BS ISO/IEC 27005 Information technology — Security techniques — Information security risk management
1 Scope
This International Standard provides guidelines for information security risk management.
This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard.
This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
NOTE Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.
3.1
consequence
outcome of an event (3.3) affecting objectives
[ISO Guide 73:2009]
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
3.2
control
measure that is modifying risk (3.9)
[ISO Guide 73:2009]
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
3.3
event
occurrence or change of a particular set of circumstances
[ISO Guide 73:2009]
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
3.4
external context
external environment in which the organization seeks to achieve its objectives
[ISO Guide 73:2009]
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of, external stakeholders.