ISO/IEC 27005:2011-EN
ISO/IEC 27005:2011 (English edition)
BS ISO/IEC 27005:2011
ISO/IEC 27005:2011(E)

Contents (continued)

9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
12.1 Monitoring and review of risk factors
12.2 Risk management monitoring, review and improvement
Annex A (informative) Defining the scope and boundaries of the information security risk management process
A.1 Study of the organization
A.2 List of the constraints affecting the organization
A.3 List of the legislative and regulatory references applicable to the organization
A.4 List of the constraints affecting the scope
Annex B (informative) Identification and valuation of assets and impact assessment
B.1 Examples of asset identification
B.1.1 The identification of primary assets
B.1.2 List and description of supporting assets
B.2 Asset valuation
B.3 Impact assessment
Annex C (informative) Examples of typical threats
Annex D (informative) Vulnerabilities and methods for vulnerability assessment
D.1 Examples of vulnerabilities
D.2 Methods for assessment of technical vulnerabilities
Annex E (informative) Information security risk assessment approaches
E.1 High-level information security risk assessment
E.2 Detailed information security risk assessment
E.2.1 Example 1 Matrix with predefined values
E.2.2 Example 2 Ranking of Threats by Measures of Risk
E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks
Annex F (informative) Constraints for risk modification
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011
Bibliography

© ISO/IEC 2011 – All rights reserved

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27005:2008), which has been technically revised.

Introduction

This International Standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) according to ISO/IEC 27001. However, this International Standard does not provide any specific method for information security risk management. It is up to the organization to define its approach to risk management, depending for example on the scope of the ISMS, the context of risk management, or the industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.

This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.

INTERNATIONAL STANDARD ISO/IEC 27005:2011(E)

Information technology – Security techniques – Information security risk management

1 Scope

This International Standard provides guidelines for information security risk management.

This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.

This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary

ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

NOTE Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.

3.1
consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.

3.2
control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.

3.3
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an "incident" or "accident".

3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
- the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives of the organization; and
- relationships with, and perceptions and values of, external stakeholders.

3.5
internal context
internal environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE Internal context can include:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- information systems, information flows and decision-making processes (both formal and informal);
- relationships with, and perceptions and values of, internal stakeholders;
- the organization's culture;
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.

3.6
level of risk
magnitude of a risk (3.9), expressed in terms of the combination of consequences (3.1) and their likelihood (3.7)
[ISO Guide 73:2009]

3.7
likelihood
chance of something happening
[ISO Guide 73:2009]
NOTE 1 In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.

3.8
residual risk
risk (3.9) remaining after risk treatment (3.17)
[ISO Guide 73:2009]
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as "retained risk".

3.9
risk
effect of uncertainty on objectives
[ISO Guide 73:2009]
NOTE 1 An effect is a deviation from the expected, positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, information security, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.3) and consequences (3.1), or a combination of these.
NOTE 4 Information security risk is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood (3.7) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 6 Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.

3.10
risk analysis
process to comprehend the nature of risk and to determine the level of risk (3.6)
[ISO Guide 73:2009]
NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.

3.11
risk assessment
overall process of risk identification (3.15), risk analysis (3.10) and risk evaluation (3.14)
[ISO Guide 73:2009]

3.12
risk communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.18) regarding the management of risk (3.9)
[ISO Guide 73:2009]
NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
- a process which impacts on a decision through influence rather than power; and
- an input to decision making, not joint decision making.

3.13
risk criteria
terms of reference against which the significance of a risk (3.9) is evaluated
[ISO Guide 73:2009]
NOTE 1 Risk criteria are based on organizational objectives, and external and internal context.
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.

3.14
risk evaluation
process of comparing the results of risk analysis (3.10) with risk criteria (3.13) to determine whether the risk and/or its magnitude is acceptable or tolerable
[ISO Guide 73:2009]
NOTE Risk evaluation assists in the decision about risk treatment.

3.15
risk identification
process of finding, recognizing and describing risks
[ISO Guide 73:2009]
NOTE 1 Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

3.16
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2009]
NOTE This International Standard uses the term "process" to describe risk management overall. The elements within the risk management process are termed "activities".

3.17
risk treatment
process to modify risk
[ISO Guide 73:2009]
NOTE 1 Risk treatment can involve:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk with another party or parties (including contracts and risk financing); and
- retaining the risk by informed choice.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3 Risk treatment can create new risks or modify existing risks.

3.18
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
[ISO Guide 73:2009]
NOTE A decision maker can be a stakeholder.

4 Structure of this International Standard

This International Standard contains the description of the information security risk management process and its activities.

The background information is provided in Clause 5.

A general overview of the information security risk management process is given in Clause 6.

All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses:
- Context establishment in Clause 7
- Risk assessment in Clause 8
- Risk treatment in Clause 9