ISO-IEC-27005-2018.pdf

INTERNATIONALISO/IECSTANDARD27005Third edition2018-07Information technology-Securitytechniques-Information securityrisk managementTechnologies de Iinformation-Techniques de securite-Gestiondes risques lies a la securite de linformationReference numberIEC1S0/1EC27005:2018(E)1S0/1EC2018Not for Resal,07/18/2018 02-25:28 MOTIS0/IEC27005:2018E)COPYRIGHT PROTECTED DOCUMENTIS0/1EC2018All rights reserved.Unless otherwise specified,or required in the context of its implementation,no part of this publication maybe reproduced or utilized otherwise in any form or by any means,electronic or mechanical,including photocopying or postingon the internet or an intranet,without prior written permission.Permission can be requested from either ISO at the addressbelow or ISOs member body in the country of the requester.IS0 copyright officeCP 401.Ch.de Blandonnet 8CH-1214 Vernier,GenevaPhone:+41227490111Fax+41227490947Email:copyrightiso.orgWebsite:www.iso.orgPublished in SwitzerlandISO/IEC 2018-All rights reservedNot for Resale,07/18/2018 02-25:28 MDTIS0/1EC27005:2018E)ContentsPageForeword.VIntroduction1Scope12Normative references23Terms and definitions14Structure of this document1SBackground26Overview of the information security risk management process37Context establishment.57.1General considerations7.2Basic criteria.67.2.1Risk management approach67.2.2Risk evaluation criteria67.2.3Impact criteria67.2.4Risk acceptance criteria7.3Scope and boundaries.77.4Organization for information security risk managementPInformation security risk assessment.8.1General description of information security risk assessment88.2Risk identification.8.2.1Introduction to risk identification98.2.2Identification of assets_98.2.3Identification of threats108.2.4Identification of existing controls108.2.5Identification of vulnerabilities.118.2.6Identification of consequences128.3Risk analysis.128.3.1Risk analysis methodologies.128.3.2Assessment of consequences138.3.3Assessment of incident likelihood148.3.4Level of risk determination.158.4Risk evaluation.159Information security risk treatment.169.1General description of risk treatment169.2Risk modification189.3Risk retention.99.4Risk avoidance199.5Risk sharing.1910Information security risk acceptance2011Information security risk communication and consultation.2012Information security risk monitoring and review2112.1 Monitoring and review of risk factors2112.2 Risk management monitoring,review and improvement.22Annex A(informative)Defining the scope and boundaries of the information security riskmanagement process.24Annex B(informative)Identification and valuation of assets and impact assessment28Annex C(informative)Examples of typical threats.37All rights reserved进Na色Rsa鱼，071201m02Z8MDTIS0/IEC27005:2018EAnnex D(informative)Vulnerabilities and methods for vulnerability assessment.41Annex E(informative)Information security risk assessment approaches.45Annex F(informative)Constraints for risk modification.51Bibliography53a”watwwIS0/IEC 2018-All rights reservedNa包Raak,07I18201a022益28MDTIS0/1EC27005:2018E)ForewordISO(the International Organization for Standardization)and IEC(the International ElectrotechnicalCommission)form the specialized system for worldwide standardization.National bodies that aremembers of ISO or IEC participate in the development of International Standards through technicalcommittees established by the respective organization to deal with particular fields of technicalactivity.ISO and IEC technical committees collaborate in fields of mutual interest.Other internationalorganizations,governmental and non-governmental,in liaison with ISO and IEC,also take part in thework.In the field of information technology,ISO and IEC have established a joint technical committee,ISO/IEC ITC 1.The procedures used to develop this document and those intended for its further maintenance aredescribed in the ISO/IEC Directives,Part 1.In particular the different approval criteria needed forthe different types of document should be noted.This document was drafted in accordance with theeditorial rules of the ISO/IEC Directives,Part 2(see www.iso org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subjectof patent rights.ISO and IEC shall not be held responsible for identifying any or all such patentrights.Details of any patent rights identified during the development of the document will be in theIntroduction and/or on the ISO list of patent declarations received(see www.iso,org/patents).Any trade name used in this document is information given for the convenience of users and does notconstitute an endorsement.For an explanation on the voluntary nature of standards,the meaning of ISO specific terms andexpressions related to conformity assessment,as well as information about ISOs adherence to theiWorld Trade Organization(WTO)principles in the Technical Barriers to Trade(TBT)see the followingURL:www.iso.org/iso/foreword.html.This document was prepared by Technical Committee ISO/IEC JTC 1,Information technology,?Subcommittee SC 27,IT Security techniques.Any feedback or questions on this document should be directed to the users national standards body.Acomplete listing of these bodies can be found at www.iso.org/members.html.This third edition cancels and replaces the second edition(ISO/IEC 27005:2011)which has beentechnically revised.The main changes from the previous edition are as follows:-all direct references to the ISO/IEC 27001:2005 have been removed;clear information has been added that this document does not contain direct guidance on theimplementation of the ISMS requirements specified in ISO/IEC 27001(see Introduction);ISO/IEC 27001:2005 has been removed from Clause 2;ISO/IEC 27001 has been added to the Bibliography;Annex G and all references to it have been removed;editorial changes have been made accordingly.All rights reservedNot for Resal,07/18/201802-25:28 MDT