ISO_IEC_27000-2018.pdf

INTERNATIONALISO/IECSTANDARD27000Fifth edition2018-02Information technology-Securitytechniques-Information securitymanagement systems-Overview andvocabularyTechnologies de linformation-Techniques de securite-Systemesde management de la securite de linformation-Vue densemble etvocabulaireReference numberIEC1S0/1EC27000:2018(E)IS0/1EC20181S0/1EC27000:2018(E)COPYRIGHT PROTECTED DOCUMENTIS0/1EC2018All rights reserved.Unless otherwise specified,or required in the context of its implementation,no part of this publication maybe reproduced or utilized otherwise in any form or by any means,electronic or mechanical,including photocopying,or postingon the internet or an intranet,without prior written permission.Permission can be requested from either ISO at the addressbelow or ISOs member body in the country of the requester.ISO copyright officeCP 401.Ch.de Blandonnet 8CH-1214 Vernier,Geneva,SwitzerlandTel.+41227490111Fax+41227490947copyrightiso.orgwww.Iso.orgPublished in SwitzerlandISO/IEC 2018-All rights reserved0ACKY.MAIS0/1EC27000:2018(E)ContentsPageForeword.ivIntroductionScope12Normative references13Terms and definitionsInformation security management systems114.1General.114.2What is an ISMS?114.2.1Overview and principles114.2.2Information.124.2.3Information security124.2.4Management.124.2.5Management system134.3Process approach.134.4Why an ISMS is important.134.5Establishing,monitoring,maintaining and improving an ISMS144.5.1Overview.144.5.2Identifying information security requirements144.5.3Assessing information security risks154.5.4Treating information security risks.154.5.5Selecting and implementing controls154.5.6Monitor,maintain and improve the effectiveness of the ISMS164.5.7Continual improvement.164.6ISMS critical success factors174.7Benefits of the ISMS family of standards17ISMS family of standards185.1General information.185.2Standard describing an overview and terminology:ISO/IEC 27000(this document).195.3Standards specifying requirements.195.3.1ISO/IEC 27001195.3.2ISO/IEC 27006205.3.31S0/IEC27009205.4Standards describing general guidelines205.4.1ISO/IEC 27002205.4.2ISO/IEC 27003205.4.3ISO/IEC 27004215.4.4IS0/1EC27005215.4.5IS0/1EC27007215.4.6ISO/IEC TR 27008215.4.7ISO/IEC 27013.225.4.8ISO/IEC 270145.4.9ISO/IEC TR 27016225.4.10ISO/IEC 27021225.5Standards describing sector-specific guidelines235.5.1ISO/IEC 2701035.5.2ISO/IEC 27011235.5.3ISO/IEC 270175.5.4IS0/1EC27018245.5.5ISO/IEC 2701925.5.61S02779925Bibliography265e”50-rvdiAOEY MAIS0/1EC27000:2018(E)Introduction0.1 OverviewInternational Standards for management systems provide a model to follow in setting up andoperating a management system.This model incorporates the features on which experts in the fieldhave reached a consensus as being the international state of the art.ISO/IEC JTC 1/SC 27 maintains anexpert committee dedicated to the development of international management systems standards forinformation security,otherwise known as the Information Security Management system(ISMS)familyof standards.Through the use of the ISMS family of standards,organizations can develop and implement a frameworkfor managing the security of their information assets,including financial information,intellectualproperty,and employee details,or information entrusted to them by customers or third parties.Thesestandards can also be used to prepare for an independent assessment of their ISMS applied to theprotection of information.0.2 Purpose of this documentThe ISMS family of standards includes standards that:a)define requirements for an ISMS and for those certifying such systems;b)provide direct support,detailed guidance and/or interpretation for the overall process to establish,implement,maintain,and improve an ISMS;c)address sector-specific guidelines for ISMS;andd)address conformity assessment for ISMS.0.3 Content of this documentIn this document,the following verbal forms are used:shallindicates a requirement;shouldindicates a recommendation;-mayindicates a permission;-canindicates a possibility or a capability.Information marked as NOTEis for guidance in understanding or clarifying the associatedrequirement.Notes to entryused in Clause 3 provide additional information that supplements theterminological data and can contain provisions relating to the use of a term.ghts rserved0CKEY.MA