Information technology -- Security techniques -- Information security risk management

This document provides guidelines for information security risk management.
This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.

Information technology -- Security techniques -- Information security risk management (French-language abstract, translated)

This document provides guidelines for information security risk management.
This document supports the general concepts set out in ISO/IEC 27001; it is designed to assist the implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a full understanding of this document.
This document is applicable to all types of organizations (for example commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security.

Information technology -- Security techniques -- Information security risk management (Slovenian-language abstract, translated)

This document provides guidelines for information security risk management.
This document supports the general concepts specified in ISO/IEC 27001 and is intended to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document applies to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security.

General Information

Status: Published
Publication Date: 27-Nov-2018
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 04-Oct-2018
Due Date: 09-Dec-2018
Completion Date: 28-Nov-2018

Buy Standard

Standard: ISO/IEC 27005:2018 - Information technology — Security techniques — Information security risk management. Released: 7/9/2018. English language, 56 pages.
Standard: REDLINE ISO/IEC 27005:2018 - Information technology — Security techniques — Information security risk management. Released: 7/9/2018. English language, 56 pages.
Standard: ISO/IEC 27005:2019 - BARVE. English language, 59 pages.
Standard: ISO/IEC 27005:2018 - Information technology -- Security techniques -- Information security risk management. English language, 56 pages.
Standard: REDLINE ISO/IEC 27005:2018 - Information technology -- Security techniques -- Information security risk management. English language, 56 pages.
Standard: ISO/IEC 27005:2018 - Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information. Released: 7/9/2018. French language, 57 pages.
Standard: ISO/IEC 27005:2018 - Technologies de l'information -- Techniques de sécurité -- Gestion des risques liés à la sécurité de l'information. French language, 57 pages.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 27005
Third edition
2018-07
Information technology — Security techniques — Information security risk management
Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information
Reference number
© ISO/IEC 2018

© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

Contents ... Page
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Structure of this document ... 1
5 Background ... 2
6 Overview of the information security risk management process ... 3
7 Context establishment ... 5
7.1 General considerations ... 5
7.2 Basic criteria ... 6
7.2.1 Risk management approach ... 6
7.2.2 Risk evaluation criteria ... 6
7.2.3 Impact criteria ... 6
7.2.4 Risk acceptance criteria ... 7
7.3 Scope and boundaries ... 7
7.4 Organization for information security risk management ... 8
8 Information security risk assessment ... 8
8.1 General description of information security risk assessment ... 8
8.2 Risk identification ... 9
8.2.1 Introduction to risk identification ... 9
8.2.2 Identification of assets ... 9
8.2.3 Identification of threats ... 10
8.2.4 Identification of existing controls ... 10
8.2.5 Identification of vulnerabilities ... 11
8.2.6 Identification of consequences ... 12
8.3 Risk analysis ... 12
8.3.1 Risk analysis methodologies ... 12
8.3.2 Assessment of consequences ... 13
8.3.3 Assessment of incident likelihood ... 14
8.3.4 Level of risk determination ... 15
8.4 Risk evaluation ... 15
9 Information security risk treatment ... 16
9.1 General description of risk treatment ... 16
9.2 Risk modification ... 18
9.3 Risk retention ... 19
9.4 Risk avoidance ... 19
9.5 Risk sharing ... 19
10 Information security risk acceptance ... 20
11 Information security risk communication and consultation ... 20
12 Information security risk monitoring and review ... 21
12.1 Monitoring and review of risk factors ... 21
12.2 Risk management monitoring, review and improvement ... 22
Annex A (informative) Defining the scope and boundaries of the information security risk management process ... 24
Annex B (informative) Identification and valuation of assets and impact assessment ... 28
Annex C (informative) Examples of typical threats ... 37
Annex D (informative) Vulnerabilities and methods for vulnerability assessment ... 41
Annex E (informative) Information security risk assessment approaches ... 45
Annex F (informative) Constraints for risk modification ... 51
Bibliography ... 53

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

This third edition cancels and replaces the second edition (ISO/IEC 27005:2011) which has been technically revised. The main changes from the previous edition are as follows:
— all direct references to the ISO/IEC 27001:2005 have been removed;
— clear information has been added that this document does not contain direct guidance on the implementation of the ISMS requirements specified in ISO/IEC 27001 (see Introduction);
— ISO/IEC 27001:2005 has been removed from Clause 2;
— ISO/IEC 27001 has been added to the Bibliography;
— Annex G and all references to it have been removed;
— editorial changes have been made accordingly.

Introduction

This document provides guidelines for information security risk management in an organization. However, this document does not provide any specific method for information security risk management. It is up to the organization to define their approach to risk management, depending for example on the scope of an information security management system (ISMS), context of risk management, or industry sector. A number of existing methodologies can be used under the framework described in this document to implement the requirements of an ISMS. This document is based on the asset, threat and vulnerability risk identification method that is no longer required by ISO/IEC 27001. There are some other approaches that can be used.

This document does not contain direct guidance on the implementation of the ISMS requirements given in ISO/IEC 27001.

This document is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.

INTERNATIONAL STANDARD ISO/IEC 27005:2018(E)
Information technology — Security techniques — Information security risk management
1 Scope
This document provides guidelines for information securit
...


INTERNATIONAL STANDARD ISO/IEC 27005
Redline version: compares Third edition to Second edition
Information technology — Security techniques — Information security risk management
Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information
Reference number: ISO/IEC 27005:redline:2018(E)
© ISO/IEC 2018

IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x — Heading numbers containing modifications are highlighted in yellow in the Table of Contents

DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes between this edition of the standard and its previous edition. It doesn't capture all single changes such as punctuation but highlights the modifications providing customers with the most valuable information. Therefore it is important to note that this Redline version is not the official ISO standard and that the users must consult with the clean version of the standard, which is the official standard, for implementation purposes.

Contents ... Page
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Structure of this [removed: International Standard] [added: document] ... 5
5 Background ... 6
6 Overview of the information security risk management process ... 7
7 Context establishment ... 11
7.1 General considerations ... 11
7.2 Basic criteria ... 11
7.2.1 Risk management approach ... 11
7.2.2 Risk evaluation criteria ... 12
7.2.3 Impact criteria ... 12
7.2.4 Risk acceptance criteria ... 12
7.3 Scope and boundaries ... 13
7.4 Organization for information security risk management ... 14
8 Information security risk assessment ... 14
8.1 General description of information security risk assessment ... 14
8.2 Risk identification ... 15
8.2.1 Introduction to risk identification ... 15
8.2.2 Identification of assets ... 15
8.2.3 Identification of threats ... 16
8.2.4 Identification of existing controls ... 16
8.2.5 Identification of vulnerabilities ... 17
8.2.6 Identification of consequences ... 18
8.3 Risk analysis ... 18
8.3.1 Risk analysis methodologies ... 18
8.3.2 Assessment of consequences ... 20
8.3.3 Assessment of incident likelihood ... 21
8.3.4 Level of risk determination ... 21
8.4 Risk evaluation ... 22
9 Information security risk treatment ... 23
9.1 General description of risk treatment ... 23
9.2 Risk modification ... 25
9.3 Risk retention ... 26
9.4 Risk avoidance ... 26
9.5 Risk sharing ... 26
10 Information security risk acceptance ... 27
11 Information security risk communication and consultation ... 27
12 Information security risk monitoring and review ... 28
12.1 Monitoring and review of risk factors ... 28
12.2 Risk management monitoring, review and improvement ... 29
Annex A (informative) Defining the scope and boundaries of the information security risk management process ... 31
Annex B (informative) Identification and valuation of assets and impact assessment ... 37
Annex C (informative) Examples of typical threats ... 53
Annex D (informative) Vulnerabilities and methods for vulnerability assessment ... 58
Annex E (informative) Information security risk assessment approaches ... 64
Annex F (informative) Constraints for risk modification ... 71
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011 ... 75
Bibliography ... 84

Foreword

Mark-up in this redline Foreword: [added: ...] marks text added in the third edition (green in the original), [removed: ...] marks text removed from the second edition (red in the original).

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

[removed: International Standards are] [added: The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was] drafted in accordance with the [removed: rules given in] [added: editorial rules of] the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

[removed: The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.]

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

[removed: ISO/IEC 27005] [added: This document] was prepared by [removed: Joint] Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

This [removed: second] [added: third] edition cancels and replaces the [removed: first] [added: second] edition (ISO/IEC 27005:[removed: 2008] [added: 2011]) which has been technically revised. The main changes from the previous edition are as follows:
— all direct references to the ISO/IEC 27001:2005 have been removed;
— clear information has been added that this document does not contain direct guidance on the implementation of the ISMS requirements specified in ISO/IEC 27001 (see Introduction);
— ISO/IEC 27001:2005 has been removed from Clause 2;
— ISO/IEC 27001 has been added to
...


SLOVENIAN STANDARD
01-January-2019
Replaces:
SIST ISO/IEC 27005:2011
Informacijska tehnologija - Varnostne tehnike - Obvladovanje informacijskih varnostnih tveganj
Information technology -- Security techniques -- Information security risk management
Technologies de l'information -- Techniques de sécurité -- Gestion des risques liés à la sécurité de l'information
This Slovenian standard is identical to: ISO/IEC 27005:2018
ICS:
03.100.70 Management systems
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

INTERNATIONAL ISO/IEC
STANDARD 27005
Third edition
2018-07
Information technology — Security
techniques — Information security
risk management
Technologies de l'information — Techniques de sécurité — Gestion
des risques liés à la sécurité de l'information
Reference number
©
ISO/IEC 2018
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this document . 1
5 Background . 2
6 Overview of the information security risk management process .3
7 Context establishment . 5
7.1 General considerations . 5
7.2 Basic criteria . 6
7.2.1 Risk management approach . 6
7.2.2 Risk evaluation criteria . 6
7.2.3 Impact criteria . 6
7.2.4 Risk acceptance criteria . 7
7.3 Scope and boundaries . 7
7.4 Organization for information security risk management . 8
8 Information security risk assessment . 8
8.1 General description of information security risk assessment . 8
8.2 Risk identification . 9
8.2.1 Introduction to risk identification . 9
8.2.2 Identification of assets . 9
8.2.3 Identification of threats .10
8.2.4 Identification of existing controls .10
8.2.5 Identification of vulnerabilities.11
8.2.6 Identification of consequences .12
8.3 Risk analysis .12
8.3.1 Risk analysis methodologies.12
8.3.2 Assessment of consequences .13
8.3.3 Assessment of incident likelihood .14
8.3.4 Level of risk determination .15
8.4 Risk evaluation .15
9 Information security risk treatment .16
9.1 General description of risk treatment .16
9.2 Risk modification .18
9.3 Risk retention .19
9.4 Risk avoidance .19
9.5 Risk sharing .19
10 Information security risk acceptance .20
11 Information security risk communication and consultation .20
12 Information security risk monitoring and review .21
12.1 Monitoring and review of risk factors .21
12.2 Risk management monitoring, review and improvement .22
Annex A (informative) Defining the scope and boundaries of the information security risk
management process .24
Annex B (informative) Identification and valuation of assets and impact assessment .28
Annex C (informative) Examples of typical threats .37
© ISO/IEC 2018 – All rights reserved iii

Annex D (informative) Vulnerabilities and methods for vulnerability assessment.41
Annex E (informative) Information security risk assessment approaches .45
Annex F (informative) Constraints for risk modification .51
Bibliography .53
iv © ISO/IEC 2018 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
This third edition cancels and replaces the second edition (ISO/IEC 27005:2011) which has been
technically revised. The main changes from the previous edition are as follows:
— all direct references to the ISO/IEC 27001:2005 have been removed;
— clear information has been added that this document does not contain direct guidance on the
implementation of the ISMS requirements specified in ISO/IEC 27001 (see Introduction);
— ISO/IEC 27001:2005 has been removed from Clause 2;
— ISO/IEC 27001 has been added to the Bibliography;
— Annex G and all references to it have been removed;
— editorial changes have been made accordingly.
© ISO/IEC 2018 – All rights reserved v

Introduction
This document provides guidelines for information security risk management in an organization.
However, this document does not provide any specific method for information security risk management.
It is up to the organization to define their approach to risk management, depending for example on
the scope of an information security management system (ISMS),
...


INTERNATIONAL ISO/IEC
STANDARD 27005
Third edition
2018-07
Information technology — Security
techniques — Information security
risk management
Technologies de l'information — Techniques de sécurité — Gestion
des risques liés à la sécurité de l'information
Reference number
©
ISO/IEC 2018
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this document . 1
5 Background . 2
6 Overview of the information security risk management process .3
7 Context establishment . 5
7.1 General considerations . 5
7.2 Basic criteria . 6
7.2.1 Risk management approach . 6
7.2.2 Risk evaluation criteria . 6
7.2.3 Impact criteria . 6
7.2.4 Risk acceptance criteria . 7
7.3 Scope and boundaries . 7
7.4 Organization for information security risk management . 8
8 Information security risk assessment . 8
8.1 General description of information security risk assessment . 8
8.2 Risk identification . 9
8.2.1 Introduction to risk identification . 9
8.2.2 Identification of assets . 9
8.2.3 Identification of threats .10
8.2.4 Identification of existing controls .10
8.2.5 Identification of vulnerabilities.11
8.2.6 Identification of consequences .12
8.3 Risk analysis .12
8.3.1 Risk analysis methodologies.12
8.3.2 Assessment of consequences .13
8.3.3 Assessment of incident likelihood .14
8.3.4 Level of risk determination .15
8.4 Risk evaluation .15
9 Information security risk treatment .16
9.1 General description of risk treatment .16
9.2 Risk modification .18
9.3 Risk retention .19
9.4 Risk avoidance .19
9.5 Risk sharing .19
10 Information security risk acceptance .20
11 Information security risk communication and consultation .20
12 Information security risk monitoring and review .21
12.1 Monitoring and review of risk factors .21
12.2 Risk management monitoring, review and improvement .22
Annex A (informative) Defining the scope and boundaries of the information security risk
management process .24
Annex B (informative) Identification and valuation of assets and impact assessment .28
Annex C (informative) Examples of typical threats .37
© ISO/IEC 2018 – All rights reserved iii

Annex D (informative) Vulnerabilities and methods for vulnerability assessment.41
Annex E (informative) Information security risk assessment approaches .45
Annex F (informative) Constraints for risk modification .51
Bibliography .53
iv © ISO/IEC 2018 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
This third edition cancels and replaces the second edition (ISO/IEC 27005:2011) which has been
technically revised. The main changes from the previous edition are as follows:
— all direct references to the ISO/IEC 27001:2005 have been removed;
— clear information has been added that this document does not contain direct guidance on the
implementation of the ISMS requirements specified in ISO/IEC 27001 (see Introduction);
— ISO/IEC 27001:2005 has been removed from Clause 2;
— ISO/IEC 27001 has been added to the Bibliography;
— Annex G and all references to it have been removed;
— editorial changes have been made accordingly.
© ISO/IEC 2018 – All rights reserved v

Introduction
This document provides guidelines for information security risk management in an organization.
However, this document does not provide any specific method for information security risk management.
It is up to the organization to define their approach to risk management, depending for example on
the scope of an information security management system (ISMS), context of risk management, or
industry sector. A number of existing methodologies can be used under the framework described in
this document to implement the requirements of an ISMS. This document is based on the asset, threat
and vulnerability risk identification method that is no longer required by ISO/IEC 27001. There are
some other approaches that can be used.
This document does not contain direct guidance on the implementation of the ISMS requirements given
in ISO/IEC 27001.
This document is relevant to managers and staff concerned with information security risk management
within an organization and, where appropriate, external parties supporting such activities.

INTERNATIONAL STANDARD ISO/IEC 27005:2018(E)
Information technology — Security techniques —
Information security risk management
1 Scope
This document provides guidelines for information securit
...


INTERNATIONAL STANDARD ISO/IEC 27005
Redline version: compares Third edition to Second edition
Information technology — Security techniques — Information security risk management
Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information
Reference number ISO/IEC 27005:redline:2018(E)
© ISO/IEC 2018
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x. — Heading numbers containing modifications are highlighted in yellow in the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this [removed: International Standard] document
5 Background
6 Overview of the information security risk management process
7 Context establishment
7.1 General considerations
7.2 Basic criteria
7.2.1 Risk management approach
7.2.2 Risk evaluation criteria
7.2.3 Impact criteria
7.2.4 Risk acceptance criteria
7.3 Scope and boundaries
7.4 Organization for information security risk management
8 Information security risk assessment
8.1 General description of information security risk assessment
8.2 Risk identification
8.2.1 Introduction to risk identification
8.2.2 Identification of assets
8.2.3 Identification of threats
8.2.4 Identification of existing controls
8.2.5 Identification of vulnerabilities
8.2.6 Identification of consequences
8.3 Risk analysis
8.3.1 Risk analysis methodologies
8.3.2 Assessment of consequences
8.3.3 Assessment of incident likelihood
8.3.4 Level of risk determination
8.4 Risk evaluation
9 Information security risk treatment
9.1 General description of risk treatment
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
12.1 Monitoring and review of risk factors
12.2 Risk management monitoring, review and improvement
Annex A (informative) Defining the scope and boundaries of the information security risk management process
Annex B (informative) Identification and valuation of assets and impact assessment
Annex C (informative) Examples of typical threats
Annex D (informative) Vulnerabilities and methods for vulnerability assessment
Annex E (informative) Information security risk assessment approaches
Annex F (informative) Constraints for risk modification
Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
[removed: International Standards are] The procedures used to develop this document and those intended for
its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different
approval criteria needed for the different types of document should be noted. This document was
drafted in accordance with the [removed: rules given in] editorial rules of the ISO/IEC Directives, Part 2
(see www.iso.org/directives).
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
[removed: ISO/IEC 27005] This document was prepared by [removed: Joint] Technical Committee ISO/IEC JTC 1,
Information technology, Subcommittee SC 27, IT Security techniques.
Any feedback or questions on this document should be directed to the user's national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
This [removed: second] third edition cancels and replaces the [removed: first] second edition
(ISO/IEC 27005:[removed: 2008] 2011) which has been technically revised. The main changes from the
previous edition are as follows:
— all direct references to the ISO/IEC 27001:2005 have been removed;
— clear information has been added that this document does not contain direct guidance on the
implementation of the ISMS requirements specified in ISO/IEC 27001 (see Introduction);
— ISO/IEC 27001:2005 has been removed from Clause 2;
— ISO/IEC 27001 has been added to
...


INTERNATIONAL STANDARD ISO/IEC 27005
Third edition
2018-07
Information technology — Security techniques — Information security risk management
Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information
Reference number
© ISO/IEC 2018
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this
publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical,
including photocopying, or posting on the internet or an intranet, without prior written permission. Permission
can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this document
5 Background
6 Overview of the information security risk management process
7 Context establishment
7.1 General considerations
7.2 Basic criteria
7.2.1 Risk management approach
7.2.2 Risk evaluation criteria
7.2.3 Impact criteria
7.2.4 Risk acceptance criteria
7.3 Scope and boundaries
7.4 Organization for information security risk management
8 Information security risk assessment
8.1 General description of information security risk assessment
8.2 Risk identification
8.2.1 Introduction to risk identification
8.2.2 Identification of assets
8.2.3 Identification of threats
8.2.4 Identification of existing controls
8.2.5 Identification of vulnerabilities
8.2.6 Identification of consequences
8.3 Risk analysis
8.3.1 Risk analysis methodologies
8.3.2 Assessment of consequences
8.3.3 Assessment of incident likelihood
8.3.4 Level of risk determination
8.4 Risk evaluation
9 Information security risk treatment
9.1 General description of risk treatment
9.2 Risk modification
9.3 Risk retention
9.4 Risk avoidance
9.5 Risk sharing
10 Information security risk acceptance
11 Information security risk communication and consultation
12 Information security risk monitoring and review
12.1 Monitoring and review of risk factors
12.2 Risk management monitoring, review and improvement
Annex A (informative) Defining the scope and boundaries of the information security risk management process
Annex B (informative) Identification and valuation of assets and impact assessment
Annex C (informative) Examples of typical threats
Annex D (informative) Vulnerabilities and methods for vulnerability assessment
Annex E (informative) Information security risk assessment approaches
Annex F (informative) Constraints for risk modification
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of intellectual property rights or similar rights. ISO and IEC shall not be held responsible for identifying
any or all such rights or for warning of their existence. Details of any intellectual property rights or
similar rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received (see www.iso.org/brevets).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/avant-propos.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Any feedback or questions on this document should be directed to the user's national standards body. A
complete listing of these bodies can be found at www.iso.org/fr/members.html.
This third edition cancels and replaces the second edition (ISO/IEC 27005:2011) which has been
technically revised.
The main changes from the previous edition are as follows:
— all direct references to ISO/IEC 27001:2005 have been removed;
— clear information has been added that this document does not contain direct guidance on the
implementation of the ISMS requirements specified in ISO/IEC 27001 (see Introduction);
— ISO/IEC 27001:2005 has been removed from Clause 2;
— ISO/IEC 27001 has been added to the Bibliography;
— Annex G and all references to it have been removed;
— editorial changes have been made accordingly.

Introduction
This document provides guidelines for information security risk management in an organization.
However, this document does not provide any specific method for information security risk management.
It is up to each organization to define its approach to risk management, depending for example on
the scope of an information security management system (ISMS), what already exists in the organization
in the area of risk management, or its industry sector. A number of existing methodologies can be used
consistently with the framework described in this document to implement the requirements of an ISMS.
This document is based on the asset, threat and vulnerability risk identification method, which is no
longer required by ISO/IEC 27001; there are other approaches that can be used.
This document does not contain direct guidance on the implementation of the ISMS requirements
specified in ISO/IEC 27001.
This document is relevant to managers and staff concerned with information security risk management
within
...


NORME ISO/IEC
INTERNATIONALE 27005
Troisième édition
2018-07
Technologies de l'information —
Techniques de sécurité — Gestion
des risques liés à la sécurité de
l'information
Information technology — Security techniques — Information
security risk management
Numéro de référence
©
ISO/IEC 2018
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO/IEC 2018
Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette
publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,
y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut
être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii © ISO/IEC 2018 – Tous droits réservés

Sommaire Page
Avant-propos .v
Introduction .vi
1 Domaine d'application . 1
2 Références normatives . 1
3 Termes et définitions . 1
4 Structure du présent document . 1
5 Contexte . 2
6 Présentation générale du processus de gestion des risques en sécurité de l'information .3
7 Établissement du contexte . 6
7.1 Considérations générales . 6
7.2 Critères de base . 6
7.2.1 Approche de gestion des risques . 6
7.2.2 Critères d'évaluation du risque . 7
7.2.3 Critères d'impact . 7
7.2.4 Critères d'acceptation des risques . 7
7.3 Domaine d'application et limites . 8
7.4 Organisation de la gestion des risques en sécurité de l'information . 9
8 Appréciation des risques en sécurité de l'information . 9
8.1 Description générale de l'appréciation des risques en sécurité de l'information . 9
8.2 Identification des risques .10
8.2.1 Introduction à l'identification des risques .10
8.2.2 Identification des actifs .10
8.2.3 Identification des menaces .11
8.2.4 Identification des mesures de sécurité existantes .11
8.2.5 Identification des vulnérabilités .12
8.2.6 Identification des conséquences .13
8.3 Analyse des risques .14
8.3.1 Méthodologies d'analyse des risques .14
8.3.2 Appréciation des conséquences .15
8.3.3 Appréciation de la vraisemblance d'un incident .16
8.3.4 Estimation du niveau des risques .16
8.4 Évaluation des risques.17
9 Traitement des risques en sécurité de l'information .17
9.1 Description générale du traitement des risques.17
9.2 Réduction du risque .19
9.3 Maintien des risques .20
9.4 Refus des risques .21
9.5 Partage des risques .21
10 Acceptation des risques en sécurité de l'information .21
11 Communication et concertation relatives aux risques en sécurité de l'information .22
12 Surveillance et réexamen des risques en sécurité de l'information .23
12.1 Surveillance et réexamen des facteurs de risque .23
12.2 Surveillance, réexamen et amélioration de la gestion des risques .24
Annexe A (informative) Définition du domaine d'application et des limites du processus de
gestion des risques en sécurité de l'information .26
Annexe B (informative) Identification et valorisation des actifs et appréciation des impacts.31
Annexe C (informative) Exemples de menaces types .40
© ISO/IEC 2018 – Tous droits réservés iii

Annexe D (informative) Vulnérabilités et méthodes d'appréciation des vulnérabilités .44
Annexe E (informative) Approches d'appréciation des risques en sécurité de l'information .49
Annexe F (informative) Contraintes liées à la réduction du risque .55
Bibliographie .57
iv © ISO/IEC 2018 – Tous droits réservés

Avant-propos
L'ISO (Organisation internationale de normalisation) et l’IEC (Commission électrotechnique
internationale) forment le système spécialisé de la normalisation mondiale. Les organismes
nationaux membres de l'ISO ou de l’IEC participent au développement de Normes internationales
par l'intermédiaire des comités techniques créés par l'organisation concernée afin de s'occuper des
domaines particuliers de l'activité technique. Les comités techniques de l'ISO et de l’IEC collaborent
dans des domaines d'intérêt commun. D'autres organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO et l’IEC, participent également aux travaux. Dans le domaine
des technologies de l'information, l'ISO et l’IEC ont créé un comité technique mixte, l'ISO/IEC JTC 1.
Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont
décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier, de prendre note des différents
critères d'approbation requis pour les différents types de documents ISO. Le présent document a été
rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2 (voir www
.iso .org/directives).
L'attention est attirée sur le fait que certains des éléments du présent document peuvent faire l'objet
de droits de propriété intellectuelle ou de droits analogues. L'ISO et l’IEC ne sauraient être tenues pour
responsables de ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails
concernant les références aux droits de propriété intellectuelle ou autres droits analogues identifiés
lors de l'élaboration du document sont indiqués dans l'Introduction et/ou dans la liste des déclarations
de brevets reçues par l'ISO (voir www .iso .org/brevets).
Les appellations commerciales éventuellement mentionnées dans le présent document sont données
pour information, par souci de commodité, à l’intention des utilisateurs et ne sauraient constituer un
engagement.
Pour une explication de la nature volontaire des normes, la signification des termes et expressions
spécifiques de l'ISO liés à l'évaluation de la conformité, ou pour toute information au sujet de l'adhésion
de l'ISO aux principes de l’Organisation mondiale du commerce (OMC) concernant les obstacles
techniques au commerce (OTC), voir www .iso .org/avant -propos.
Le présent document a été élaboré par le comité technique ISO/IEC JTC 1, Technologies de l'information,
sous-comité SC 27, Techniques de sécurité des technologies de l'information.
Il convient que l’utilisateur adresse tout retour d’information ou toute question concernant le présent
document à l’organisme national de normalisation de son pays. Une liste exhaustive desdits organismes
se trouve à l’adresse www .iso .org/fr/members .html.
Cette troisième édition annule et remplace la deuxième édition (ISO/IEC 27005:2011) qui a fait l'objet
d'une révision technique.
Les principales modifications par rapport à l’édition précédente sont les suivantes:
— toutes les références directes à l’ISO/IEC 27001:2005 ont été supprimées;
— une information claire a été ajoutée, stipulant que le présent document ne contient pas de
préconisations directes concernant la mise en œuvre des exigences du SMSI spécifiées dans l’ISO/
IEC 27001 (voir Introduction);
— l’ISO/IEC 27001:2005 a été supprimée de l’Article 2;
— l’ISO/IEC 27001 a été ajoutée à la Bibliographie;
— l’Annexe G et toutes les références à cette Annexe ont été supprimées;
— des modifications éditoriales ont été effectuées en conséquence.
© ISO/IEC 2018 – Tous droits réservés v

Introduction
Le présent document contient des lignes directrices relatives à la gestion des risques en sécurité de
l'information dans un organisme. Cependant, le présent document ne fournit aucune méthodologie
spécifique à la gestion des risques en sécurité de l'information. Il est du ressort de chaque organisme de
définir son approche de la gestion des risques, en fonction, par exemple, du périmètre d’un système de
management de la sécurité de l’information (SMSI), de ce qui existe dans l'organisme dans le domaine de
la gestion des risques, ou encore de son secteur industriel. Plusieurs méthodologies existantes peuvent
être utilisées en cohérence avec le cadre décrit dans le présent document pour appliquer les exigences
du SMSI. Le présent document est fondé sur la méthode d’identification des risques liés à des actifs, des
menaces et des vulnérabilités, qui n’est plus exigée par l’ISO/IEC 27001; il existe d’autres approches qui
peuvent être utilisées.
Le présent document ne contient pas de préconisations directes concernant la mise en œuvre des
exigences du SMSI spécifiées dans l’ISO/IEC 27001.
Le présent document s'adresse aux responsables et aux personnels concernés par la gestion des risques
en sécurité de l'information au sein d
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.