement externe dans lequel l’organisation cherche à atteindre ses objectifs
[Guide ISO 73:2009]
NOTE Le contexte externe peut inclure:
 l’environnement culturel, social, politique, légal, réglementaire, financier, technologique, économique, naturel et
concurrentiel, au niveau international, national, régional ou local;
 les facteurs et tendances ayant un impact déterminant sur les objectifs de l’organisation; et
 les relations avec les parties prenantes externes, leurs perceptions et leurs valeurs.
3.5
contexte interne
environnement interne dans lequel l’organisation cherche à atteindre ses objectifs
[Guide ISO 73:2009]
NOTE Le contexte interne peut inclure:
 la gouvernance, l’organisation, les rôles et responsabilités;
 les politiques, les objectifs et les stratégies mises en place pour atteindre ces derniers;
2 © ISO/CEI 2011 – Tous droits réservés

---------------------- Page: 8 ----------------------
ISO/CEI 27005:2011(F)
 les capacités, en termes de ressources et de connaissances (par exemple capital, temps, personnels, processus,
systèmes et technologies);
 les systèmes d’information, les flux d’information et les processus de prise de décision (à la fois formels et informels);
 les relations avec les parties prenantes internes, ainsi que leurs perceptions et leurs valeurs;
 la culture de l’organisation;
 les normes, lignes directrices et modèles adoptés par l’organisation; et
 la forme et l’étendue des relations contractuelles.
3.6
niveau de risque
importance d’un risque (3.9), exprimée en termes de combinaison des conséquences (3.1) et de leur
vraisemblance (3.7)
[Guide ISO 73:2009]
3.7
vraisemblance
possibilité que quelque chose se produise
[Guide ISO 73:2009]
NOTE 1 Dans la terminologie de la gestion des risques, le mot «vraisemblance» est utilisé pour indiquer la possibilité
que quelque chose se produise, que cette possibilité soit définie, mesurée ou déterminée de façon objective ou subjective,
qualitative ou quantitative, et qu’elle soit décrite au moyen de termes généraux ou mathématiques (telles une probabilité
ou une fréquence sur une période donnée).
NOTE 2 Le terme anglais «likelihood» (vraisemblance) n’a pas d’équivalent direct dans certaines langues et c’est
souvent l’équivalent du terme «probability» (probabilité) qui est utilisé à la place. En anglais, cependant, le terme
«probability» (probabilité) est souvent limité à son interprétation mathématique. Par conséquent, dans la terminologie de
la gestion des risques, le terme «vraisemblance» est utilisé avec l’intention qu’il fasse l’objet d’une interprétation aussi
large que celle dont bénéficie le terme «probability» (probabilité) dans de nombreuses langues autres que l’anglais.
3.8
risque résiduel
risque (3.9) subsistant après le traitement des risques (3.17)
[Guide ISO 73:2009]
NOTE 1 Un risque résiduel peut inclure des risques non identifiés.
NOTE 2 Un risque résiduel peut également être appelé «risque maintenu».
3.9
risque
effet de l’incertitude sur l’atteinte des objectifs
[Guide ISO 73:2009]
NOTE 1 Un effet est un écart, positif et/ou négatif, par rapport à un attendu, positif et/ou négatif.
NOTE 2 Les objectifs peuvent avoir différents aspects (par exemple buts financiers, de santé et de sécurité, ou
environnementaux) et peuvent concerner différents niveaux (niveau stratégique, niveau d’un projet, d’un produit, d’un
processus ou d’une organisation toute entière).
NOTE 3 Un risque est souvent caractérisé en référence à des événements (3.3) et des conséquences (3.1) potentiels
ou à une combinaison des deux.
© ISO/IEC 2011 – All rights reserved 3

ISO/IEC 27005:2011(F)
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood (3.7).
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
3.10
risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)
[ISO Guide 73:2009]
NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.
3.11
risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)
[ISO Guide 73:2009]
3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)
[ISO Guide 73:2009]
NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
– a process which impacts on a decision through influence rather than power; and
– an input to decision making, not joint decision making.
3.13
risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated
[ISO Guide 73:2009]
NOTE 1 Risk criteria are based on organizational objectives, and on the external and internal context.
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
3.14
risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk and/or its magnitude is acceptable or tolerable
[ISO Guide 73:2009]
NOTE Risk evaluation assists in the decision about risk treatment.
3.15
risk identification
process of finding, recognizing and describing risks
[ISO Guide 73:2009]
NOTE 1 Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.
3.16
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2009]
NOTE This International Standard uses the term "process" to describe risk management overall. The elements within the risk management process are referred to as "activities".
3.17
risk treatment
process to modify risk
[ISO Guide 73:2009]
NOTE 1 Risk treatment can involve:
– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
– taking or increasing risk in order to pursue an opportunity;
– removing the risk source;
– changing the likelihood;
– changing the consequences;
– sharing the risk with another party or parties (including contracts and risk financing); and
– retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3 Risk treatment can create new risks or modify existing risks.
3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
[ISO Guide 73:2009]
NOTE A decision maker can be a stakeholder.
4 Structure of this International Standard
This International Standard contains the description of the information security risk management process and its activities.
Background information is provided in Clause 5.
A general overview of the information security risk management process is given in Clause 6.
All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses:
– context establishment in Clause 7;
– risk assessment in Clause 8;
– risk treatment in Clause 9;
– risk acceptance in Clause 10;
– risk communication and consultation in Clause 11;
– risk monitoring and review in Clause 12.
Additional information on information security risk management activities is presented in the annexes. Context establishment is supported by Annex A (Defining the scope and boundaries of the information security risk management process). Identification and valuation of assets and impact assessment are discussed in Annex B (Examples of asset identification). Annex C gives examples of typical threats and Annex D discusses vulnerabilities and methods for vulnerability assessment. Examples of information security risk assessment approaches are presented in Annex E.
Constraints on risk reduction are presented in Annex F.
Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 are shown in Annex G.
All risk management activities presented in Clauses 7 to 12 are structured as follows:
Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be suitable in all cases, and other ways of performing the action may be more appropriate.
Output: Identifies any information derived after performing the activity.
5 Background
A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization's environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an ISMS.
Information security risk management should be a continual process. The process should establish the external and internal context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions. Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and within what timeframe
...

SLOVENIAN STANDARD SIST ISO/IEC 27005
September 2011

Information technology – Security techniques – Information security risk management
(Slovenian title: Informacijska tehnologija – Varnostne tehnike – Obvladovanje informacijskih varnostnih tveganj; French title: Technologies de l'information – Techniques de sécurité – Management du risque de la sécurité de l'information)

Reference number
ICS 35.040 SIST ISO/IEC 27005:2011 (sl)

Continued on pages 2 to 73

© 2015-06: Slovenian Institute for Standardization. Reproduction or copying of all or parts of this standard is not permitted.


SIST ISO/IEC 27005 : 2011
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27005 (sl), Information technology – Security techniques – Information security risk management, 2011, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27005 (en), Information technology – Security techniques – Information security risk management, 2011-06.

NATIONAL FOREWORD

The international standard ISO/IEC 27005:2011 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.

The Slovenian standard SIST ISO/IEC 27005:2011 is a translation of the international standard ISO/IEC 27005:2011. The Slovenian standard SIST ISO/IEC 27005:2011 was prepared by the technical committee SIST/TC ITC Information technology. In the event of a dispute over the wording of the Slovenian translation, the original international standard in English prevails.

The decision to issue this standard was taken by SIST/TC ITC Information technology on 2 June 2011.

RELATIONSHIP TO NATIONAL STANDARDS

With the adoption of this standard, all standards cited in the original apply for the limited purpose of referenced standards, except those already adopted into national standardization:

SIST ISO/IEC 27000:2011 Information technology – Security techniques – Information security management systems – Overview and vocabulary

SIST ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (replaced by SIST ISO/IEC 27001:2013)

BASIS FOR ISSUING THE STANDARD

– adoption of the standard ISO/IEC 27005:2011

NOTES

– The national introduction and national foreword are not part of the standard.

– Wherever the text of the standard uses the term "International Standard", in SIST ISO/IEC 27005:2011 this means "Slovenian standard".

Contents ..... Page
Foreword ..... 5
Introduction ..... 6
1 Scope ..... 7
2 Normative references ..... 7
3 Terms and definitions ..... 7
4 Structure of this International Standard ..... 11
5 Background ..... 12
6 Overview of the information security risk management process ..... 13
7 Context establishment ..... 16
7.1 General considerations ..... 16
7.2 Basic criteria ..... 16
7.2.1 Risk management approach ..... 16
7.2.2 Risk evaluation criteria ..... 16
7.2.3 Impact criteria ..... 17
7.2.4 Risk acceptance criteria ..... 17
7.3 Scope and boundaries ..... 18
7.4 Organization for information security risk management ..... 18
8 Information security risk assessment ..... 19
8.1 General description of information security risk assessment ..... 19
8.2 Risk identification ..... 20
8.2.1 Introduction to risk identification ..... 20
8.2.2 Identification of assets ..... 20
8.2.3 Identification of threats ..... 20
8.2.4 Identification of existing controls ..... 21
8.2.5 Identification of vulnerabilities ..... 22
8.2.6 Identification of consequences ..... 22
8.3 Risk analysis ..... 23
8.3.1 Risk analysis methodologies ..... 23
8.3.2 Assessment of consequences ..... 24
8.3.3 Assessment of incident likelihood ..... 25
8.3.4 Level of risk determination ..... 25
8.4 Risk evaluation ..... 26
9 Information security risk treatment ..... 27
9.1 General description of risk treatment ..... 27
9.2 Risk modification ..... 29
9.3 Risk retention ..... 30
9.4 Risk avoidance ..... 30
9.5 Risk sharing ..... 30
10 Information security risk acceptance ..... 31
11 Information security risk communication and consultation ..... 31
12 Information security risk monitoring and review ..... 32
12.1 Monitoring and review of risk factors ..... 32
12.2 Risk management monitoring, review and improvement ..... 33
Annex A (informative): Defining the scope and boundaries of the information security risk management process ..... 35
A.1 Study of the organization ..... 35
A.2 List of the constraints affecting the organization ..... 36
A.3 List of the legislative and regulatory references applicable to the organization ..... 37
A.4 List of the constraints affecting the scope ..... 38
Annex B (informative): Identification and valuation of assets and impact assessment ..... 40
B.1 Examples of asset identification ..... 40
B.1.1 Identification of primary assets ..... 40
B.1.2 List and description of supporting assets ..... 41
B.2 Asset valuation ..... 45
B.3 Impact assessment ..... 48
Annex C (informative): Examples of typical threats ..... 50
Annex D (informative): Vulnerabilities and methods for vulnerability assessment ..... 53
D.1 Examples of vulnerabilities ..... 53
D.2 Methods for assessment of technical vulnerabilities ..... 56
Annex E (informative): Information security risk assessment approaches ..... 58
E.1 High-level information security risk assessment ..... 58
E.2 Detailed information security risk assessment ..... 59
E.2.1 Example 1: Matrix with predefined values ..... 60
E.2.2 Example 2: Ranking of threats by measures of risk ..... 62
E.2.3 Example 3: Assessing a value for the likelihood and the possible consequences of risks ..... 62
Annex F (informative): Constraints for risk modification ..... 64
Annex G (informative): Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 ..... 66
Bibliography ..... 73
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27005:2008), which has been technically revised.

Introduction

This International Standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) according to ISO/IEC 27001. However, this International Standard does not provide any specific method for information security risk management. It is up to the organization to define its approach to risk management, depending for example on the scope of the ISMS, the context of risk management, or the industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.

This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.
Information technology – Security techniques – Information security risk management
1 Scope
This International Standard provides guidelines for information security risk management.

This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.

This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000 Information technology – Security techniques – Information security management systems – Overview and vocabulary

ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply:

NOTE Differences between the definitions given in ISO/IEC 27005:2008 and in this International Standard are shown in Annex G.

3.1
consequence
outcome of an event (3.3) affecting objectives

[ISO Guide 73:2009]

NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and, in the context of information security, is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.

3.2
control
measure that is modifying risk (3.9)

[ISO Guide 73:2009]
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modifies information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.

3.3
event
occurrence or change of a particular set of circumstances

[ISO Guide 73:2009]

NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an "incident" or "accident".

3.4
external context
external environment in which the organization seeks to achieve its objectives

[ISO Guide 73:2009]

NOTE External context can include:
– the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
– key drivers and trends having impact on the objectives of the organization; and
– relationships with, and perceptions and values of, external stakeholders.

3.5
internal context
internal environment in which the organization seeks to achieve its objectives

[ISO Guide 73:2009]

NOTE Internal context can include:
– governance, organizational structure, roles and accountabilities;
– policies, objectives, and the strategies that are in place to achieve them;
– the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
– information systems, information flows and decision-making processes (both formal and informal);
– relationships with, and perceptions and values of, internal stakeholders;
– the organization's culture;
– standards, guidelines and models adopted by the organization; and
– the form and extent of contractual relationships.

3.6
level of risk
magnitude of a risk (3.9), expressed in terms of the combination of consequences (3.1) and their likelihood (3.7)

[ISO Guide 73:2009]

3.7
likelihood
chance of something happening

[ISO Guide 73:2009]

NOTE 1 In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
3.8
residual risk
risk (3.9) remaining after risk treatment (3.17)

[ISO Guide 73:2009]

NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as "retained risk".

3.9
risk
effect of uncertainty on objectives

[ISO Guide 73:2009]

NOTE 1 An effect is a deviation from the expected, positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.3) and consequences (3.1), or a combination of these.
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood (3.7) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.

3.10
risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)

[ISO Guide 73:2009]

NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.

3.11
risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)

[ISO Guide 73:2009]

3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)

[ISO Guide 73:2009]

NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
– a process which impacts on a decision through influence rather than power; and
– an input to decision making, not joint decision making.

3.13
risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated

[ISO Guide 73:2009]

NOTE 1 Risk criteria are based on organizational objectives, and on the external and internal context.
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.

3.14
risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk and/or its magnitude is acceptable or tolerable

[ISO Guide 73:2009]

NOTE Risk evaluation assists in the decision about risk treatment.

3.15
risk identification
process of finding, recognizing and describing risks

[ISO Guide 73:2009]

NOTE 1 Risk identification involves the identification of risk sources, risk events, their causes and their potential consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

3.16
risk management
coordinated activities to direct and control an organization with regard to risk

[ISO Guide 73:2009]

NOTE This International Standard uses the term "process" to describe risk management overall. The elements within the risk management process are referred to as "activities".

3.17
risk treatment
process to modify risk

[ISO Guide 73:2009]

NOTE 1 Risk treatment can involve:
– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk,
– taking or increasing risk in order to pursue an opportunity,
– removing the risk source,
– changing the likelihood,
– changing the consequences,
– sharing the risk with another party or parties (including contracts and risk financing), and
– retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3 Risk treatment can create new risks or modify existing risks.

3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
[ISO Guide 73:2009]

NOTE A decision maker can be a stakeholder.

4 Structure of this International Standard

This International Standard contains the description of the information security risk management process and its activities.

Background information is provided in Clause 5.

A general overview of the information security risk management process is given in Clause 6.

All information security risk management activities as presented in Clause 6 are described in the following clauses:
– context establishment in Clause 7,
– risk assessment in Clause 8,
– risk treatment in Clause 9,
– risk acceptance in Clause 10,
– risk communication in Clause 11,
– risk monitoring and review in Clause 12.

Additional information on information security risk management activities is presented in the annexes. Context establishment is supported by Annex A (Defining the scope and boundaries of the information security risk management process). Identification and valuation of assets and impact assessment are discussed in Annex B. Annex C gives examples of typical threats and Annex D discusses vulnerabilities and methods for vulnerability assessment. Examples of information security risk assessment approaches are presented in Annex E.

Constraints for risk modification are presented in Annex F.

Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 are shown in Annex G.

All risk management activities as presented in Clauses 7 to 12 are structured as follows:

Input: Identifies any required information to perform the activity.

Action: Describes the activity.

Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be suitable in all cases, and other ways of performing the action may be more appropriate.

Output: Identifies any information derived after performing the activity.
5 Background

A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization's environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an ISMS.

Information security risk management should be a continual process. The process should establish the external and internal context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions. Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level.

Information security risk management should contribute to the following:
– Risks being identified.
– Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence.
– The likelihood and consequences of these risks being communicated and understood.
– Priority order for risk treatment being established.
– Priority for actions to reduce risks occurring being established.
– Stakeholders being involved when risk management decisions are made and kept informed of the risk management status.
– Effectiveness of risk treatment monitoring.
– Risks and the risk management process being monitored and reviewed regularly.
– Information being captured to improve the risk management approach.
– Managers and staff being educated about the risks and the actions taken to mitigate them.

The information security risk management process can be applied to the organization as a whole, any discrete part of the organization (e.g. a department, a physical location, a service), any information system, existing or planned, or particular aspects of control (e.g. business continuity planning).
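The definitions in Clause 3 (level of risk, 3.6; risk criteria, 3.13; risk evaluation, 3.14; risk treatment, 3.17; residual risk, 3.8) and the process outlined in Clause 5 can be exercised end to end on a small risk register. The following Python is an added example written for this page, not code from the standard: it scores each risk with an additive consequence/likelihood matrix of the kind Annex E.2.1 calls a "matrix with predefined values", evaluates the level against acceptance thresholds standing in for risk criteria, applies one of the treatment options listed in 3.17 NOTE 1, and reports the residual risk in treatment priority order. The five-step scales, the thresholds, the treatment deltas, the option names and the sample risks are all assumptions of the example, not values from ISO/IEC 27005.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional, Tuple

class Consequence(IntEnum):  # five-step scale, assumed for this example
    NEGLIGIBLE, MINOR, MODERATE, MAJOR, SEVERE = range(5)

class Likelihood(IntEnum):   # five-step scale, assumed for this example
    RARE, UNLIKELY, POSSIBLE, LIKELY, ALMOST_CERTAIN = range(5)

@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    consequence: Consequence
    likelihood: Likelihood

def level_of_risk(r: Risk) -> int:
    # 3.6: magnitude of a risk as a combination of consequence and likelihood.
    # Additive 0..8 scale, one possible "matrix with predefined values" (Annex E.2.1).
    return int(r.consequence) + int(r.likelihood)

# 3.13 risk criteria: thresholds the organization derives from its objectives (assumed here).
ACCEPTABLE_MAX = 3
TOLERABLE_MAX = 5

def evaluate(r: Risk) -> str:
    # 3.14: compare the analysed level of risk with the risk criteria.
    lvl = level_of_risk(r)
    if lvl <= ACCEPTABLE_MAX:
        return "acceptable"
    return "tolerable" if lvl <= TOLERABLE_MAX else "unacceptable"

@dataclass(frozen=True)
class Treatment:
    # option names (assumed) for the 3.17 NOTE 1 options modelled here:
    # "avoid", "retain", "modify" (likelihood and/or consequences), "share".
    option: str
    control: str
    likelihood_delta: int = 0
    consequence_delta: int = 0

def _clamp(v: int) -> int:
    return max(0, min(4, v))

def treat(r: Risk, t: Treatment) -> Optional[Risk]:
    # 3.17: modify the risk; the result is the residual risk (3.8). None means the
    # risk-bearing activity is avoided. Not modelled: unidentified risk that remains
    # (3.8 NOTE 1) and new risks a control introduces (3.17 NOTE 3), which is why
    # residual risk still goes through monitoring and review (Clause 12).
    if t.option == "avoid":
        return None
    if t.option == "retain":
        return r
    if t.option not in ("modify", "share"):
        raise ValueError("unknown treatment option: " + t.option)
    # Sharing (insurance, contract) changes the consequence borne by the
    # organization but not the likelihood of the event itself.
    l_delta = 0 if t.option == "share" else t.likelihood_delta
    return replace(r,
                   likelihood=Likelihood(_clamp(int(r.likelihood) + l_delta)),
                   consequence=Consequence(_clamp(int(r.consequence) + t.consequence_delta)))

def treatment_plan(register: List[Tuple[Risk, Treatment]]) -> List[dict]:
    # Clause 5: treat in priority order (highest level first) and record the evaluation
    # before and after treatment, so residual risk can be accepted (Clause 10) against
    # the same criteria that drove the treatment decision.
    rows = []
    for risk, t in sorted(register, key=lambda p: level_of_risk(p[0]), reverse=True):
        residual = treat(risk, t)
        rows.append({
            "id": risk.rid, "level": level_of_risk(risk), "evaluation": evaluate(risk),
            "option": t.option, "control": t.control,
            "residual_level": None if residual is None else level_of_risk(residual),
            "residual_evaluation": None if residual is None else evaluate(residual),
        })
    return rows

# Constructed sample register; assets, threats and ratings are illustrative only.
SAMPLE_REGISTER = [
    (Risk("R1", "customer database", "external attacker", "unpatched web application",
          Consequence.MAJOR, Likelihood.LIKELY),
     Treatment("modify", "patch SLA plus web application firewall", likelihood_delta=-2)),
    (Risk("R2", "staff laptops", "theft", "no disk encryption",
          Consequence.MODERATE, Likelihood.POSSIBLE),
     Treatment("modify", "full-disk encryption", consequence_delta=-2)),
    (Risk("R3", "brochure web site", "defacement", "weak CMS admin password",
          Consequence.MINOR, Likelihood.POSSIBLE),
     Treatment("retain", "within criteria; monitor")),
    (Risk("R4", "legacy FTP server", "credential sniffing", "cleartext protocol",
          Consequence.MAJOR, Likelihood.ALMOST_CERTAIN),
     Treatment("avoid", "decommission the service")),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
```

Running the block prints one row per risk in treatment priority order. R4 comes first because its level 7 outranks R1's level 6, and avoidance leaves no residual risk to accept; R1's residual level 4 is only tolerable, so it would still need an explicit acceptance decision under Clause 10, whereas R2 drops from tolerable to acceptable and R3 is retained unchanged. The important caveat is in `treat`: the residual number only reflects the identified risk and the control's assumed effect, so the 3.8 and 3.17 notes about unidentified and newly created risk are exactly what the monitoring and review activity of Clause 12 has to catch.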
6 Overview of the information security risk management process

A high-level view of the risk management process is specified in ISO 31000 and shown in Figure 1.

[Figure 1: the risk management process. Boxes from top to bottom: CONTEXT ESTABLISHMENT; RISK ASSESSMENT, comprising RISK IDENTIFICATION, RISK ANALYSIS and RISK EVALUATION; RISK TREATMENT. Only the box labels survived extraction.]

Figure 1
...

SLOVENSKI STANDARD oSIST ISO/IEC FDIS 27005:2011 (en), 1 April 2011
Information technology - Security techniques - Information security risk management
ICS: 35.040 (Character sets and information coding)
This Slovenian standard is identical to: ISO/IEC FDIS 27005



FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27005
Reference number ISO/IEC FDIS 27005:2011(E). © ISO/IEC 2011.
ISO/IEC JTC 1. Secretariat: ANSI. Voting begins on: 2011-02-21. Voting terminates on: 2011-04-21.
Information technology — Security techniques — Information security risk management
Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information






Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this International Standard
5 Background
6 Overview of the information security risk management process
7 Context establishment
7.1 General considerations
7.2 Basic criteria
7.2.1 Risk management approach
7.2.2 Risk evaluation criteria
7.2.3 Impact criteria
7.2.4 Risk acceptance criteria
7.3 Scope and boundaries
7.4 Organization for information security risk management
8 Information security risk assessment
8.1 General description of information security risk assessment
8.2 Risk identification
8.2.1 Introduction to risk identification
8.2.2 Identification of assets
8.2.3 Identification of threats
8.2.4 Identification of existing controls
8.2.5 Identification of vulnerabilities
8.2.6 Identification of consequences
8.3 Risk analysis
8.3.1 Risk analysis methodologies
8.3.2 Assessment of consequences
8.3.3 Assessment of incident likelihood
8.3.4 Level of risk determination
8.4 Risk evaluation
9 Information security risk treatment
9.1 General description of risk treatment
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
12.1 Monitoring and review of risk factors
12.2 Risk management monitoring, reviewing and improving
Annex A (informative) Defining the scope and boundaries of the information security risk management process
A.1 Study of the organization
A.2 List of the constraints affecting the organization
A.3 List of the legislative and regulatory references applicable to the organization
A.4 List of the constraints affecting the scope
Annex B (informative) Identification and valuation of assets and impact assessment
B.1 Examples of asset identification
B.1.1 The identification of primary assets
B.1.2 List and description of supporting assets
B.2 Asset valuation
B.3 Impact assessment
Annex C (informative) Examples of typical threats
Annex D (informative) Vulnerabilities and methods for vulnerability assessment
D.1 Examples of vulnerabilities
D.2 Methods for assessment of technical vulnerabilities
Annex E (informative) Information security risk assessment approaches
E.1 High-level information security risk assessment
E.2 Detailed information security risk assessment
E.2.1 Example 1 Matrix with predefined values
E.2.2 Example 2 Ranking of threats by measures of risk
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks
Annex F (informative) Constraints for risk modification
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011
Bibliography



Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27005:2008), which has been technically revised.



Introduction

This International Standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) according to ISO/IEC 27001. However, this International Standard does not provide any specific method for information security risk management. It is up to the organization to define its approach to risk management, depending for example on the scope of the ISMS, the context of risk management, or the industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.

This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.



Information technology — Security techniques — Information security risk management

1 Scope

This International Standard provides guidelines for information security risk management.

This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.

This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

NOTE Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.

3.1 consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.



3.2 control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.

3.3 event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.

3.4 external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of, external stakeholders.

3.5 internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ the organization's culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.



3.6 level of risk
magnitude of a risk (3.9), expressed in terms of the combination of consequences (3.1) and their likelihood (3.7)
[ISO Guide 73:2009]

3.7 likelihood
chance of something happening
[ISO Guide 73:2009]
NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

3.8 residual risk
risk (3.9) remaining after risk treatment (3.17)
[ISO Guide 73:2009]
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as “retained risk”.

3.9 risk
effect of uncertainty on objectives
[ISO Guide 73:2009]
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.3) and consequences (3.1), or a combination of these.
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood (3.7) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.

3.10 risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)
[ISO Guide 73:2009]



NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.

3.11 risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)
[ISO Guide 73:2009]

3.12 risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)
[ISO Guide 73:2009]
NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
⎯ a process which impacts on a decision through influence rather than power; and
⎯ an input to decision making, not joint decision making.

3.13 risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated
[ISO Guide 73:2009]
NOTE 1 Risk criteria are based on organizational objectives, and external and internal context.
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.

3.14 risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk and/or its magnitude is acceptable or tolerable
[ISO Guide 73:2009]
NOTE Risk evaluation assists in the decision about risk treatment.

3.15 risk identification
process of finding, recognizing and describing risks
[ISO Guide 73:2009]
NOTE 1 Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.



3.16 risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2009]
NOTE This International Standard uses the term ‘process’ to describe risk management overall. The elements within the risk management process are termed ‘activities’.

3.17 risk treatment
process to modify risk
[ISO Guide 73:2009]
NOTE 1 Risk treatment can involve:
⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
⎯ taking or increasing risk in order to pursue an opportunity;
⎯ removing the risk source;
⎯ changing the likelihood;
⎯ changing the consequences;
⎯ sharing the risk with another party or parties (including contracts and risk financing); and
⎯ retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
NOTE 3 Risk treatment can create new risks or modify existing risks.

3.18 stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
[ISO Guide 73:2009]
NOTE A decision maker can be a stakeholder.

4 Structure of this International Standard

This International Standard contains the description of the information security risk management process and its activities.

The background information is provided in Clause 5.

A general overview of the information security risk management process is given in Clause 6.

All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses:
⎯ Context establishment in Clause 7,
⎯ Risk assessment in Clause 8,
⎯ Risk treatment in Clause 9,
⎯ Risk acceptance in Clause 10,



⎯ Risk communication in Clause 11,
⎯ Risk monitoring and review in Clause 12.

Additional information for information security risk management activities is presented in the annexes. The context establishment is supported by Annex A (Defining the scope and boundaries of the information security risk management process). Identification and valuation of assets and impact assessments are discussed in Annex B. Annex C gives examples of typical threats and Annex D discusses vulnerabilities and methods for vulnerability assessment. Examples of information security risk assessment approaches are presented in Annex E. Constraints for risk modification are presented in Annex F. Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 are shown in Annex G.

All risk management activities as presented from Clause 7 to Clause 12 are structured as follows:

Input: Identifies any required information to perform the activity.
Action: Describes the activity.
Implementation guidance: Provides guidance on performing the action. Some of this guidance may not be suitable in all cases and so other ways of performing the action may be more appropriate.
Output: Identifies any information derived after performing the activity.

5 Background

A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization’s environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an ISMS.

Information security risk management should be a continual process. The process should establish the external and internal context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions. Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level.

Information security risk management should contribute to the following:
⎯ Risks being identified
⎯ Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence
⎯ The likelihood and consequences of these risks being communicated and understood
⎯ Priority order for risk treatment being established
⎯ Priority for actions to reduce risks occurring
⎯ Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
⎯ Effectiveness of risk treatment monitoring
⎯ Risks and the risk management process being monitored and reviewed regularly
⎯ Information being captured to improve the risk management approach
⎯ Managers and staff being educated about the risks and the actions taken to mitigate them

The information security risk management process can be applied to the organization as a whole, any
...
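The Clause 3 definitions and the Clause 5 contributions compose into one repeatable procedure: determine the level of risk (3.6), evaluate it against the risk acceptance criteria (3.14), establish a priority order for treatment (Clause 5), apply a treatment option (3.17) and check the residual risk (3.8) against the same criteria. The Python below is an added example written for this page; it is not part of ISO/IEC 27005, which prescribes no method or code. Everything beyond the definitions is an assumption: the 1..5 ordinal scales, the product as combination rule (Annex E shows other rules), a single numeric acceptance threshold, the tie-break in prioritize(), and the constructed sample register with its hypothetical treatment decisions.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    """Risk treatment options of 3.17 and Clause 9: modification, retention, avoidance, sharing."""
    MODIFY = "modify"
    RETAIN = "retain"
    AVOID = "avoid"
    SHARE = "share"


@dataclass(frozen=True)
class Risk:
    """One register entry: a threat exploiting a vulnerability of an asset (3.9 NOTE 6),
    with the two factors of 3.6 on an assumed 1..5 ordinal scale."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    consequence: int


def level_of_risk(likelihood: int, consequence: int) -> int:
    """3.6: magnitude of a risk as a combination of consequences and their likelihood.
    The combination rule (product of two 1..5 scales, range 1..25) is an assumption;
    the standard leaves the rule to the organization (Annex E shows alternatives)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return likelihood * consequence


def is_acceptable(risk: Risk, acceptance_threshold: int) -> bool:
    """3.14 risk evaluation: compare the analysed level with the risk acceptance criteria.
    A single numeric threshold is an assumption; real criteria can be multi-dimensional."""
    return level_of_risk(risk.likelihood, risk.consequence) <= acceptance_threshold


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Clause 5: priority order for risk treatment, highest level first. Ties go to the
    higher consequence so rare-but-severe items precede frequent-but-minor ones (assumption)."""
    return sorted(risks, reverse=True,
                  key=lambda r: (level_of_risk(r.likelihood, r.consequence), r.consequence))


def treat(risk: Risk, option: Treatment,
          likelihood_delta: int = 0, consequence_delta: int = 0) -> Optional[Risk]:
    """3.17: treatment modifies risk. Returns the residual risk (3.8), or None when the
    activity giving rise to the risk is avoided altogether."""
    if option is Treatment.AVOID:
        return None
    if option is Treatment.RETAIN:
        return risk  # informed choice: the risk is kept as analysed
    if option is Treatment.SHARE:
        # Sharing (contracts, insurance) moves part of the consequence to another party;
        # it does not change how often the event occurs.
        return replace(risk, consequence=max(1, risk.consequence - consequence_delta))
    # MODIFY: controls lower likelihood and/or consequence, never below the scale minimum.
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_delta),
                   consequence=max(1, risk.consequence - consequence_delta))


Decision = Tuple[Treatment, int, int]  # (option, likelihood_delta, consequence_delta)


def run_treatment_plan(risks: List[Risk], acceptance_threshold: int,
                       decisions: Dict[str, Decision]) -> Dict[str, dict]:
    """Evaluate each entry, apply the decided treatment in priority order and re-evaluate
    the residual. Entries still above the criteria are flagged for re-treatment or for a
    formal acceptance decision (Clause 10); undecided entries default to retention."""
    report: Dict[str, dict] = {}
    for risk in prioritize(risks):
        option, l_delta, c_delta = decisions.get(risk.risk_id, (Treatment.RETAIN, 0, 0))
        residual = treat(risk, option, l_delta, c_delta)
        report[risk.risk_id] = {
            "initial_level": level_of_risk(risk.likelihood, risk.consequence),
            "treatment": option.value,
            "residual_level": None if residual is None
            else level_of_risk(residual.likelihood, residual.consequence),
            "acceptable": residual is None or is_acceptable(residual, acceptance_threshold),
        }
    return report


def unacceptable_after_treatment(report: Dict[str, dict]) -> List[str]:
    """Ids whose residual risk still exceeds the acceptance criteria."""
    return [rid for rid, row in report.items() if not row["acceptable"]]


# Constructed sample register (not taken from the standard) and an assumed threshold of 6.
SAMPLE_RISKS = [
    Risk("R1", "customer database", "SQL injection via web front end", "unvalidated input", 4, 5),
    Risk("R2", "staff laptops", "theft", "disk not encrypted", 3, 4),
    Risk("R3", "internal wiki", "defacement", "default credentials", 2, 2),
    Risk("R4", "legacy FTP service", "credential sniffing", "cleartext protocol", 3, 3),
]
ACCEPTANCE_THRESHOLD = 6
SAMPLE_DECISIONS: Dict[str, Decision] = {
    "R1": (Treatment.MODIFY, 3, 0),  # parameterised queries: likelihood 4 -> 1
    "R2": (Treatment.SHARE, 0, 1),   # insurance shifts only part of the consequence: 4 -> 3
    "R3": (Treatment.RETAIN, 0, 0),  # already within the criteria
    "R4": (Treatment.AVOID, 0, 0),   # decommission the service
}

if __name__ == "__main__":
    plan = run_treatment_plan(SAMPLE_RISKS, ACCEPTANCE_THRESHOLD, SAMPLE_DECISIONS)
    for rid, row in plan.items():
        print(rid, row)
    print("still unacceptable:", unacceptable_after_treatment(plan))
```

The report makes the Clause 5 item "effectiveness of risk treatment monitoring" concrete: sharing R2 leaves a residual level of 9, above the threshold of 6, so that entry is returned as still unacceptable and must be re-treated or formally accepted under Clause 10 rather than closed because a treatment was applied. Note also that the register records the threat and vulnerability separately from likelihood and consequence, matching 3.9 NOTE 6, so a control that removes the vulnerability (R4) is modelled as avoidance rather than as a likelihood of zero, which the 1..5 scale cannot express.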
