ISO IEC 27005-2011 Information technology - Security.pdf
- Document ID: 14660648
- Uploaded: 2023-06-25
- Format: PDF
- Pages: 77
- Size: 964.28 KB
COPYRIGHT NOTICE & TERMS OF USE FOR ISO STANDARDS

This document is the copyright of the Publisher. All rights reserved. The contract allowing you to use this document contains the following terms of use which must be followed:

(a) This material is reproduced from ISO publications under International Organization for Standardization (ISO) Copyright License number SAIGLOBAL/MCEA/2008. Not for resale. No part of these ISO publications may be reproduced in any form, electronic retrieval system or otherwise, except as allowed under the copyright law in the country of use, or with the prior written consent of ISO (Case postale 56, 1211 Geneva 20, Switzerland, email: copyright@iso.org) or ISO's Members.

(b) You may reproduce in hard copy only, directly from the document provided in electronic media format, all or part of the document for internal purposes, at the Site(s) designated in your agreement, provided such copies include a copyright notice, and are dated and destroyed after use, subject to the exceptions described in Section 7.3(c) below.

(c) Where you have a tender requirement or a contract agreement in which a reproduction of an ISO document under this subscription is required as part of its documentation for external submission, the necessary pages of the ISO publication, or the entire publication, if required, may be reproduced and submitted.

(d) Under no circumstances may copies of all or part of any ISO publication, taken from the subscription service, be loaned, traded, or distributed in any way except as set forth in (b) and (c) above.

(e) Under no circumstance are you permitted to reproduce all or part of any ISO publication contained in the subscription service for external use or for use at any site or group of sites, except as set forth in (a) and (b) above.

SAI GLOBAL ILI Publishing, Index House, Ascot, Berks, SL5 7EU, UK: +44 (0)1344 636300 Fax: +44 (0)1344 291194 E-mail: Web: www.ili.co.uk

Reference number ISO/IEC 27005:2011(E)
© ISO/IEC 2011

INTERNATIONAL STANDARD ISO/IEC 27005
Second edition 2011-06-01

Information technology - Security techniques - Information security risk management
Technologies de l'information - Techniques de sécurité - Gestion des risques liés à la sécurité de l'information

Copyrighted material licensed to Dublin Institute of Technology by SAI Global (), downloaded on 31 Dec 11 by Ann McSweeney. No further reproduction or distribution is permitted. Uncontrolled when printed.

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11, Fax +41 22 749 09 47, E-mail copyright@iso.org, Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this International Standard
5 Background
6 Overview of the information security risk management process
7 Context establishment
7.1 General considerations
7.2 Basic criteria
7.2.1 Risk management approach
7.2.2 Risk evaluation criteria
7.2.3 Impact criteria
7.2.4 Risk acceptance criteria
7.3 Scope and boundaries
7.4 Organization for information security risk management
8 Information security risk assessment
8.1 General description of information security risk assessment
8.2 Risk identification
8.2.1 Introduction to risk identification
8.2.2 Identification of assets
8.2.3 Identification of threats
8.2.4 Identification of existing controls
8.2.5 Identification of vulnerabilities
8.2.6 Identification of consequences
8.3 Risk analysis
8.3.1 Risk analysis methodologies
8.3.2 Assessment of consequences
8.3.3 Assessment of incident likelihood
8.3.4 Level of risk determination
8.4 Risk evaluation
9 Information security risk treatment
9.1 General description of risk treatment
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
12.1 Monitoring and review of risk factors
12.2 Risk management monitoring, review and improvement
Annex A (informative) Defining the scope and boundaries of the information security risk management process
A.1 Study of the organization
A.2 List of the constraints affecting the organization
A.3 List of the legislative and regulatory references applicable to the organization
A.4 List of the constraints affecting the scope
Annex B (informative) Identification and valuation of assets and impact assessment
B.1 Examples of asset identification
B.1.1 The identification of primary assets
B.1.2 List and description of supporting assets
B.2 Asset valuation
B.3 Impact assessment
Annex C (informative) Examples of typical threats
Annex D (informative) Vulnerabilities and methods for vulnerability assessment
D.1 Examples of vulnerabilities
D.2 Methods for assessment of technical vulnerabilities
Annex E (informative) Information security risk assessment approaches
E.1 High-level information security risk assessment
E.2 Detailed information security risk assessment
E.2.1 Example 1: Matrix with predefined values
E.2.2 Example 2: Ranking of threats by measures of risk
E.2.3 Example 3: Assessing a value for the likelihood and the possible consequences of risks
Annex F (informative) Constraints for risk modification
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27005:2008), which has been technically revised.
- Keywords: ISO IEC 27005-2011 Information technology Security, 27005, 2011, Information technology, Security
Link: https://www.bingdoc.com/p-14660648.html