ISO IEC 27005:2011 pdfダウンロード

ISO IEC 27005:2011 pdfダウンロード。Information technology — Security techniques — Information security risk management
1 Scope
This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed toassist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 andSO/IEC 27002 is important for a complete understanding of this International Standard.
This lnternational Standard is applicable to all types of organizations (e.q. commercial enterprisesgovernment agencies, non-profit organizations) which intend to manage risks that could compromise theorganization’s information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For datedreferences,only the edition cited applies. For undated references, the latest edition of the reterenceddocument (including any amendments)applies.
SO/IEC 27000Information technology – Security techniques – information security managementsystems -Overview and vocabulary
SOIEC 27001:2005,lnformation technology – Security techniques – Information security managementsystems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in lSO/IEC 27000 and the following apply
NOTEDifferences in definitions between ISOEC 27005:2008 and this nternational Standard are shown in Annex G3.1
consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2A consequence can be certain or uncertain and in the context of information security is usually negative
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4Initial consequences can escalate through knock-on effects.
3.2
control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
3.3
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an ―incident‖ or ―accident‖.
3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of, external stakeholders.
3.5
internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people,processes, systems and technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ the organization’s culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.