SIST ISO/IEC 27003:2011
Information technology - Security techniques - Information security management system implementation guidance
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
French and Slovenian titles (translated): Information technology - Security techniques - Guidelines for the implementation of the information security management system
This International Standard focuses on the critical aspects needed for the successful design and implementation of an information security management system (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan. This International Standard is used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities described in this International Standard are applicable to them and can be simplified. Large and complex organizations may find that a layered organizational structure or management system is needed to manage the activities in this International Standard effectively. In both cases, however, the relevant activities can be planned using this International Standard. This International Standard gives recommendations and explanations; it does not specify any requirements. It is used together with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations given in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27003
First edition 2010-02-01
Information technology — Security techniques — Information security management system implementation guidance
French title: Information technology — Security techniques — Guidelines for the implementation of the information security management system
Reference number
© ISO/IEC 2010
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved
Contents (page)
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Structure of this International Standard ... 2
4.1 General structure of clauses ... 2
4.2 General structure of a clause ... 3
4.3 Diagrams ... 3
5 Obtaining management approval for initiating an ISMS project ... 5
5.1 Overview of obtaining management approval for initiating an ISMS project ... 5
5.2 Clarify the organization's priorities to develop an ISMS ... 7
5.3 Define the preliminary ISMS scope ... 9
5.4 Create the business case and the project plan for management approval ... 11
6 Defining ISMS scope, boundaries and ISMS policy ... 12
6.1 Overview of defining ISMS scope, boundaries and ISMS policy ... 12
6.2 Define organizational scope and boundaries ... 15
6.3 Define information communication technology (ICT) scope and boundaries ... 16
6.4 Define physical scope and boundaries ... 17
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries ... 18
6.6 Develop the ISMS policy and obtain approval from management ... 19
7 Conducting information security requirements analysis ... 20
7.1 Overview of conducting information security requirements analysis ... 20
7.2 Define information security requirements for the ISMS process ... 22
7.3 Identify assets within the ISMS scope ... 23
7.4 Conduct an information security assessment ... 24
8 Conducting risk assessment and planning risk treatment ... 25
8.1 Overview of conducting risk assessment and planning risk treatment ... 25
8.2 Conduct risk assessment ... 27
8.3 Select the control objectives and controls ... 28
8.4 Obtain management authorization for implementing and operating an ISMS ... 29
9 Designing the ISMS ... 30
9.1 Overview of designing the ISMS ... 30
9.2 Design organizational information security ... 33
9.3 Design ICT and physical information security ... 38
9.4 Design ISMS specific information security ... 40
9.5 Produce the final ISMS project plan ... 44
Annex A (informative) Checklist description ... 45
Annex B (informative) Roles and responsibilities for Information Security ... 51
Annex C (informative) Information about Internal Auditing ... 55
Annex D (informative) Structure of policies ... 57
Annex E (informative) Monitoring and measuring ... 62
Bibliography ... 68
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to support the implementation of ISO/IEC 27001:2005 (the relevant parts of Clauses 4, 5 and 7) and to document:
a) the preparation for beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval;
b) the critical activities for the ISMS project; and
c) examples of how to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but covers the concepts of how to design the activities that will follow once ISMS operations begin. The result of this conceptual work is the final ISMS project implementation plan. The actual execution of the organization-specific part of an ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management methodologies (for more information please see ISO and ISO/IEC Standards addressing project management).
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)
Information technology — Security techniques — Information security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large-scale or complex organizations might find that a layered organization or management system is needed to manage the activities in this International Standard effectively. However, in both cases, the relevant activities can be planned by applying this International Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009, ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an organization. This document explains the ISMS implementation by focusing on the initiation, planning, and definition of the project. The process of planning the ISMS final implementation contains five phases and each phase is represented by a separate clause. All clauses have a similar structure, as described below. The five phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS S
...
SLOVENIAN STANDARD
1 March 2011
Information technology - Security techniques - Information security management system implementation guidance
French and Slovenian titles (translated): Information technology - Security techniques - Guidelines for the implementation of the information security management system
This Slovenian standard is identical to: ISO/IEC 27003:2010
ICS: 35.040 Character sets and information coding
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
INTERNATIONAL STANDARD ISO/IEC 27003
Official translation
Arabic title (translated): Information technology — Security techniques — Guidance on the implementation of an information technology security system (A)
Information technology — Security techniques — Information security management system implementation guidance (E)
French title (translated): Information technology — Security techniques — Guidelines for the implementation of the information security management system (F)
Printed at the ISO Central Secretariat in Geneva, Switzerland, as an official Arabic translation on behalf of 10 ISO member bodies that have certified the accuracy of the translation (see the list on page ii).
Reference number
ISO 27003/2010 (A)
Official translation
© ISO 2010
ISO/IEC 27003/2010 (A)
Arab standardization bodies that have adopted this standard:
Jordan: Jordan Standards and Metrology Organization
United Arab Emirates: Emirates Authority for Standardization and Metrology
Algeria: Algerian Institute for Standardization
Saudi Arabia: Saudi Standards and Metrology Organization
Iraq: Central Organization for Standardization and Quality Control
Kuwait: Public Authority for Industry
Sudan: Sudanese Standards and Metrology Organization
Yemen: Yemen Standardization, Metrology and Quality Control Organization
Tunisia: National Institute for Standardization and Industrial Property
Syria: Syrian Arab Organization for Standardization and Metrology
Libya: National Centre for Standardization and Standard Specifications
Egypt: Egyptian Organization for Standardization and Quality
Copyright notice
© ISO 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without written permission from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. 0041227490111
Fax 0041227490947
E-mail copyright@iso.org
Web www.iso.org
The Arabic version was published in 2016.
Published in Switzerland
ii © ISO 2010 ةظوفحم قوقحلا عيمج
(ع) ٢٠١٠/٢٧٠٠٣ يس يإ يأ/ وزيأ
ةحفصلا تايوتحملا
iv.ديھمت
v.ةمدقم
١. لاجملا ١
١. ةلمكملا عجارملا ٢
١. فيراعتلاو تاحلطصملا ٣
١ .ةيلودلا ةفصاوملا هذھ لكيھ ٤
١.ةفصاوملا هذھ دونبل ماعلا لكيھلا ١/٤
٣.ةفصاوملا دونب نم دنبل ماعلا لكيھلا ٢/٤
٤.( ةيطيطختلا) ةينايبلا تاموسرلا ٣/٤
٥. تامولعملا نيمأت ةرادإ ماظن عورشم ىف ءدبلل ةرادلإا دامتعا ىلع لوصحلا -٥
٥.ISMS ماظن عورشم ىف ءدبلل ةرادلإا دامتعا ىلع لوصحلا نع ةماع ةرظن١/٥
٩.تامولعملا نيمأت ةرادإ ماظن ءاشنلا ةأشنملا تايولوأ حاضيإ ٢/٥
١١. تامولعملا نيمأت ةرادإ ماظنل ىئدبملا لاجملا ديدحت ٣/٥
١٣. ةرادلإا ةقفاوم ىلع لوصحلل عورشملا ةطخو لامعلأا ةلاح ةسارد ءاشنإ ٤/٥
١٥. تامولعملا نيمأت ةرادإ ماظن ةسايسو دودحو لاجم فيرعت -٦
١٥.تامولعملا نيمأت ةرادإ ماظن ةسايسو ماظن دودحو لاجم فيرعت ىلع ةماع ةرظن ١/٦
١٨.ة يميظنتلا دودحلاو لاجملا ديدحت ٢/٦
١٩. (ICT) تلااصتلااو تامولعملا ايجولونكت دودحو لاجم فيرعت ٣/٦
٢٠.ةيداملا رصانعلا دودحو لاجم فيرعت ٤/٦
٢١.تامولعملا نيمأت ةرادإ ماظنل ةيلك دودحو ىلك لاجم ىلع لوصحلل دودحلا و تلااجملا لك جمد ٥/٦
٢٢. ةرادلإا دامتعا ىلع لوصحلاو تامولعملا نيمأت ةرادإ ماظن ةسايس ريوطت ٦/٦
٢١.تامولعملا نيمأت تابلطتم لليلحت ءارجإ -٧
٢١.تامولعملا نيمأت تابلطتمل ليلحت ءارجإىلع ةماع ةرظن ١/٧
٢٤. تامولعملا نيمأت ماظن ةيلمعل تامولعملا نيمأت تابلطتم فيرعت ٢/٧
٢٥.ISMS ماظن لاجم يف ةنمضتملا لوصلأا ديدحت ٣/٧
٢٦. تامولعملا نيمأتل مييقت ءارجإ ٤/٧
٢٧.اھتجلاعمل طيطختلاورطاخملا تاريدقت ءارجإ -٨
٢٧. اھتجلاعمل طيطختلاو رطاخملا تاريدقت ءارجإ ىلع ةماع ةرظن ١-٨
٢٩.رطاخملا مييقت ءارجإ ٢/٨
٣٢.طباوضلا رايتخاو طبضلا فادھأ رايتخا ٣/٨
٣٣.تامولعملا نيمأت ةرادإ ماظن ليغشتو ذيفنتل ةرادلإا ضيوفت ىلع لوصحلا ٤/٨
٣٤. تامولعملا ايجولونكت نيمأت ماظن ميمصت -٩
٣٤.تامولعملا نيمأت ةرادإ ماظن ميمصت ىلع ةماع ةرظن ١/٩
٣٤. ( ةأشنملا ىوتسم ىلع) ىميظنتلا تامولعملا نيمأت ميمصت ٢/٩
٤٢. يداملا تامولعملا نيمأتو تلااصتلااو تامولعملا ايجولونكت ميمصت ٣/٩
٤٣. تامولعملا نيمأتب صاخ تامولعم نيمأت ةرادإ ماظن ميمصت ٤/٩
٤٥. يئاھنلا تامولعملا ايجولونكت نيمأت ماظن عورشم ةطخ رادصا ٥/٩
٤٥.ققحتلا ةمئاق فصو (يتامولعم) أ قحلم
٤٨.تامولعملا نمأ تايلوؤسموراودأ (يتامولعم) ب قحلم
٥٢.ةيلخادلا ةعجارملا لوح تامولعم (يملاعإ) ج قحلم
٥٤.تاسايسلا لكيھ (يملاعإ) د قحلملا
٥٨.سايقلاو ةبقارملا (يملاعا) ـھ قحلم
iii © ISO 2010 ةظوفحم قوقحلا عيمج
( ع) ٢٠١٠/ ٢٧٠٠٣ يس يإ يأ/وزيأ
ديھمت
يف يسايقلا ديحوتلل صصختم ماظن (IEC) ةينقتورھكلا ةيلودلا ةنجللاو (ISO) سييقتلل ةيلودلا ةمظنملا لكشت
تافصاوملادادعا ةيلمع يف IEC وأISO نيتمظنملا يف ءاضعلأا ةينطولا تائيھلا كراشتو.ملاعلا ءاحنأ عيمج
نواعتتو. ينفلا طاشنلا نم ةنيعم تلااجم عم لماعتلل ةينعملا ةمظنملا اھأشنت يتلا ةينفلا ناجللا للاخ نم ةيلودلا
تامظنملا لمعلا يف كراشي امك.كرتشملا مامتھلاا تاذ تلااجملا يف IEC و ISOنم لكل ةعباتلا ةينفلا ناجللا
دقف تامولعملا ايجولونكت لاجم يف .ISO , IEC. يتمظنمب ةلصلا تاذ ،ةيموكحلاريغواھنم ةيموكحلا ةيلودلا
.ISO\IEC JTC1. ةكرتشم ةينفةنجل ءاشنإبISO , IEC يتمظنم تماق
ءزجلا ،ISO / IECنم لاك نع ةرداصلا تاھيجوتلا يف ةدراولا حئاولل اقفو ةيلودلا تافصاوملا تغيص دقو
.يناثلا
ةطساوب هانبتملا ةيلودلا تافصاوملا عيراشم .ةيلودلا تافصاوملا دادعا يھ ةكرتشملا ةينفلا ةنجلل ةيساسلأا ةمھملا
تافصاومك عيراشملا هذھ رادصا بلطتي و .تيوصتلل ةينطولا تائيھلاٮلع اھعيزوت متي ةكرتشملا ةينفلا ةنجللا
.تيوصتلا اھل قحي يتلا ةينطولا تائيھلا نم لقلأا ىلع %٧٥ ةقفاوم ةيلود
ﻝـﻣﺣﺗﺗ نـﻟ و.عارـﺗﺧﻻا ةءارـﺑ قوـﻘﺣﻟ ﺔﻌـﺿﺎﺧ ﺔـﻘﻳﺛوﻟا ﻩذـﻫ رـﺻﺎﻧﻋ ضﻌﺑﻧوـﻛﺗ نأ ﺔـﻳﻟﺎﻣﺗﺣا ﻰـﻟإ ﻩﺎـﺑﺗﻧﻻا تﻔﻟ دوﻧ و
. ﺎﻬﻌﻳﻣﺟ وأ قوﻘﺣﻟا ﻩذﻫ نﻣﺎ ﻳأ دﻳدﺣﺗ ﺔﻳﻟوؤﺳﻣ(ISO) سﻳﻳﻘﺗﻠﻟ ﺔﻳﻟودﻟا ﺔﻣظﻧﻣﻟا
ّ
،ISO\IEC JTC1 ةكرت��شملا ة��ينفلا ةط� ة�� �نجللااھداد�ساوب �عام� ٢٧٠٠٣�ت ي� �سيإ يأ/وز� ة��يأ�يلودلا ةف��صاوملا
.تامولعملا ايجولونكت نيمأت تاينقت ،SC27 ةيعرفلا ةنجللا ، تامولعملا ايجولونكت
iv © ISO 2010 ةظوفحم قوقحلا عيمج
(ع) ٢٠١٠/٢٧٠٠٣ يس يإ يأ/ وزيأ
ةمدقم
نيمأت ةرادا ماظنل ةطخ ذيفنتو ريوطتل يلمع يداشرا ليلد ريفوت وھ ةيلودلا ةفصاوملا هذھ نم ضرغلا
. ٢٧٠٠١:٢٠٠٥ يس يإ يأ/ وزيأ ةيلودلا ةيسايقلا ةفصاوملا عم قفاوتي امب هأشنملا لخاد (ISMS) تامولعملا
.عورشمك ةماع ذفني (ISMS) نيمأتلا ماظنل يقيقحلا قيبطتلا
ةيلودلا ةيسايقلا ةفصاوملا ةيلودلا ةفصاوملا قيبطتل امعد رفوتل اھميمصت مت ةفصاوملا هذھ لخاد ةفصوملا ةيلمعلا
:دنتسملاو( ٧و٥و٤ دونبلا يف ةروصحم ةقلاعلا تاذ ءازجلأا) ؛٢٧٠٠١:٢٠٠٥ يس يإ يأ/ وزيأ
عورشملل يميظنتلا لكيھلا فرعت ،ةأشنملا يف ISMS تامولعملا نيمأت ةرادا ماظن قيبطت ةطخ تايادب دادعا (أ
.ةيرادلاا تاقفاوملا ىلع لوصحلاو
.(ISMS) نيمأتلا ةرادا ماظن عورشمل ةجرحلا ةطشنلأا (ب
.٢٧٠٠١:٢٠٠٥ يس يإ يأ/ وزيأ ةيلودلا ةيسايقلا ةفصاوملا تابلطتم قيقحتل ةلثمأ (ج
ىطعي امم ، ةيلودلا ةيسايقلا ةفصاوملا هذھ مادختساب تامولعملا نيمأت ةرادلإ ةيلمع ريوطت ةأشنملا عيطتست
نيمأت دودح لخاد ةرمتسم ةروصب اھرصح متي تامولعملا لوصأ رطاخم نأ نانئمطلاا ةلصلا تاذ تاھجلا
.ةأشنملا هفرعت امك لوبقم تامولعم
لب ، ىرخلأا ISMS نيمأتلا ةرادا ماظن ةطشنأو ةيليغشتلا ةطشنلأا ةيلودلا ةيسايقلا ةفصاوملا هذھ ىطغت لا
جتني ثيح .ISMS ماظنلا تايلمع ءدب دعب جتنتس يتلا ةطشنلأا هذھ ميمصت متي اھاسأ ىلع يتلا ميھافملا يطغت
.ISMS ماظن عورشم قيبطتل ةيئاھنلا ةطخلا نم موھفملا
v © ISO 2010 ةظوفحم قوقحلا عيمج
(ع) ٢٠١٠/٢٧٠٠٣ يس يإ يأ/ وزيأ
نع يداشرا ليلد – نيمأتلا تاينقت – تامولعملا ايجولونكت
تامولعملا ايجولونكت نيمات ماظن قيبطت
1 Scope
This International Standard focuses on the vital aspects required for the successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the processes of specifying and designing the ISMS from inception through to the production of the implementation plans. It also describes the process of obtaining management approval for implementing the ISMS, establishes the project for its implementation (referred to in this standard as the ISMS project), and gives guidance on how to plan the project so that a final plan for implementing the project is obtained at the end.
This International Standard is intended to be used by organizations that implement an ISMS. It applies to organizations of all kinds (such as commercial enterprises, government bodies and non-profit organizations) and of all sizes. Every organization is unique in its complexity, and the particularity of its requirements will determine how it implements its ISMS. Hence smaller organizations will find that the activities mentioned in this standard apply to them in a simplified form, whereas large or more complex organizations may find that they need a multi-layered management structure or a separate management system to manage the activities of this International Standard effectively. In both cases, the relevant activities can be planned using this International Standard.
This International Standard gives recommendations and explanations and does not specify any requirements. It is intended to be used together with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but it is not intended to modify or reduce the requirements set out in ISO/IEC 27001:2005 or the recommendations set out in ISO/IEC 27002:2005. It is not appropriate to claim conformity with this standard.
2 Normative references
The following reference documents are indispensable for the application of this document. For dated references, the cited editions apply. For undated references, the latest edition of the referenced document (including any amendments) applies:
ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary.
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements.
3 Terms and definitions
For the purposes of this standard, the terms and definitions given in ISO/IEC 27000:2009 and ISO/IEC 27001:2005 apply, together with the following:
3.1 ISMS project
Structured activities undertaken by the organization to implement an ISMS.
4 Structure of this International Standard
4.1 General structure of the clauses of this standard
Implementing an ISMS is an important activity and is generally executed as one of the organization's projects. This document explains ISMS implementation by focusing on the initiation, planning and definition of the project. The process of planning the final implementation of the system comprises five phases, each of which is represented by a separate clause. All clauses have the same structure, as described below. The five phases are:
a) Obtaining management approval for initiating the ISMS project (Clause 5)
b) Defining the ISMS scope and policy (Clause 6)
c) Conducting the organization analysis (Clause 7)
d) Conducting risk assessment and risk treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 shows the five phases of planning the ISMS project with reference to the ISO/IEC standards and the main output documents.
Figure 1 (diagram; text recovered from the image): the five phases of planning the ISMS project, laid out along a timeline and numbered by clause: obtaining management approval for initiating the ISMS project (5); defining the ISMS scope and policy (6); conducting information security requirements analysis (7); conducting risk assessment and planning risk treatment (8); designing the ISMS (9). Output documents shown: written notice of management approval to initiate the ISMS project; ISMS scope and boundaries and ISMS policy; information security requirements, information assets and information security assessment results; risk treatment plan, Statement of Applicability including the selected control objectives and controls, and management authorization to implement the ISMS; final ISMS implementation plan.
...
SLOVENIAN STANDARD SIST ISO/IEC 27003
March 2011
Informacijska tehnologija – Varnostne tehnike – Smernice za izvedbo sistema upravljanja informacijske varnosti
Information technology – Security techniques – Information security management system implementation guidance
Technologies de l'information – Techniques de sécurité – Lignes directrices pour la mise en oeuvre du système de management de la sécurité de l'information
Reference designation: SIST ISO/IEC 27003:2011 (sl)
ICS 35.040
Continued on pages 2 to 65
© 2014-03: Slovenian Institute for Standardization. Reproduction or copying of this standard in whole or in part is not permitted.
SIST ISO/IEC 27003 : 2011
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27003 (sl), Information technology – Security techniques – Information security management system implementation guidance, 2011, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27003 (en), Information technology – Security techniques – Information security management system implementation guidance, 2010-02-01.
NATIONAL FOREWORD
The international standard ISO/IEC 27003:2010 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27003:2011 is a translation of the international standard ISO/IEC 27003:2010. The Slovenian standard SIST ISO/IEC 27003:2011 was prepared by the technical committee SIST/TC ITC Information technology. In the event of a dispute over the wording of the Slovenian translation, the original international standard in English prevails.
The decision to issue this standard was adopted by SIST/TC ITC Information technology on 25 November 2010.
RELATIONSHIP TO NATIONAL STANDARDS
SIST ISO/IEC 27000:2011 Information technology – Security techniques – Information security management systems – Overview and vocabulary
SIST ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (superseded by SIST ISO/IEC 27001:2013)
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27003:2010
NOTES
– Wherever the text of the standard uses the term "International Standard", in SIST ISO/IEC 27003:2011 this means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
Contents (page)
Foreword .... 5
Introduction .... 6
1 Scope .... 7
2 Normative references .... 7
3 Terms and definitions .... 7
4 Structure of this International Standard .... 7
4.1 General structure of clauses .... 7
4.2 General structure of a clause .... 8
4.3 Diagrams .... 9
5 Obtaining management approval for initiating an ISMS project .... 11
5.1 Overview of obtaining management approval for initiating an ISMS project .... 11
5.2 Clarify the organization's priorities to develop an ISMS .... 13
5.3 Define the preliminary ISMS scope .... 15
5.3.1 Develop the preliminary ISMS scope .... 15
5.3.2 Define roles and responsibilities for the preliminary ISMS scope .... 15
5.4 Create the business case and the project plan for management approval .... 16
6 Defining ISMS scope, boundaries and ISMS policy .... 18
6.1 Overview of defining ISMS scope, boundaries and ISMS policy .... 18
6.2 Define organizational scope and boundaries .... 20
6.3 Define information and communication technology (ICT) scope and boundaries .... 21
6.4 Define physical scope and boundaries .... 22
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries .... 22
6.6 Develop the ISMS policy and obtain approval from management .... 23
7 Conducting information security requirements analysis .... 24
7.1 Overview of conducting information security requirements analysis .... 24
7.2 Define information security requirements for the ISMS process .... 26
7.3 Identify assets within the ISMS scope .... 27
7.4 Conduct an information security assessment .... 27
8 Conducting risk assessment and planning risk treatment .... 29
8.1 Overview of conducting risk assessment and planning risk treatment .... 29
8.2 Conduct risk assessment .... 31
8.3 Select the control objectives and controls .... 32
8.4 Obtain management authorization for implementing and operating an ISMS .... 32
9 Designing the ISMS .... 33
9.1 Overview of designing the ISMS .... 33
9.2 Design organizational information security .... 36
9.2.1 Design the final organizational structure for information security .... 36
9.2.2 Design a framework for ISMS documentation .... 37
9.2.3 Design the information security policy .... 38
9.2.4 Develop information security standards and procedures .... 39
9.3 Design ICT and physical information security .... 40
9.4 Design ISMS-specific information security .... 42
9.4.1 Plan for management reviews .... 42
9.4.2 Design the information security awareness, training and education programme .... 43
9.5 Produce the final ISMS project plan .... 45
Annex A (informative): Checklist description .... 46
Annex B (informative): Roles and responsibilities for information security .... 50
Annex C (informative): Information about internal auditing .... 54
Annex D (informative): Structure of policies .... 56
Annex E (informative): Monitoring and measuring .... 60
Bibliography .... 65
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to all members for voting. Publication as an International Standard requires approval by at least 75 % of the members casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described in this International Standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (relevant parts from Clauses 4, 5 and up to and including 7) and documents:
a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational project structure and obtaining management approval,
b) the critical activities for the ISMS project, and
c) examples of how to meet the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security management and give interested parties the assurance that risks to information assets are continuously maintained within the acceptable information security bounds defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but covers the concepts of how to design the activities that will be carried out after ISMS operations begin. The concept results in the final ISMS project implementation plan. The actual execution of the organization-specific parts of the ISMS project is outside the scope of this International Standard.
The ISMS project should be carried out using standard project management methodologies (more information is given in the ISO and ISO/IEC standards on project management).
Information technology – Security techniques – Information security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for the successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception through to the implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is suitable for all types of organizations (for example enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large or complex organizations may find that a layered organization or a layered management system is needed to manage the activities in this International Standard effectively. However, in both cases the relevant activities can be planned using this International Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements. This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but it is not intended to modify and/or reduce the requirements given in ISO/IEC 27001:2005 or the recommendations given in ISO/IEC 27002:2005. Claims of conformity with this International Standard are not appropriate.
2 Normative references
The following two documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2009 Infor
...