ISO/IEC 27003:2017


INTERNATIONAL STANDARD ISO/IEC 27003

Second edition
2017-03

Information technology — Security techniques — Information security management systems — Guidance

Technologies de l’information — Techniques de sécurité — Systèmes de management de la sécurité de l’information — Lignes directrices

Reference number ISO/IEC 27003:2017(E)

© ISO/IEC 2017

ISO/IEC 27003:2017(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2017, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

© ISO/IEC 2017 – All rights reserved



Contents

Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Context of the organization ..... 1
4.1 Understanding the organization and its context ..... 1
4.2 Understanding the needs and expectations of interested parties ..... 3
4.3 Determining the scope of the information security management system ..... 4
4.4 Information security management system ..... 6
5 Leadership ..... 6
5.1 Leadership and commitment ..... 6
5.2 Policy ..... 8
5.3 Organizational roles, responsibilities and authorities ..... 9
6 Planning ..... 10
6.1 Actions to address risks and opportunities ..... 10
6.1.1 General ..... 10
6.1.2 Information security risk assessment ..... 12
6.1.3 Information security risk treatment ..... 15
6.2 Information security objectives and planning to achieve them ..... 18
7 Support ..... 21
7.1 Resources ..... 21
7.2 Competence ..... 22
7.3 Awareness ..... 23
7.4 Communication ..... 24
7.5 Documented information ..... 25
7.5.1 General ..... 25
7.5.2 Creating and updating ..... 27
7.5.3 Control of documented information ..... 28
8 Operation ..... 29
8.1 Operational planning and control ..... 29
8.2 Information security risk assessment ..... 31
8.3 Information security risk treatment ..... 31
9 Performance evaluation ..... 32
9.1 Monitoring, measurement, analysis and evaluation ..... 32
9.2 Internal audit ..... 33
9.3 Management review ..... 36
10 Improvement ..... 37
10.1 Nonconformity and corrective action ..... 37
10.2 Continual improvement ..... 40
Annex A (informative) Policy framework ..... 42
Bibliography ..... 45




Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition of ISO/IEC 27003 cancels and replaces the first edition (ISO/IEC 27003:2010), of which it constitutes a minor revision.

The main changes compared to the previous edition are as follows:

— the scope and title have been changed to cover explanation of, and guidance on the requirements of, ISO/IEC 27001:2013 rather than the previous edition (ISO/IEC 27001:2005);

— the structure is now aligned to the structure of ISO/IEC 27001:2013 to make it easier for the user to use it together with ISO/IEC 27001:2013;

— the previous edition had a project approach with a sequence of activities. This edition instead provides guidance on the requirements regardless of the order in which they are implemented.




Introduction

This document provides guidance on the requirements for an information security management system (ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’) and permissions (‘may’) in relation to them. It is not the intention of this document to provide general guidance on all aspects of information security.

Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.

This document does not add any new requirements for an ISMS and its related terms and definitions. Organizations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions. Organizations implementing an ISMS are under no obligation to observe the guidance in this document.

An ISMS emphasizes the importance of the following phases:

— understanding the organization’s needs and the necessity for establishing information security policy and information security objectives;

— assessing the organization’s risks related to information security;

— implementing and operating information security processes, controls and other measures to treat risks;

— monitoring and reviewing the performance and effectiveness of the ISMS; and

— practising continual improvement.

An ISMS, similar to any other type of management system, includes the following key components:

a) policy;

b) persons with defined responsibilities;

c) management processes related to:

1) policy establishment;
2) awareness and competence provision;
3) planning;
4) implementation;
5) operation;
6) performance assessment;
7) management review; and
8) improvement; and

d) documented information.

An ISMS has additional key components such as:

e) information security risk assessment; and

f) information security risk treatment, including determination and implementation of controls.

This document is generic and intended to be applicable to all organizations, regardless of type, size or nature. The organization should identify which part of this guidance applies to it in accordance with its specific organizational context (see ISO/IEC 27001:2013, Clause 4).




For example, some guidance can be more suited to large organizations, but for very small organizations (e.g. with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.

The descriptions of Clauses 4 to 10 are structured as follows:

— Required activity: presents key activities required in the corresponding subclause of ISO/IEC 27001;

— Explanation: explains what the requirements of ISO/IEC 27001 imply;

— Guidance: provides more detailed or supportive information to implement “required activity” including examples for implementation; and

— Other information: provides further information that can be considered.

ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005 form a set of documents supporting and providing guidance on ISO/IEC 27001:2013. Among these documents, ISO/IEC 27003 is a basic and comprehensive document that provides guidance for all the requirements of ISO/IEC 27001, but it does not have detailed descriptions regarding “monitoring, measurement, analysis and evaluation” and information security risk management. ISO/IEC 27004 and ISO/IEC 27005 focus on specific contents and give more detailed guidance on “monitoring, measurement, analysis and evaluation” and information security risk management.

There are several explicit references to documented information in ISO/IEC 27001. Nevertheless, an organization can retain additional documented information that it determines as necessary for the effectiveness of its management system as part of its response to ISO/IEC 27001:2013, 7.5.1 b). In these cases, this document uses the phrase “Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).”



INTERNATIONAL STANDARD ISO/IEC 27003:2017(E)

Information technology — Security techniques — Information security management systems — Guidance

1 Scope

This document provides explanation and guidance on ISO/IEC 27001:2013.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000:2016, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2016 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/

— ISO Online browsing platform: available at http://www.iso.org/obp

4 Context of the organization

4.1 Understanding the organization and its context

Required activity

The organization determines external and internal issues relevant to its purpose and affecting its ability to achieve the intended outcome(s) of the information security management system (ISMS).

Explanation

As an integral function of the ISMS, the organization continually analyses itself and the world surrounding it. This analysis is concerned with external and internal issues that in some way affect information security and how information security can be managed, and that are relevant to the organization’s objectives.

Analysis of these issues has three purposes:

— understanding the context in order to decide the scope of the ISMS;

— analysing the context in order to determine risks and opportunities; and

— ensuring that the ISMS is adapted to changing external and internal issues.




External issues are those outside of the organization’s control. This is often referred to as the organization’s environment. Analysing this environment can include the following aspects:

a) social and cultural;

b) political, legal, normative and regulatory;

c) financial and macroeconomic;

d) technological;

e) natural; and

f) competitive.

These aspects of the organization’s environment continually present issues that affect information security and how information security can be managed. The relevant external issues depend on the organization’s specific priorities and situation.

For example, external issues for a specific organization can include:

g) the legal implications of using an outsourced IT service (legal aspect);

h) characteristics of the nature in terms of possibility of disasters such as fire, flood and earthquakes (natural aspect);

i) technical advances of hacking tools and use of cryptography (technological aspect); and

j) the general demand for the organization’s services (social, cultural or financial aspects).

Internal issues are subject to the organization’s control. Analysing the internal issues can include the following aspects:

k) the organization’s culture;

l) policies, objectives, and the strategies to achieve them;

m) governance, organizational structure, roles and responsibilities;

n) standards, guidelines and models adopted by the organization;

o) contractual relationships that can directly affect the organization’s processes included in the scope of the ISMS;

p) processes and procedures;

q) the capabilities, in terms of resources and knowledge (e.g. capital, time, persons, processes, systems and technologies);

r) physical infrastructure and environment;

s) information systems, information flows and decision making processes (both formal and informal); and

t) previous audits and previous risk assessment results.

The results of this activity are used in 4.3, 6.1 and 9.3.

Guidance

Based on an understanding of the organization’s purpose (e.g. referring to its mission statement or business plan) as well as the intended outcome(s) of the organization’s ISMS, the organization should:

— review the external environment to identify relevant external issues; and




— review the internal aspects to identify relevant internal issues.

In order to identify relevant issues, the following question can be asked: How does a certain category of issues (see a) to t) above) affect information security objectives? Three examples of internal issues serve as an illustration:

Example 1 on governance and organizational structure (see item m)): When establishing an ISMS, already existing governance and organizational structures should be taken into account. As an example, the organization can model the structure of its ISMS based on the structure of other existing management systems, and can combine common functions, such as management review and auditing.

Example 2 on policy, objectives and strategies (see item l)): An analysis of existing policies, objectives and strategies can indicate what the organization intends to achieve and how the information security objectives can be aligned with business objectives to ensure successful outcomes.

Example 3 on information systems and information flows (see item s)): When determining internal issues, the organization should identify, at a sufficient level of detail, the information flows between its various information systems.

As both the external and the internal issues will change over time, the issues and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.

Documented information on this activity and its outcome is mandatory only in the form and to the extent that the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

In ISO/IEC 27000, the definition of “organization” has a note which states that: “The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.” Some of these examples are whole legal entities, whilst others are not.

There are four cases:

1) the organization is a legal or administrative entity (e.g. sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution whether incorporated or not, public or private);

2) the organization is a subset of a legal or administrative entity (e.g. part of a company, corporation, enterprise);

3) the organization is a set of legal or administrative entities (e.g. a consortium of sole-traders, larger companies, corporations, firms); and

4) the organization is a set of subsets of legal or administrative entities (e.g. clubs, trade associations).

4.2 Understanding the needs and expectations of interested parties

Required activity

The organization determines interested parties relevant to the ISMS and their requirements relevant to information security.

Explanation

Interested party is a defined term (see ISO/IEC 27000:2016, 2.41) that refers to persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Interested parties can be found both outside and inside the organization and can have specific needs, expectations and requirements for the organization’s information security.




External interested parties can include:

a) regulators and legislators;

b) shareholders including owners and investors;

c) suppliers including subcontractors, consultants, and outsourcing partners;

d) industry associations;

e) competitors;

f) customers and consumers; and

g) activist groups.

Internal interested parties can include:

h) decision makers including top management;

i) process owners, system owners, and information owners;

j) support functions such as IT or Human Resources;

k) employees and users; and

l) information security professionals.

The results of this activity are used in 4.3 and 6.1.

Guidance

The following steps should be taken:

— identify external interested parties;

— identify internal interested parties; and

— identify requirements of interested parties.

As the needs, expectations and requirements of interested parties change over time, these changes and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.

Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

No other information.

4.3 Determining the scope of the information security management system

Required activity

The organization determines the boundaries and applicability of the ISMS to establish its scope.

Explanation

The scope defines where and for what exactly the ISMS is applicable and where and for what it is not.

Establishing the scope is therefore a key activity that determines the necessary foundation for all other activities in the implementation of the ISMS. For instance, risk assessment and risk treatment, including the determination of controls, will not produce valid results without having a precise understanding of where exactly the ISMS is applicable. Precise knowledge of the boundaries and applicability of the ISMS and the interfaces and dependencies between the organization and other organizations is critical as well. Any later modifications of the scope can result in considerable additional effort and costs.

The following factors can affect the determination of the scope:

a) the external and internal issues described in 4.1;

b) the interested parties and their requirements that are determined according to ISO/IEC 27001:2013, 4.2;

c) the readiness of the business activities to be included as part of ISMS coverage;

d) all support functions, i.e. functions that are necessary to support these business activities (e.g. human resources management; IT services and software applications; facility management of buildings, physical zones, essential services and utilities); and

e) all functions that are outsourced either to other parts within the organization or to independent suppliers.

The scope of an ISMS can be very different from one implementation to another. For instance, the scope can include:

— one or more specific processes;

— one or more specific functions;

— one or more specific services;

— one or more specific sections or locations;

— an entire legal entity; and

— an entire administrative entity and one or more of its suppliers.

Guidance

To establish the scope of an ISMS, a multi-step approach can be followed:

f) determine the preliminary scope: this activity should be conducted by a small, but representative group of management representatives;

g) determine the refined scope: the functional units within and outside the preliminary scope should be reviewed, possibly followed by inclusion or exclusion of some of these functional units to reduce the number of interfaces along the boundaries. When refining the preliminary scope, all support functions should be considered that are necessary to support the business activities included in the scope;

h) determine the final scope: the refined scope should be evaluated by all management within the refined scope. If necessary, it should be adjusted and then precisely described; and

i) approval of the scope: the documented information describing the scope should be formally approved by top management.

The organization should also consider activities with impact on the ISMS or activities that are outsourced, either to other parts within the organization or to independent suppliers. For such activities, interfaces (physical, technical and organizational) and their influence on the scope should be identified.

Documented information describing the scope should include:

j) the organizational scope, boundaries and interfaces;

k) the information and communication technology scope, boundaries and interfaces; and

l) the physical scope, boundaries and interfaces.

Other information

No other information.

4.4 Information security management system

Required activity

The organization establishes, implements, maintains and continually improves the ISMS.

Explanation

ISO/IEC 27001:2013, 4.4 states the central requirement for establishing, implementing, maintaining and continually improving an ISMS. While the other parts of ISO/IEC 27001 describe the required elements of an ISMS, 4.4 mandates the organization to ensure that all required elements are met in order to establish, implement, maintain and continually improve the ISMS.

Guidance

No specific guidance.

Other information

No other information.

5 Leadership

5.1 Leadership and commitment

Required activity

Top management demonstrates leadership and commitment with respect to the ISMS.

Explanation

Leadership and commitment are essential for an effective ISMS.

Top management is defined (see ISO/IEC 27000) as a person or group of people who directs and controls the organization of the ISMS at the highest level, i.e. top management has the overall responsibility for the ISMS. This means that top management directs the ISMS in a similar way to other areas in the organization, for example the way budgets are allocated and monitored. Top management can delegate authority in the organization and provide resources for actually performing activities related to information security and the ISMS, but it still retains overall responsibility.

As an example, the organization implementing and operating the ISMS can be a business unit within a larger organization. In this case, top management is the person or group of people that directs and controls that business unit.

Top management also participates in management review (see 9.3) and promotes continual improvement (see 10.2).

Guidance

Top management should provide leadership and show commitment through the following:

a) top management should ensure that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;

b) top management should ensure that ISMS requirements and controls are integrated into the organization's processes. How this is achieved should be tailored to the specific context of the organization. For example, an organization that has designated process owners can delegate the responsibility to implement applicable requirements to these persons or group of people. Top management support can also be needed to overcome organizational resistance to changes in processes and controls;

c) top management should ensure the availability of resources for an effective ISMS. The resources are needed for the establishment of the ISMS, its implementation, maintenance and improvement, as well as for implementing information security controls. Resources needed for the ISMS include:

1) financial resources;

2) personnel;

3) facilities; and

4) technical infrastructure.

The needed resources depend on the organization's context, such as the size, the complexity, and internal and external requirements. The management review should provide information that indicates whether the resources are adequate for the organization;

d) top management should communicate the need for information security management in the organization and the need to conform to ISMS requirements. This can be done by giving practical examples that illustrate what the actual need is in the context of the organization and by communicating information security requirements;

e) top management should ensure that the ISMS achieves its intended outcome(s) by supporting the implementation of all information security management processes, and in particular through requesting and reviewing reports on the status and effectiveness of the ISMS (see 5.3 b)). Such reports can be derived from measurements (see 6.2 b) and 9.1 a)), management reviews and audit reports. Top management can also set performance objectives for key personnel involved with the ISMS;

f) top management should direct and support persons in the organization directly involved with information security and the ISMS. Failing to do this can have a negative impact on the effectiveness of the ISMS. Feedback from top management can include how planned activities are aligned to the strategic needs for the organization and also for prioritizing different activities in the ISMS;

g) top management should assess resource needs during management reviews and set objectives for continual improvement and for monitoring effectiveness of planned activities; and

h) top management should support persons to whom roles and responsibilities relating to information security management have been assigned, so that they are motivated and able to direct and support information security activities within their area.

In cases where the organization implementing and operating an ISMS is part of a larger organization, leadership and commitment can be improved by engagement with the person or group of people that controls and directs the larger organization. If they understand what is involved in implementing an ISMS, they can provide support for top management within the ISMS scope and help them provide leadership and demonstrate commitment to the ISMS. For example, if interested parties outside the scope of the ISMS are engaged in decision making concerning information security objectives and risk criteria and are kept aware of information security outcomes produced by the ISMS, their decisions regarding resource allocations can be aligned to the requirements of the ISMS.

Other information

No other information.


5.2 Policy

Required activity

Top management establishes an information security policy.

Explanation

The information security policy describes the strategic importance of the ISMS for the organization and is available as documented information. The policy directs information security activities in the organization.

The policy states what the needs for information security are in the actual context of the organization.

Guidance

The information security policy should contain brief, high level statements of intent and direction concerning information security. It can be specific to the scope of an ISMS, or can have wider coverage. All other policies, procedures, activities and objectives related to information security should be aligned to the information security policy.

The information security policy should reflect the organization's business situation, culture, issues and concerns relating to information security. The extent of the information security policy should be in accordance with the purpose and culture of the organization and should seek a balance between ease of reading and completeness. It is important that users of the policy can identify themselves with the strategic direction of the policy.

The information security policy can either include information security objectives for the organization or describe the framework for how information security objectives are set (i.e. who sets them for the ISMS and how they should be deployed within the scope of the ISMS). For example, in very large organizations, high level objectives should be set by the top management of the entire organization, then, according to a framework established in the information security policy, the objectives should be detailed in a way to give a sense of direction to all interested parties.

The information security policy should contain a clear statement from the top management on its commitment to satisfy information security related requirements.

The information security policy should contain a clear statement that top management supports continual improvement in all activities. It is important to state this principle in the policy, so that persons within the scope of the ISMS are aware of it.

The information security policy should be communicated to all persons within the scope of the ISMS. Therefore, its format and language should be appropriate so that it is easily understandable by all recipients.

Top management should decide to which interested parties the policy should be communicated. The information security policy can be written in such a way that it is possible to communicate it to relevant external interested parties outside of the organization. Examples of such external interested parties are customers, suppliers, contractors, subcontractors and regulators. If the information security policy is made available to external interested parties, it should not include confidential information.

The information security policy may either be a separate standalone policy or included in a comprehensive policy, which covers multiple management system topics within the organization (e.g. quality, environment and information security).

The information security policy should be available as documented information. The requirements in ISO/IEC 27001 do not imply any specific form for this documented information, and therefore it is up to the organization to decide what form is most appropriate. If the organization has a standard template for policies, the form of the information security policy should use this template.

Other information

Further information on policies related to information security can be found in ISO/IEC 27002. Further information about the relationship between the information security policy and other policies in a policy framework can be found in Annex A.

5.3 Organizational roles, responsibilities and authorities

Required activity

Top management ensures that responsibilities and authorities for roles relevant to information security are assigned and communicated throughout the organization.

Explanation

Top management ensures that roles and responsibilities as well as the necessary authorities relevant to information security are assigned and communicated.

The purpose of this requirement is to assign responsibilities and authorities to ensure conformance of the ISMS with the requirements of ISO/IEC 27001, and to ensure reporting on the performance of the ISMS to the top management.

Guidance

Top management should regularly ensure that the responsibilities and authorities for the ISMS are assigned so that the management system fulfils the requirements stated in ISO/IEC 27001. Top management does not need to assign all roles, responsibilities and authorities, but it should adequately delegate authority to do this. Top management should approve major roles, responsibilities and authorities of the ISMS.

Responsibilities and authorities related to information security activities should be assigned. Activities include:

a) coordinating the establishment, implementation, maintenance, performance reporting, and improvement of the ISMS;

b) advising on information security risk assessment and treatment;

c) designing information security processes and systems;

d) setting standards concerning determination, configuration and operation of information security controls;

e) managing information security incidents; and

f) reviewing and auditing the ISMS.

Beyond the roles specifically related to information security, relevant information security responsibilities and authorities should be included within other roles. For example, information security responsibilities can be incorporated in the roles of:

g) information owners;

h) process owners;

i) asset owners (e.g. application or infrastructure owners);

j) risk owners;

k) information security coordinating functions or persons (this particular role is normally a supporting role in the ISMS);

l) project managers;

m) line managers; and

n) information users.

Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

No other information.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

Overview

ISO/IEC 27001:2013, 6.1 is concerned with the planning of actions to address all types of risks and opportunities that are relevant to the ISMS. This includes risk assessment and planning for risk treatment.

The structure of ISO/IEC 27001 subdivides risks into two categories during planning:

a) risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole; and

b) information security risks that relate to the loss of confidentiality, integrity and availability of information within the scope of the ISMS.

The first category should be handled in accordance with requirements specified in ISO/IEC 27001:2013, 6.1.1 (general). Risks that fall into this category can be risks relating to the ISMS itself, the ISMS scope definition, top management's commitment to information security, resources for operating the ISMS, etc. Opportunities that fall into this category can be opportunities relating to the outcome(s) of the ISMS, the commercial value of an ISMS, the efficiency of operating ISMS processes and information security controls, etc.

The second category consists of all risks that directly relate to the loss of confidentiality, integrity and availability of information within the scope of the ISMS. These risks should be handled in accordance with 6.1.2 (information security risk assessment) and 6.1.3 (information security risk treatment).

Organizations may choose to use different techniques for each category.

The subdivision of requirements for addressing risks can be explained as follows:

— it encourages compatibility with other management systems standards for those organizations that have integrated management systems for different aspects like quality, environment and information security;

— it requires that the organization defines and applies complete and detailed processes for information security risk assessment and treatment; and

— it emphasizes that information security risk management is the core element of an ISMS.

ISO/IEC 27001:2013, 6.1.1 uses the expressions 'determine the risks and opportunities' and 'address these risks and opportunities'. The word "determine" can be considered to be equivalent to the word "assess" used in ISO/IEC 27001:2013, 6.1.2 (i.e. identify, analyse and evaluate). Similarly, the word "address" can be considered equivalent to the word "treat" used in ISO/IEC 27001:2013, 6.1.3.


Required activity

When planning for the ISMS, the organization determines the risks and opportunities considering issues referred to in 4.1 and requirements referred to in 4.2.

Explanation

For risks and opportunities relevant to the intended outcome(s) of the ISMS, the organization determines them based on internal and external issues (see 4.1) and requirements from interested parties (see 4.2). Then the organization plans its ISMS to:

a) ensure that intended outcomes are delivered by the ISMS, e.g. that the information security risks are known to the risk owners and treated to an acceptable level;

b) prevent or reduce undesired effects of risks relevant to the intended outcome(s) of the ISMS; and

c) achieve continual improvement (see 10.2), e.g. through appropriate mechanisms to detect and correct weaknesses in the management processes or taking opportunities for improving information security.

Risks connected to a) above could be unclear processes and responsibilities, poor awareness among employees, poor engagement from management, etc. Risks connected to b) above could be poor risk management or poor awareness of risks. Risks connected to c) above could be poor management of the ISMS documentation and processes.

When an organization pursues opportunities in its activities, these activities then affect the context of the organization (ISO/IEC 27001:2013, 4.1) or the needs and expectations of interested parties (ISO/IEC 27001:2013, 4.2), and can change the risks to the organization. Examples of such opportunities can be: focusing its business on some areas of products or services, establishing marketing strategy for some geographical regions, or expanding business partnerships with other organizations.

Opportunities also exist in continual improvements of the ISMS processes and documentation, along with evaluation of the intended outcomes delivered by the ISMS. For example, consideration of a relatively new ISMS often results in identification of opportunities to refine processes by clarifying interfaces, reducing administrative overhead, eliminating parts of processes that are not cost effective, by refining documentation and introducing new information technology.

The planning in 6.1.1 includes the determination of:

d) actions to address the risks and opportunities; and

e) the way to:

1) integrate and implement these actions into the ISMS processes; and

2) evaluate the effectiveness of these actions.

Guidance

The organization should:

f) determine risks and opportunities that can affect the achievement of the goals described in a), b) and c), considering the issues referred to in 4.1 and the requirements referred to in 4.2; and

g) develop a plan to implement the determined actions and to evaluate the effectiveness of those actions; actions should be planned considering integration of information security processes and documentation in existing structures; all these actions are linked with information security objectives (6.2) against which the information security risks are assessed and treated (see 6.1.2 and 6.1.3).

The general requirement to continually improve the ISMS stated in ISO/IEC 27001:2013, 10.2 is supported by the requirement to achieve continual improvement given in 6.1.1 with other relevant requirements of ISO/IEC 27001:2013, 5.1 g), 5.2 d), 9.1, 9.2 and 9.3.


The actions required in 6.1.1 can be different for strategic, tactical and operational levels, for different sites, or for different services or systems.

Several approaches can be taken to meet the requirements of 6.1.1, two of which are:

— considering risks and opportunities associated with planning, implementing and operating the ISMS separately from information security risks; and

— considering all risks simultaneously.

An organization that is integrating an ISMS into an established management system can find that the requirements of 6.1.1 are met by the organization's existing business planning methodology. Where this is the case, care should be taken to verify that the methodology covers all the requirements of 6.1.1.

Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

Further information about risk management can be found in ISO 31000.

NOTE The term "risk" is defined as the "effect of uncertainty on objectives" (see ISO/IEC 27000:2016, 2.68).

6.1.2 Information security risk assessment

Required activity

The organization defines and applies an information security risk assessment process.

Explanation

The organization defines an information security risk assessment process that:

a) establishes and maintains:

1) the risk acceptance criteria; and

2) criteria for performing information security risk assessments, which can include criteria for assessing the consequence and likelihood, and rules for the determination of the level of risk; and

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results.

The information security risk assessment process is then defined along the following sub-processes:

c) identification of information security risks:

1) identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS; and

2) identify the risk owners associated with these risks, i.e. identify and appoint persons with the appropriate authority and responsibility for managing identified risks.

d) analysis of the information security risks:

1) assess the potential consequences in case the identified risks materialize, e.g. direct business impacts such as monetary loss or indirect business impacts such as damage in reputation. Assessed consequences can be reported with quantitative or qualitative values;

2) assess the realistic likelihood of occurrence of the identified risks, with quantitative (i.e. probability or frequency) or qualitative values; and


3) determine the levels of identified risk as a predefined combination of assessed consequences and assessed likelihoods; and

e) evaluation of the information security risks:

1) compare the results of risk analysis with the risk acceptance criteria established before; and

2) prioritize the analysed risks for risk treatment, i.e. determine urgency of treatment for risks that are considered as unacceptable, and sequence if several risks need treatment.

The information security risk assessment process is then applied.

All steps of the information security risk assessment process (6.1.2 a) to e)) as well as the results of its application are retained by the organization as documented information.

Guidance

Guidance on establishing risk criteria (6.1.2 a))

The information security risk criteria should be established considering the context of the organization and requirements of interested parties and should be defined in accordance with top management's risk preferences and risk perceptions on one hand and should allow for a feasible and appropriate risk management process on the other hand.

The information security risk criteria should be established in connection with the intended outcome(s) of the ISMS.

According to ISO/IEC 27001:2013, 6.1.2 a), criteria concerning information security risk assessment that consider the assessment of likelihood and consequences should be established. Further, risk acceptance criteria should be established.

After establishing criteria for assessing consequences and likelihoods of information security risks, the organization should also establish a method for combining them in order to determine a level of risk. Consequences and likelihoods may be expressed in a qualitative, quantitative or semi-quantitative manner.

Risk acceptance criteria relate to risk assessment (in its evaluation phase, when the organization should understand if a risk is acceptable or not), and risk treatment activities (when the organization should understand if the proposed risk treatment is sufficient to reach an acceptable level of risk). Risk acceptance criteria can be based on a maximum level of acceptable risks, on cost-benefit considerations, or on consequences for the organization.

The risk acceptance criteria should be approved by the responsible management.

Guidance on producing consistent, valid and comparable assessment results (6.1.2 b))

The risk assessment process should be based on methods and tools designed in sufficient detail so that it leads to consistent, valid and comparable results.

Whatever the chosen method, the information security risk assessment process should ensure that:

— all risks, at the needed level of detail, are considered;

— its results are consistent and reproducible (i.e. the identification of risks, their analysis and their evaluation can be understood by a third party and results are the same when different persons assess the risks in the same context); and

— the results of repeated risk assessments are comparable (i.e. it is possible to understand if the levels of risk are increased or decreased).

Inconsistencies or discrepancies in the results when the whole or part of the information security risk assessment process is repeated can indicate that the chosen risk assessment method is not adequate.
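The sub-processes of 6.1.2 a) to e) and the comparability guidance above, carried through as an added Python example that is not part of ISO/IEC 27003: a three-step qualitative scale, a product matrix as the predefined combination rule, an acceptance threshold, prioritization of unacceptable risks for treatment, a comparison of two assessment cycles, and a check for discrepancies between two assessors. The scale values, the threshold, the register entries and the owner names are constructed assumptions, not values from the standard.

```python
"""Qualitative information security risk assessment following the sub-processes of
ISO/IEC 27001:2013, 6.1.2 a) to e). Added example, not part of ISO/IEC 27003; the
scale, combination rule, threshold and register entries below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Scale(IntEnum):
    """Constructed three-step qualitative scale, used for consequence and likelihood."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskCriteria:
    """6.1.2 a): the rule for combining consequence and likelihood into a level of risk,
    plus the risk acceptance criterion (to be approved by the responsible management)."""
    acceptable_max_level: int  # constructed criterion: levels up to this value are accepted

    @staticmethod
    def level(consequence: Scale, likelihood: Scale) -> int:
        # 6.1.2 d) 3): predefined combination, here a 3x3 product matrix giving 1..9.
        # Scale(...) raises ValueError for a score outside the scale, keeping results valid.
        return int(Scale(consequence)) * int(Scale(likelihood))

    def is_acceptable(self, level: int) -> bool:
        # 6.1.2 e) 1): compare the analysed level with the acceptance criterion.
        return level <= self.acceptable_max_level


@dataclass(frozen=True)
class Risk:
    """6.1.2 c): an identified risk, its appointed risk owner and its assessed scores."""
    rid: str
    description: str
    owner: str
    consequence: Scale  # 6.1.2 d) 1)
    likelihood: Scale   # 6.1.2 d) 2)


@dataclass(frozen=True)
class AssessedRisk:
    risk: Risk
    level: int
    acceptable: bool


def assess(criteria: RiskCriteria, register: list[Risk]) -> dict[str, AssessedRisk]:
    """Apply analysis (d) and evaluation (e) 1) to every entry of the register."""
    results: dict[str, AssessedRisk] = {}
    for risk in register:
        if not risk.owner.strip():
            raise ValueError(f"{risk.rid}: a risk owner must be appointed (6.1.2 c) 2))")
        if risk.rid in results:
            raise ValueError(f"{risk.rid}: duplicate risk identifier in register")
        level = criteria.level(risk.consequence, risk.likelihood)
        results[risk.rid] = AssessedRisk(risk, level, criteria.is_acceptable(level))
    return results


def prioritize(assessed: dict[str, AssessedRisk]) -> list[str]:
    """6.1.2 e) 2): unacceptable risks in treatment order, highest level first; ties are
    broken by consequence, then by identifier, so the sequence is reproducible."""
    pending = [a for a in assessed.values() if not a.acceptable]
    pending.sort(key=lambda a: (-a.level, -int(a.risk.consequence), a.risk.rid))
    return [a.risk.rid for a in pending]


def compare_cycles(previous: dict[str, AssessedRisk],
                   current: dict[str, AssessedRisk]) -> dict[str, str]:
    """Comparability of repeated assessments: did each risk level increase or decrease?"""
    verdicts: dict[str, str] = {}
    for rid in sorted(set(previous) | set(current)):
        if rid not in previous:
            verdicts[rid] = "new"
        elif rid not in current:
            verdicts[rid] = "closed"
        elif current[rid].level > previous[rid].level:
            verdicts[rid] = "increased"
        elif current[rid].level < previous[rid].level:
            verdicts[rid] = "decreased"
        else:
            verdicts[rid] = "unchanged"
    return verdicts


def inconsistencies(first: dict[str, AssessedRisk], second: dict[str, AssessedRisk]) -> list[str]:
    """Risks on which two assessors in the same context reached different levels; a
    non-empty list is the signal that the chosen method may not be adequate."""
    return sorted(rid for rid in set(first) & set(second) if first[rid].level != second[rid].level)


CRITERIA = RiskCriteria(acceptable_max_level=3)  # constructed: level 4 and above needs treatment

REGISTER = [  # constructed sample register for the current cycle
    Risk("R1", "Unpatched internet-facing web server", "Head of IT", Scale.HIGH, Scale.HIGH),
    Risk("R2", "Loss of a laptop with full-disk encryption", "HR manager", Scale.LOW, Scale.MEDIUM),
    Risk("R3", "Backup restore procedure never tested", "Head of IT", Scale.HIGH, Scale.MEDIUM),
    Risk("R4", "Phishing leading to credential theft", "CISO", Scale.MEDIUM, Scale.HIGH),
]

PREVIOUS_CYCLE = [  # constructed: the previous cycle's register, for the comparability check
    Risk("R1", "Unpatched internet-facing web server", "Head of IT", Scale.HIGH, Scale.HIGH),
    Risk("R3", "Backup restore procedure never tested", "Head of IT", Scale.HIGH, Scale.HIGH),
    Risk("R5", "Legacy FTP service still in use", "Head of IT", Scale.MEDIUM, Scale.MEDIUM),
]


def run_example() -> tuple[dict[str, AssessedRisk], list[str], dict[str, str]]:
    current = assess(CRITERIA, REGISTER)
    return current, prioritize(current), compare_cycles(assess(CRITERIA, PREVIOUS_CYCLE), current)


if __name__ == "__main__":
    assessed, order, verdicts = run_example()
    for rid, a in assessed.items():
        print(f"{rid} level={a.level} acceptable={a.acceptable} owner={a.risk.owner}")
    print("treatment order:", order)
    print("change since previous cycle:", verdicts)
```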


Guidance on identification of information security risks (6.1.2 c))

Risk identification is the process of finding, recognizing and describing risks. This involves the
identification of risk sources, events, their causes and their potential consequences.

The aim of risk identification is to generate a comprehensive list of risks based on those events that
might create, enhance, prevent, degrade, accelerate or delay the achievement of information security
objectives.

Two approaches are commonly used for the identification of information security risks:

— event-based approach: considers risk sources in a generic way. Events considered can have happened
in the past or can be anticipated for the future. In the first case they can involve historical data, in
the second case they can be based on theoretical analysis and expert opinions; and

— approach based on identification of assets, threats, and vulnerabilities: considers two different types
of risk sources: assets with their intrinsic vulnerabilities, and threats. Potential events considered
here are ways as to how threats could exploit a certain vulnerability of an asset to impact the
organization's objectives.

Both approaches are consistent with the principles and generic guidelines on risk assessment in
ISO 31000.

Other approaches of risk identification may be used if they have proven a similar practical usefulness
and if they can ensure the requirements in 6.1.2 b).

NOTE The approach based on assets, threats, and vulnerabilities corresponds to the information security
risk identification approach required by earlier editions of ISO/IEC 27001 and is compatible with the current
requirements in ISO/IEC 27001, so that previous investments in risk identification are not lost.

It is not recommended that the risk identification be too detailed in the first cycle of risk assessment.
Having a high level but clear picture of the information security risks is far better than having no
picture at all.

Guidance on analysis of the information security risks (6.1.2 d))

Risk analysis has the objective to determine the level of the risk.

ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001 requires that for each
identified risk the risk analysis is based on assessing the consequences resulting from the risk and
assessing the likelihood of those consequences occurring to determine a level of risk.

Techniques for risk analysis based on consequences and likelihood can be:

1) qualitative, using a scale of qualifying attributes (e.g. high, medium, low);

2) quantitative, using a scale with numerical values (e.g. monetary cost, frequency or probability of
occurrence); or

3) semi-quantitative, using qualitative scales with assigned values.

Whatever technique for risk analysis is used, its level of objectivity should be considered.

There are several methods for analysing the risks. The two approaches mentioned (event-based
approach and approach based on identification of assets, threats, and vulnerabilities) can be suitable
for information security risk analysis. Risk identification and analysis processes can be most effective
when carried out with the help of experts in the relevant risks under discussion.


Guidance on evaluation of the information security risks (6.1.2 e))

Evaluation of analysed risks involves using the organization's decision making processes to compare the
assessed level of risk for each risk with the pre-determined acceptance criteria in order to determine
the risk treatment options.

This final step of the risk assessment verifies whether the risks that have been analysed in the previous
steps can be accepted according to the acceptance criteria defined under 6.1.2 a), or need further
treatment. The step in 6.1.2 d) delivers information about the magnitude of the risk but no immediate
information about the urgency of implementing risk treatment options. Depending on the circumstances
in which risks occur, they can have different priorities for treatment. Therefore, the output of this step
should be a list of risks in priority order. It is useful to retain further information about these risks from
the risk identification and risk analysis steps to support decisions for risk treatment.

Other information

ISO/IEC 27005 provides guidance for performing information security risk assessments.

6.1.3 Information security risk treatment

Required activity

The organization defines and applies an information security risk treatment process.

Explanation

Information security risk treatment is the overall process of selecting risk treatment options,
determining appropriate controls to implement such options, formulating a risk treatment plan and
obtaining approval of the risk treatment plan by the risk owner(s).

All steps of the information security risk treatment process (6.1.3 a) to f)) as well as the results of its
application are retained by the organization as documented information.

Guidance

Guidance on information security risk treatment options (6.1.3 a))

Risk treatment options are:

a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk or
by removing the risk source (e.g. closing an e-commerce portal);

b) taking additional risk or increasing risk in order to pursue a business opportunity (e.g. opening an
e-commerce portal);

c) modifying the risk by changing the likelihood (e.g. reducing vulnerabilities) or the consequences
(e.g. diversifying assets) or both;

d) sharing the risk with other parties by insurance, sub-contracting or risk financing; and

e) retaining the risk based on the risk acceptance criteria or by informed decision (e.g. maintaining
the existing e-commerce portal as it is).

Each individual risk should be treated in line with information security objectives by one or more of
these options, in order to meet risk acceptance criteria.

Guidance on determining necessary controls (6.1.3 b))

Special attention should be given to the determination of the necessary information security controls.
Any control should be determined based on information security risks previously assessed. If an
organization has a poor information security risk assessment, it has a poor foundation for its choice of
information security controls.


Appropriate control determination ensures:

f) all necessary controls are included, and no unnecessary controls are chosen; and

g) the design of necessary controls satisfies an appropriate breadth and depth.

As a consequence of a poor choice of controls, the proposed information security risk treatment can be:

h) ineffective; or

i) inefficient and therefore inappropriately expensive.

To ensure that information security risk treatment is effective and efficient, it is therefore important
to be able to demonstrate the relationship from the necessary controls back to the results of the risk
assessment and risk treatment processes.

It can be necessary to use multiple controls to achieve the required treatment of the information
security risk. For example, if the option to change the consequences of a particular event is chosen,
it may require controls to effect prompt detection of the event as well as controls to respond to and
recover from the event.

When determining controls, the organization should also take into account controls needed for
services from outside suppliers of e.g. applications, processes and functions. Typically, these controls
are mandated by entering information security requirements in the agreements with these suppliers,
including ways to get information about the extent to which these requirements are met (e.g. right of
audit). There may be situations where the organization wishes to determine and describe detailed
controls as being part of its own ISMS even though the controls are carried out by outside suppliers.
Independently of the approach taken, the organization should always consider controls needed at its
suppliers when determining controls for its ISMS.

Guidance on comparing controls with those in ISO/IEC 27001:2013, Annex A (6.1.3 c))

ISO/IEC 27001:2013, Annex A contains a comprehensive list of control objectives and controls. Users of
this document are directed to the generic representation of controls in ISO/IEC 27001:2013, Annex A
to ensure that no necessary controls are overlooked. Comparison with ISO/IEC 27001:2013, Annex A
can also identify alternative controls to those determined in 6.1.3 b) which can be more effective at
modifying information security risk.

Control objectives are implicitly included in the controls chosen. The control objectives and controls
listed in ISO/IEC 27001:2013, Annex A are not exhaustive and additional control objectives and controls
should be added as needed.

Not every control within ISO/IEC 27001:2013, Annex A needs to be included. Any control within
ISO/IEC 27001:2013, Annex A that does not contribute to modifying risk should be excluded and
justification for the exclusion should be given.

Guidance on producing a Statement of Applicability (SoA) (6.1.3 d))

The SoA contains:

— all necessary controls (as determined in 6.1.3 b) and 6.1.3 c)) and, for each control:

    — the justification for the control's inclusion; and

    — whether the control is implemented or not (e.g. fully implemented, in progress, not yet
    started); and

— the justification for excluding any of the controls in ISO/IEC 27001:2013, Annex A.

Justification for including a control in part relies on the effect of the control in modifying an information
security risk. A reference to information security risk assessment results and the information security
risk treatment plan should be sufficient, along with the information security risk modification expected
by the implementation of necessary controls.

Justification for excluding a control contained within ISO/IEC 27001:2013, Annex A can include the
following:

— it has been determined that the control is not necessary to implement the chosen information
security risk treatment option(s);

— the control is not applicable because it is outside the scope of the ISMS (e.g. ISO/IEC 27001:2013,
A.14.2.7 Outsourced development is not applicable if all the organization's system development is
performed in-house); and

— it is obviated by a custom control (e.g. ISO/IEC 27001:2013, A.8.3.1 Management of removable
media could be excluded if a custom control prevents the use of removable media).

NOTE A custom control is a control not included in ISO/IEC 27001:2013, Annex A.

A useful SoA can be produced as a table containing all 114 controls of ISO/IEC 27001:2013, Annex A
along the rows plus rows with the additional controls that are not mentioned in ISO/IEC 27001:2013,
Annex A, if needed. One column of the table can indicate whether a control is necessary to implement
the risk treatment option(s) or can be excluded. A next column can contain the justification for inclusion
or exclusion of a control. A last column of the table can indicate the current implementation status of
the control. Further columns can be used, such as for details not required by ISO/IEC 27001 but usually
useful for subsequent reviews; these details can be a more detailed description of how the control is
implemented or a cross-reference to a more detailed description and documented information or
policies relevant for implementing the control.

Although it is not a specific requirement of ISO/IEC 27001, organizations can find it useful to include
responsibilities for the operation of each control included in the SoA.

Guidance on formulating an information security risk treatment plan (6.1.3 e))

ISO/IEC 27001 does not specify a structure or content for the information security risk treatment
plan. However, the plan should be formulated from the outputs of 6.1.3 a) to c). Thus the plan should
document for each treated risk:

— selected treatment option(s);

— necessary control(s); and

— implementation status.

Other useful content can include:

— risk owner(s); and

— expected residual risk after the implementation of actions.

If any action is required by the risk treatment plan, then it should be planned indicating responsibilities
and deadlines (see also 6.2); such an action plan can be represented by a list of these actions.

A useful information security risk treatment plan can be designed as a table sorted by risks identified
during the risk assessment, showing all the determined controls. As an example, there can be columns
in this table which indicate the names of the persons responsible for providing the controls. Further
columns can indicate the date of implementation of the control, information about how the control (or a
process) is intended to operate and a column about the target implementation status.
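The following is an added example, not part of ISO/IEC 27003 or ISO/IEC 27001, showing in Python the semi-quantitative analysis and evaluation described under 6.1.2 d) and e), the traceability from necessary controls back to assessed risks called for under 6.1.3 b), and the SoA and risk treatment plan tables described under 6.1.3 d) and e). The scales, the acceptance threshold, the risks R1 to R3, the controls C1 to C4 and the four-control subset of Annex A are constructed for illustration and are assumptions; the Annex A references used (A.6.2.1, A.8.3.1, A.9.1.1, A.14.2.7) are the ones cited on this page. The check flags the three defects the text above warns about: a risk above acceptance with no control determined, a control that no treated risk needs, and an Annex A control that is neither necessary nor justified as excluded.

```python
"""Added example with constructed data: risk level, evaluation, SoA and traceability check."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Semi-quantitative scales (6.1.2 d), 3)): qualitative labels with assigned values. Assumed.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3}
ACCEPTANCE_THRESHOLD = 3  # assumed risk acceptance criterion: level <= 3 may be retained

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    owner: str

@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    annex_a_ref: Optional[str]  # None marks a custom control (not in Annex A)
    status: str                 # fully implemented / in progress / not yet started

@dataclass(frozen=True)
class Treatment:
    risk_id: str
    option: str                 # avoid / take / modify / share / retain
    control_ids: Tuple[str, ...]

# Constructed sample register, plan, controls and Annex A subset (hypothetical identifiers).
RISKS = [
    Risk("R1", "theft or loss of a mobile phone", "likely", "major", "Head of IT"),
    Risk("R2", "paper records lost in transit", "possible", "moderate", "Records manager"),
    Risk("R3", "visitor glimpses lobby screen", "rare", "minor", "Facilities"),
]
CONTROLS = {
    "C1": Control("C1", "mobile device policy", "A.6.2.1", "fully implemented"),
    "C2": Control("C2", "MDM remote wipe", None, "in progress"),
    "C3": Control("C3", "PIN mandated on all phones", "A.9.1.1", "not yet started"),
    "C4": Control("C4", "removable media register", "A.8.3.1", "fully implemented"),
}
TREATMENTS = [
    Treatment("R1", "modify", ("C1", "C2", "C3")),
    Treatment("R2", "modify", ()),  # deliberately incomplete: no control determined
    Treatment("R3", "retain", ()),
]
ANNEX_A_SUBSET = ["A.6.2.1", "A.8.3.1", "A.9.1.1", "A.14.2.7"]
EXCLUSIONS = {"A.14.2.7": "all system development is performed in-house"}

def risk_level(risk: Risk) -> int:
    """Level of risk = likelihood value x consequence value (6.1.2 d))."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]

def evaluate(risks: List[Risk]) -> List[Risk]:
    """6.1.2 e): risks above the acceptance criterion, in priority order (highest level first)."""
    above = [r for r in risks if risk_level(r) > ACCEPTANCE_THRESHOLD]
    return sorted(above, key=risk_level, reverse=True)

def necessary_controls(treatments: List[Treatment]) -> Dict[str, List[str]]:
    """Map each control named in the plan to the risks it treats (6.1.3 b))."""
    needed: Dict[str, List[str]] = {}
    for t in treatments:
        for cid in t.control_ids:
            needed.setdefault(cid, []).append(t.risk_id)
    return needed

def check_traceability(risks, treatments, controls, annex_a, exclusions) -> List[str]:
    """Findings that break the chain risk -> option -> control -> SoA; an empty list is clean."""
    findings: List[str] = []
    plan = {t.risk_id: t for t in treatments}
    needed = necessary_controls(treatments)
    for r in risks:
        t, lvl = plan.get(r.risk_id), risk_level(r)
        if t is None:
            findings.append(f"{r.risk_id}: no treatment decision recorded")
        elif lvl > ACCEPTANCE_THRESHOLD and t.option == "retain":
            findings.append(f"{r.risk_id}: retained above acceptance; needs risk owner's justified concession")
        elif lvl > ACCEPTANCE_THRESHOLD and t.option in ("modify", "share") and not t.control_ids:
            findings.append(f"{r.risk_id}: level {lvl} above acceptance but no control determined")
    findings += [f"{c}: named in the plan but not defined" for c in needed if c not in controls]
    findings += [f"{c}: not needed by any treated risk (unnecessary control?)" for c in controls if c not in needed]
    in_use = {controls[c].annex_a_ref for c in needed if c in controls and controls[c].annex_a_ref}
    findings += [f"{ref}: Annex A control neither necessary nor justified as excluded"
                 for ref in annex_a if ref not in in_use and ref not in exclusions]
    findings += [f"{ref}: excluded in the SoA but needed by the plan" for ref in exclusions if ref in in_use]
    return findings

def build_soa(controls, treatments, annex_a, exclusions) -> List[dict]:
    """SoA rows: one per Annex A control, then one per necessary custom control (6.1.3 d))."""
    needed = necessary_controls(treatments)
    by_ref = {c.annex_a_ref: c for c in controls.values() if c.annex_a_ref}
    rows = []
    for ref in annex_a:
        c = by_ref.get(ref)
        if c is not None and c.control_id in needed:
            rows.append({"control": ref, "necessary": True,
                         "justification": "treats " + ", ".join(needed[c.control_id]), "status": c.status})
        else:  # excluded: a missing justification is flagged in the table itself
            rows.append({"control": ref, "necessary": False,
                         "justification": exclusions.get(ref, "MISSING"), "status": "n/a"})
    for c in controls.values():
        if c.annex_a_ref is None and c.control_id in needed:
            rows.append({"control": f"{c.control_id} (custom: {c.name})", "necessary": True,
                         "justification": "treats " + ", ".join(needed[c.control_id]), "status": c.status})
    return rows

if __name__ == "__main__":
    print(*build_soa(CONTROLS, TREATMENTS, ANNEX_A_SUBSET, EXCLUSIONS), sep="\n")
    print(*check_traceability(RISKS, TREATMENTS, CONTROLS, ANNEX_A_SUBSET, EXCLUSIONS), sep="\n")
```

On the constructed data the check reports R2 (level 4, treated by "modify" but with no control), C4 (defined but not needed by any treated risk) and A.8.3.1 (neither necessary nor justified as excluded); A.14.2.7 passes because its exclusion is justified, and the MDM control appears in the SoA as a custom row, which matches the treatment of MDM in the mobile phone example that follows.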

As an example for part of the risk treatment process, consider the theft of a mobile phone. The
consequences are loss of availability and potential undesirable disclosure of information. If the
assessment of the risk showed that the level of risk is out of acceptance, the organization can decide to
change the likelihood, or change the consequences of the risk.

To change the likelihood of loss or theft of a mobile phone, the organization can determine that a
suitable control is to oblige employees through a mobile device policy to take care of mobile phones and
periodically check for loss.

To change the consequence of loss or theft of a mobile phone, the organization can determine controls
such as:

— an incident management process so users can report the loss;

— a Mobile Device Management (MDM) solution to delete the content of the phone if lost; and

— a backup plan of mobile devices for recovering the phone's content.

When preparing its SoA (6.1.3 d)), the organization can include its chosen controls (mobile device policy
and MDM), justifying their inclusion based on their effect of changing the likelihood and consequences
of mobile phone loss or theft, resulting in reduced residual risk.

Comparing these controls with those listed in ISO/IEC 27001:2013, Annex A (6.1.3 c)), it can be seen
that the mobile device policy is aligned with ISO/IEC 27001:2013, A.6.2.1, but the MDM control does not
directly align and should be considered as an additional custom control. If MDM and other controls are
determined as necessary control(s) in an organization's information security risk treatment plan, they
should be included in the SoA (see "Guidance on producing a Statement of Applicability (SoA) (6.1.3 d))").

If the organization wants to further reduce the risk, it can consider from ISO/IEC 27001:2013, A.9.1.1
(access control policy) that it lacked control of access to mobile phones and modify its mobile device
policy to mandate the use of PINs on all mobile phones. This should then be a further control to change
the consequences of loss or theft of mobile phones.

When formulating its information security risk treatment plan (6.1.3 e)), the organization should then
include actions to implement mobile device policy and MDM and assign responsibilities and time frames.

Guidance on obtaining risk owners' approval (6.1.3 f))

When the information security risk treatment plan is formulated, the organization should obtain the
authorization from the risk owners. Such authorization should be based on defined risk acceptance
criteria or justified concession if there is any deviance from them.

Through its management processes the organization should record the risk owner's acceptance of the
residual risk and management approval of the plan.

As an example, this risk owner's approval can be documented by amending the risk treatment plan
described under guidance on 6.1.3 e) by columns indicating the effectiveness of the control, the residual
risk, and the risk owner's approval.

Other information

Further information on risk treatment can be found in ISO/IEC 27005 and ISO 31000.

6.2 Information security objectives and planning to achieve them

Required activity

The organization establishes information security objectives and plans to achieve them at relevant
functions and levels.

Explanation

Information security objectives help to implement strategic goals of an organization as well as to
implement the information security policy. Thereby, objectives in an ISMS are the information security
objectives for confidentiality, integrity and availability of information. Information security objectives
also help to specify and measure the performance of information security controls and processes, in
accordance with the information security policy (see 5.2).

The organization plans, establishes and issues information security objectives to relevant functions
and levels.

Requirements in ISO/IEC 27001 concerning information security objectives apply to all information
security objectives. If the information security policy contains objectives, then those objectives are
required to meet the criteria in 6.2. If the policy contains a framework for setting objectives, then the
objectives produced by that framework are required to meet the requirements of 6.2.

Requirements to be taken into account when establishing objectives are those determined when
understanding the organization and its context (see 4.1) as well as the needs and expectations of
interested parties (see 4.2).

The results from risk assessments and risk treatments are used as input to the on-going review of
objectives to ensure that they remain appropriate to the circumstances of an organization.

Information security objectives are inputs for risk assessment: risk acceptance criteria and criteria
for performing information security risk assessments (see 6.1.2) take into account these information
security objectives and thus ensure that levels of risk are aligned with them.

Information security objectives as per ISO/IEC 27001 are:

a) consistent with the information security policy;

b) measurable if practicable; this means that it is important to be able to determine whether or not an
objective has been met;

c) connected to applicable information security requirements, and results from risk assessment and
risk treatment;

d) communicated; and

e) updated as appropriate.

The organization retains documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization determines:

f) what will be done;

g) what resources will be required;

h) who will be responsible;

i) when it will be completed; and

j) how the results will be evaluated.

The above requirement concerning planning is generic and applicable to other plans required by
ISO/IEC 27001. Plans to consider for an ISMS include:

— plans for improving the ISMS as described in 6.1.1 and 8.1;

— plans for treating identified risks as described in 6.1.3 and 8.3; and


— any other plans that are found necessary for effective operation (e.g. plans for developing
competence and increasing awareness, communication, performance evaluation, internal audits
and management reviews).

Guidance

The information security policy should state the information security objectives or provide a framework
for setting the objectives.

Information security objectives can be expressed in various ways. The expression should be suitable to
meet the requirement of being measurable (if practicable) (ISO/IEC 27001:2013, 6.2 b)).

For example, information security objectives can be expressed in terms of:

— numerical values with their limits, e.g. "not go over a certain limit", and "reach level 4";

— the targets for measurements of information security performance;

— the targets for measurements of the effectiveness of the ISMS (see 9.1);

— compliance with ISO/IEC 27001;

— compliance with ISMS procedures;

— the need to complete actions and plans; and

— risk criteria to be met.

The following guidance applies to the bullets addressed in the explanation:

— see a) above. The information security policy specifies the requirements for information security
in an organization. All other specific requirements set for relevant functions and levels should be
consistent with them. If the information security policy has information security objectives, then
any other specific information security objective should be linked to the ones in the information
security policy. If the information security policy only provides the framework for setting objectives,
then that framework should be followed and should ensure that more specific objectives are linked
to the more generic ones;

— see b) above. Not every objective can be measurable, but making objectives measurable supports
achievement and improvement. It is highly desirable to be able to describe, qualitatively or
quantitatively, the degree to which an objective has been met, for example to guide priorities for
additional effort if objectives are not met, or to provide insights into opportunities for improved
effectiveness if objectives are exceeded. It should be possible to understand whether they have
been achieved or not, how achievement of objectives is determined, and whether it is possible to
determine the degree of achievement of objectives using quantitative measurements. Quantitative
descriptions of objective attainment should specify how associated measurement is done. It may not
be possible to quantitatively determine the degree of attainment of all objectives. ISO/IEC 27001
requires objectives to be measurable if practicable;

— see c) above. Information security objectives should be aligned with information security needs;
for this reason, risk assessment and treatment results should be used as inputs when setting
information security objectives;

— see d) above. Information security objectives should be communicated to relevant internal interested
parties of the organization. They may also be communicated to external interested parties, e.g.
customers, stakeholders, to the extent they need to know and are affected by the information
security objectives; and

— see e) above. When information security needs change over time, related information security
objectives should be updated accordingly. Their update should be communicated as required in d),
to internal and external interested parties as appropriate.


The organization should plan how to achieve its information security objectives. The organization may
use any methodology or mechanism it chooses to plan for the achievement of its information security
objectives. There may be a single information security plan, one or more project plans, or actions
included in other organizational plans. Whatever form planning takes, the resulting plans should define
as a minimum (see f) to j) above):

— the activities to be done;

— the required resources to be committed to execute the activities;

— the responsibilities;

— the timelines and milestones of activities; and

— the methods and measurements to evaluate whether the results achieve objectives, which includes
timing of such evaluations.

ISO/IEC 27001 requires organizations to retain documented information on the information security
objectives. Such documented information can include:

— plans, actions, resources, responsibilities, deadlines and evaluation methods; and

— requirements, tasks, resources, responsibilities, evaluation frequency and methods.

Other information

No other information.

7 Support

7.1 Resources

Required activity

The organization determines and provides the resources for establishing, implementing, maintaining
and continually improving the ISMS.

Explanation

Resources are fundamental to perform any kind of activity. Categories of resources can include:

a) persons to drive and operate the activities;

b) time to perform activities and time to allow results to settle down before making a new step;

c) financial resources to acquire, develop and implement what is needed;

d) information to support decisions, measure performance of actions, and improve knowledge; and

e) infrastructure and other means that can be acquired or built, such as technology, tools and
materials, regardless of whether they are products of information technology or not.

These resources are to be kept aligned with the needs of the ISMS and hence are to be adapted when
required.

Guidance

The organization should:

f) estimate the resources needed for all the activities related to the ISMS in terms of quantity and
quality (capacities and capabilities);

g) acquire the resources as needed;


h) provide the resources;

i) maintain the resources across the whole ISMS processes and specific activities; and

j) review the provided resources against the needs of the ISMS, and adjust them as required.

Documented information on this activity and its outcome is mandatory only in the form and to the
extent that the organization determines as necessary for the effectiveness of its management system
(see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

No other information.

7.2 Competence

Required activity

The organization determines the competence of persons needed for information security performance,
and ensures that the persons are competent.

Explanation

Competence is the ability to apply knowledge and skills to achieve intended results. It is influenced by
knowledge, experience and wisdom.

Competence can be specific (e.g. about technology or specific management areas such as risk
management) or general (e.g. soft skills, trustworthiness, and basic technological and managerial
subjects).

Competence relates to persons that work under control of the organization. This means that competence
should be managed for persons that are employees of the organization and for other people as needed.
Acquisition of higher or new competence and skills can be achieved both internally and externally
through experience, training (e.g. courses, seminars and workshops), mentoring, hiring or contracting
external persons.

For competence that is only temporarily needed (for a specific activity or for a short period of time,
e.g. to cover unexpected temporary shortage of internal personnel) organizations can hire or contract
external resources, whose competence is to be described and verified.

Guidance

The organization should:

a) determine the expected competence for each role within the ISMS and decide if it needs to be
documented (e.g. in a job description);

b) assign the roles within the ISMS (see 5.3) to persons with the required competence either by:

    1) identifying persons within the organization who have the competence (based e.g. on their
    education, experience, or certifications);

    2) planning and implementing actions to have persons within the organization obtain the
    competence (e.g. through provision of training, mentoring, reassignment of current
    employees); or

    3) engaging new persons who have the competence (e.g. through hiring or contracting);

c) evaluate the effectiveness of actions in b) above;

EXAMPLE 1 Consider if persons have acquired competence after the training.


EXAMPLE 2 Analyse the competence of newly hired or contracted persons some time after their
arrival in the organization.

EXAMPLE 3 Verify if the plan for acquiring new persons has been completed as expected.

d) verify that the persons are competent for their roles; and

e) ensure that the competence evolves over time as necessary and that it meets expectations.

Appropriate documented information is required as evidence of competence. The organization should
therefore retain documentation about the necessary competence affecting information security
performance and how this competence is met by relevant persons.

Other information

No other information.

7.3 Awareness

Required activity

The persons doing work under the organization's control are made aware of the information security
policy, their contribution to the effectiveness of the ISMS, benefits of improved information security
performance and implications of not conforming to the requirements of the ISMS.

Explanation

Awareness of persons working under the organization's control refers to having the necessary
understanding and motivation about what is expected of them with regard to information security.
Awareness concerns persons who have to know, understand, accept and:

a) support the objectives stated in the information security policy; and

b) follow the rules to correctly perform their daily tasks in support of information security.

Additionally, the persons doing work under the organization's control also need to know, understand
and accept the implications of not conforming with the ISMS requirements. Implications can be negative
consequences for information security or repercussions for the person.

These persons need to be aware that an information security policy exists and where to find information
about it. Many staff in an organization do not need to know the detailed content of the policy. Instead,
they should know, understand, accept and implement the information security objectives and
requirements derived from the policy that affect their job role. These requirements can be included in
the standards or procedures they are expected to follow to do their job.

Guidance

The organization should:

c) prepare a programme with the specific messages focused on each audience (e.g. internal and
external persons);

d) include information security needs and expectations within awareness and training materials on
other topics to place information security needs into relevant operational contexts;

e) prepare a plan to communicate messages at planned intervals;

f) verify the knowledge and understanding of messages both at the end of an awareness session and
at random between sessions; and

g) verify whether persons act according to the communicated messages and use examples of 'good'
and 'bad' behaviour to reinforce the message.


Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

Further information on awareness in the field of information security can be found in ISO/IEC 27002:2013, 7.2.2.

7.4 Communication

Required activity

The organization determines the needs for internal and external communications related to the ISMS.

Explanation

Communication is a key process within an ISMS. Adequate communication is necessary with internal and external interested parties (see 4.2).

Communication can be between internal interested parties at all levels of the organization or between the organization and external interested parties. Communication can be initiated within the organization or by an external interested party.


Organizations need to determine:

— which content needs to be communicated, e.g. information security policies, objectives, procedures, their changes, knowledge on information security risks, requirements to suppliers and feedback on the information security performance;

— the preferred or optimal point in time for communication activities;

— who is to be involved in communication activities, and which is the target audience of each communication effort;

— who is to initiate communication activities, e.g. specific content can require communication to be initiated by a specific person or organization; and

— which processes are driving or initiating communication activities, and which processes are targeted or affected by communication activities.

Communication can take place regularly or as needs arise. It can be either proactive or reactive.

Guidance

Communication relies on processes, channels and protocols. These should be chosen to ensure the communicated message is integrally received, correctly understood and, when relevant, acted upon appropriately.

Organizations should determine which content needs to be communicated, such as:

a) plans and results of risk management to interested parties as needed and appropriate, in the identification, analysis, evaluation, and treatment of the risks;

b) information security objectives;

c) achieved information security objectives including those that can support their position in the market (e.g. ISO/IEC 27001 certificate granted; claiming conformance with personal data protection laws);

d) incidents or crises, where transparency is often key to preserve and increase trust and confidence in the organization’s capability to manage its information security and deal with unexpected situations;


e) roles, responsibilities and authority;

f) information exchanged between functions and roles as required by the ISMS’s processes;

g) changes to the ISMS;

h) other matters identified by reviewing the controls and processes within the scope of the ISMS;

i) matters (e.g. incident or crisis notification) that require communication to regulatory bodies or other interested parties; and

j) requests or other communications from external parties such as customers, potential customers, users of services and authorities.

The organization should identify the requirements for communication on relevant issues:

k) who is allowed to communicate externally and internally (e.g. in special cases such as a data breach), allocating to specific roles with the appropriate authority. For example, official communication officers can be defined with the appropriate authority. They could be a public relations officer for external communication and a security officer for internal communication;

l) the triggers or frequency of communication (e.g. for communication of an event, the trigger is the identification of the event);

m) the contents of messages for key interested parties (e.g. customers, regulators, general public, important internal users) based on high level impact scenarios. Communication can be more effective if based on messages prepared and pre-approved by an appropriate level of management as part of a communication plan, the incident response plan or the business continuity plan;

n) the intended recipients of the communication; in some cases, a list should be maintained (e.g. for communicating changes to services or crisis);

o) the communication means and channels. Communication should use dedicated means and channels, to make sure that the message is official and bears the appropriate authority. Communication channels should address any needs for the protection of the confidentiality and integrity of the information transmitted; and

p) the designed process and the method to ensure messages are sent and have been correctly received and understood.

Communication should be classified and handled according to the organization’s requirements.

Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).

Other information

No other information.

7.5 Documented information

7.5 .1 General

Required activity

The organization includes documented information in the ISMS as directly required by ISO/IEC 27001, as well as determined by the organization as being necessary for the effectiveness of the ISMS.


Explanation

Documented information is needed to define and communicate information security objectives, policy, guidelines, instructions, controls, processes, procedures, and what persons or groups of people are expected to do and how they are expected to behave. Documented information is also needed for audits of the ISMS and to maintain a stable ISMS when persons in key roles change. Further, documented information is needed for recording actions, decisions and outcome(s) of ISMS processes and information security controls.

Documented information can contain:

— information about information security objectives, risks, requirements and standards;

— information about processes and procedures to be followed; and

— records of the input (e.g. for management reviews) and the outcomes of processes (including plans and outcomes of operational activities).

There are many activities within the ISMS that produce documented information that is used, most of the time, as an input for another activity.

ISO/IEC 27001 requires a set of mandatory documented information and contains a general requirement that additional documented information is required if it is necessary for the effectiveness of the ISMS.

The amount of documented information needed is often related to the size of the organization.

In total, the mandatory and additional documented information contains sufficient information to allow the performance evaluation requirements specified in Clause 9 to be carried out.

Guidance

The organization should determine what documented information is necessary for ensuring effectiveness of its ISMS in addition to mandatory documented information required by ISO/IEC 27001.

The documented information should be there to fit the purpose. Factual and ‘to the point’ information is what is needed.

Examples of documented information that can be determined by the organization to be necessary for ensuring effectiveness of its ISMS are:

— the results of the context establishment (see Clause 4);

— the roles, responsibilities and authorities (see Clause 5);

— reports of the different phases of the risk management (see Clause 6);

— resources determined and provided (see 7.1);

— the expected competence (see 7.2);

— plans and results of awareness activities (see 7.3);

— plans and results of communication activities (see 7.4);

— documented information of external origin that is necessary for the ISMS (see 7.5.3);

— process to control documented information (see 7.5.3);

— policies, rules and directives for directing and operating information security activities;

— processes and procedures used to implement, maintain and improve the ISMS and the overall information security status (see Clause 9);

— action plans; and


— evidence of the results of ISMS processes (e.g. incident management, access control, information security continuity, equipment maintenance, etc.).

Documented information can be of internal or external origin.

Other information

If the organization wants to manage its documented information in a document management system, this can be built according to the requirements in ISO 30301.

7.5 .2 Creating and updating

Required activity

When creating and updating documented information, the organization ensures its appropriate identification and description, format and media, and review and approval.

Explanation

The organization identifies in detail how the documented information is best structured and defines a suitable documentation approach.

Review and approval by appropriate management ensures that the documented information is correct, suitable for the purpose, and in an adequate form and detail for the intended audience. Regular reviews ensure continued suitability and adequacy of documented information.

Guidance

Documented information may be retained in any form, e.g. traditional documents (in both paper and electronic form), web pages, databases, computer logs, computer generated reports, audio and video. Moreover, documented information may consist of specifications of intent (e.g. the information security policy) or records of performance (e.g. the results of an audit) or a mixture of both. The following guidance applies directly to traditional documents and should be interpreted appropriately when applied to other forms of documented information.

Organizations should create a structured documented information library, linking different parts of documented information by:

a) determining the structure of the documented information framework;

b) determining the standard structure of the documented information;

c) providing templates for different types of documented information;

d) determining the responsibilities for preparing, approving, publishing and managing the documented information; and

e) determining and documenting the revision and approval process to ensure continual suitability and adequacy.

Organizations should define a documentation approach that includes common attributes of every document, which allow clear and unique identification. These attributes usually include document type (e.g. policy, directive, rule, guideline, plan, form, process or procedure), the purpose and scope, title, date of publication, classification, reference number, version number, and a revision history. The identification of the author and the person(s) currently responsible for the document, its application and evolution, as well as the approver(s) or approval authority should be included.

Format requirements can include definition of suitable documentation languages, file formats, software version for working with them and graphical content. Media requirements define on which physical and electronic media the information should be available.

Statements and writing style should be tailored to the audience and scope of the documentation.


Duplication of information in documented information should be avoided and cross-references used rather than replicating the same information in different documents.

The documentation approach should ensure timely review of the documented information and that all documentation changes are subject to approval. Suitable review criteria can be timing related (e.g. maximum time periods between document reviews) or content related. Approval criteria should be defined, which ensures that the documented information is correct, suitable for the purpose, and in an adequate form and detail for the intended audience.

Other information

No other information.

7.5 .3 Control of documented information

Required activity

The organization manages documented in formation throughout its li fecycle and makes it available
where and when needed.

Explanation

Once approved, the documented information is communicated to its intended audience. Documented information is available where and when it is needed, while preserving its integrity, confidentiality, and relevance throughout the whole lifecycle.

Note that activities described “as applicable” in ISO/IEC 27001:2013, 7.5.3 need to be performed if they can be performed and are useful, considering the organization’s needs and expectations.

Guidance

A structured documented information library can be used to facilitate access to documented information.

All of the documented information should be classified (see ISO/IEC 27001:2013, A.8.2.1) in accordance with the organization’s classification scheme. Documented information should be protected and handled in accordance with its classification level (see ISO/IEC 27001:2013, A.8.2.3).

A change management process for documented information should ensure that only authorised persons have the right to change and distribute it as needed through appropriate and predefined means. Documented information should be protected to ensure it keeps its validity and authenticity.

Documented information should be distributed and made available to authorized interested parties. For this, the organization should establish who are the relevant interested parties for each documented information (or groups of documented information), and the means to use for distribution, access, retrieval and use (e.g. a web site with appropriate access control mechanisms). The distribution should comply with any requirements related to protecting and handling of classified information.

The organization should establish the appropriate retention period for documented information according to its intended validity and other relevant requirements. The organization should ensure that information is legible throughout its retention period (e.g. using formats that can be read by available software, or verifying that paper is not corrupted).

The organization should establish what to do with documented information after its retention period has expired.

The organization should also manage documented information of external origin (i.e. from customers, partners, suppliers, regulatory bodies, etc.).

Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013, 7.5.1 b)).


Other information

No other information.

8 Operation

8.1 Operational planning and control

Required activity

The organization plans, implements and controls the processes to meet its information security requirements and to achieve its information security objectives.

The organization keeps documented information as necessary to have confidence that processes are carried out as planned.

The organization controls planned changes and reviews the consequences of unintended changes, and ensures that outsourced processes are identified, defined and controlled.

Explanation

The processes that an organization uses to meet its information security requirements are planned, and once implemented, they are controlled, particularly when changes are required.

Building on the planning of the ISMS (see 6.1 and 6.2), the organization performs the necessary operational planning and activities to implement the processes needed to fulfil the information security requirements.

Processes to meet information security requirements include:

a) ISMS processes (e.g. management review, internal audit); and

b) processes required for implementing the information security risk treatment plan.

Implementation of plans results in operated and controlled processes.

The organization ultimately remains responsible for planning and controlling any outsourced processes in order to achieve its information security objectives. Thus the organization needs to:

c) determine outsourced processes considering the information security risks related to the outsourcing; and

d) ensure that outsourced processes are controlled (i.e. planned, monitored and reviewed) in a manner that provides assurance that they operate as intended (also considering information security objectives and the information security risk treatment plan).

After the implementation is completed, the processes are managed, monitored and reviewed to ensure that they continue to fulfil the requirements determined after understanding the needs and expectations of interested parties (see 4.2).

Changes of the ISMS in operation can be either planned or they occur unintended. Whenever the organization makes changes to the ISMS (as a result of planning or unintentionally), it assesses the potential consequences of the changes to control any adverse effects.

The organization can get confidence about the effectiveness of the implementation of plans by documenting activities and using documented information as input to the performance evaluation processes specified in Clause 9. The organization therefore establishes the required documented information to keep.


Guidance

The processes that have been defined as a result of the planning described in Clause 6 should be implemented, operated and verified throughout the organization. The following should be considered and implemented:

e) processes that are specific for the management of information security (such as risk management, incident management, continuity management, internal audits, management reviews);

f) processes emanating from information security controls in the information security risk treatment plan;

g) reporting structures (contents, frequency, format, responsibilities, etc.) within the information security area, for example incident reports, reports on measuring the fulfilment of information security objectives, reports on performed activities; and

h) meeting structures (frequency, participants, purpose and authorization) within the information security area. Information security activities should be co-ordinated by representatives from different parts of the organization with relevant roles and job functions for effective management of the information security area.

For planned changes, the organization should:

i) plan their implementation and assign tasks, responsibilities, deadlines and resources;

j) implement changes according to the plan;

k) monitor their implementation to confirm that they are implemented according to the plan; and

l) collect and retain documented information on the execution of the changes as evidence that they have been carried out as planned (e.g. with responsibilities, deadlines, effectiveness evaluations).

For observed unintended changes, the organization should:

m) review their consequences;

n) determine whether any adverse effects have already occurred or can occur in the future;

o) plan and implement actions to mitigate any adverse effects as necessary; and

p) collect and retain documented information on unintended changes and actions taken to mitigate adverse effects.

If part of the organization’s functions or processes are outsourced to suppliers, the organization should:

q) determine all outsourcing relationships;

r) establish appropriate interfaces to the suppliers;

s) address information security related issues in the supplier agreements;

t) monitor and review the supplier services to ensure that they are operated as intended and associated information security risks meet the risk acceptance criteria of the organization; and

u) manage changes to the supplier services as necessary.

Other information

No other information.


8.2 Information security risk assessment

Required activity

The organization performs information security risk assessments and retains documented information on their results.

Explanation

When performing information security risk assessments, the organization executes the process defined in 6.1.2. These assessments are either executed according to a schedule defined in advance, or in response to significant changes or information security incidents. The results of the information security risk assessments are retained in documented information as evidence that the process in 6.1.2 has been performed as defined.

Documented information from information security risk assessments is essential for information security risk treatment and is valuable for performance evaluation (see Clause 9).

Guidance

Organizations should have a plan for conducting scheduled information security risk assessments. When any significant changes of the ISMS (or its context) or information security incidents have occurred, the organization should determine:

a) which of these changes or incidents require an additional information security risk assessment; and

b) how these assessments are triggered.

The level of detail of the risk identification should be refined step by step in further iterations of the information security risk assessment in the context of the continual improvement of the ISMS. A broad information security risk assessment should be performed at least once a year.

Other information

ISO/IEC 27005 provides guidance for per forming in formation security risk assessments.

8.3 Information security risk treatment

Required activity

The organization implements the information security risk treatment plan and retains documented information on the results of the information security treatment.

Explanation

In order to treat information security risks, the organization needs to carry out the information security risk treatment process defined in 6.1.3. During operation of the ISMS, whenever the risk assessment is updated according to 8.2, the organization then applies the risk treatment according to 6.1.3 and updates the risk treatment plan. The updated risk treatment plan is again implemented.

The results of the information security risk treatment are retained in documented information as evidence that the process in 6.1.3 has been performed as defined.

Guidance

The information security risk treatment process should be performed after each iteration of the information security assessment process in 8.2 or when the implementation of the risk treatment plan or parts of it fails.

The progress of implementation of the information security risk treatment plan should be driven and monitored by this activity.


Other information

No other information.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

Required activity

The organization evaluates the information security performance and the effectiveness of the ISMS.

Explanation

The objective of monitoring and measurement is to help the organization to judge whether the intended outcome of information security activities including risk assessment and treatment is achieved as planned.

Monitoring determines the status of a system, a process or an activity, whilst measurement is a process to determine a value. Thus monitoring can be achieved through a succession of similar measurements over some time period.

For monitoring and measurement, the organization establishes:

a) what to monitor and measure;

b) who monitors and measures, and when; and

c) methods to be used so as to produce valid results (i.e. comparable and reproducible).

For analysis and evaluation, the organization establishes:

d) who analyses and evaluates the results from monitoring and measurement, and when; and

e) methods to be used so as to produce valid results.

There are two aspects of evaluation:

f) evaluating the information security performance, for determining whether the organization is doing as expected, which includes determining how well the processes within the ISMS meet their specifications; and

g) evaluating the effectiveness of the ISMS, for determining whether or not the organization is doing the right things, which includes determining the extent to which information security objectives are achieved.

Note that “as applicable” (ISO/IEC 27001:2013, 9.1 b)) means that if methods for monitoring, measurement, analysis and evaluation can be determined, they need to be determined.

Guidance

A good practice is to define the ‘information need’ when planning the monitoring, measurement, analysis and evaluation. An information need is usually expressed as a high level information security question or statement that helps the organization evaluate information security performance and ISMS effectiveness. In other words, monitoring and measurement should be undertaken to achieve a defined information need.

Care should be taken when determining the attributes to be measured. It is impracticable, costly and counterproductive to measure too many, or the wrong attributes. Besides the costs of measuring, analysing and evaluating numerous attributes, there is a possibility that key issues could be obscured or missed altogether.


There are two generic types of measurements:

h) performance measurements, which express the planned results in terms of the characteristics of the planned activity, such as head counts, milestone accomplishment, or the degree to which information security controls are implemented; and

i) effectiveness measurements, which express the effect that realization of the planned activities has on the organization’s information security objectives.

It can be appropriate to identify and assign distinctive roles to those participating in the monitoring, measurement, analysis and evaluation. Those roles can be measurement client, measurement planner, measurement reviewer, information owner, information collector, information analyst and information communicator of input or output of evaluation (see ISO/IEC 27004:2016, 6.5).

The responsibilities for monitoring and measurement and those for analysis and evaluation are often assigned to separate persons, from whom different competence is required.

Other information

Monitoring, measurement, analysis and evaluation is critical to the success of an effective ISMS. There are a number of clauses in ISO/IEC 27001 that explicitly require determination of the effectiveness of some activities. For example, ISO/IEC 27001:2013, 6.1.1 e), 7.2 c) or 10.1 d).

Further information can be found in ISO/IEC 27004, which provides guidance on meeting the requirements of ISO/IEC 27001:2013, 9.1. In particular, it expands on all of the concepts mentioned above, such as roles and responsibilities, and forms, and gives numerous examples.

9.2 Internal audit

Required activity

The organization conducts internal audits to provide information on conformity of the ISMS to the requirements.

Explanation

Evaluating an ISMS at planned intervals by means of internal audits provides assurance of the status of the ISMS to top management. Auditing is characterized by a number of principles: integrity; fair presentation; due professional care; confidentiality; independence; and evidence-based approach (see ISO 19011).

Internal audits provide information on whether the ISMS conforms to the organization’s own requirements for its ISMS as well as to the requirements in ISO/IEC 27001. The organization’s own requirements include:

a) requirements stated in the information security policy and procedures;

b) requirements produced by the framework for setting information security objectives, including outcomes of the risk treatment process;

c) legal and contractual requirements; and

d) requirements on the documented information.

Auditors also evaluate whether the ISMS is effectively implemented and maintained.

An audit programme describes the overall framework for a set of audits, planned for specific time frames and directed towards specific purposes. This is different from an audit plan, which describes the activities and arrangements for a specific audit. Audit criteria are a set of policies, procedures or requirements used as a reference against which audit evidence is compared, i.e. the audit criteria describe what the auditor expects to be in place.




An internal audit can identify nonconformities, risks and opportunities. Nonconformities are managed according to requirements in 10.1. Risks and opportunities are managed according to requirements in 4.1 and 6.1.

The organization is required to retain documented information about audit programme(s) and audit results.

Guidance

Managing an audit programme

An audit programme defines the structure and responsibilities for planning, conducting, reporting and following up on individual audit activities. As such it should ensure that audits conducted are appropriate, have the right scope, minimize the impact on the operations of the organization and maintain the necessary quality of audits. An audit programme should also ensure the competence of audit teams, appropriate maintenance of audit records, and the monitoring and review of the operations, risks and effectiveness of audits. Further, an audit programme should ensure that the ISMS (i.e. all relevant processes, functions and controls) is audited within a specified time frame. Finally, an audit programme should include documented information about types, duration, locations, and schedule of the audits.

The extent and frequency of internal audits should be based on the size and nature of the organization as well as on the nature, functionality, complexity and the level of maturity of the ISMS (risk-based auditing).

The effectiveness of the implemented controls should be examined within the scope of internal audits. An audit programme should be designed to ensure coverage of all necessary controls and should include evaluation of the effectiveness of selected controls over time. Key controls (according to the audit programme) should be included in every audit, whereas controls implemented to manage lower risks may be audited less frequently. The audit programme should also consider that processes and controls should have been in operation for some time to enable evaluation of suitable evidence.

Internal audits concerning an ISMS can be performed effectively as a part of, or in collaboration with, other internal audits of the organization. The audit programme can include audits related to one or more management system standards, conducted either separately or in combination.

An audit programme should include documented information about: audit criteria, audit methods, selection of audit teams, processes for handling confidentiality, information security, health and safety provisions for auditors, and other similar matters.

Competence and evaluation of auditors

Regarding competence and evaluation of auditors, the organization should:

e) identify competence requirements for its auditors;

f) select internal or external auditors with the appropriate competence;

g) have a process in place for monitoring the performance of auditors and audit teams; and

h) include personnel on internal audit teams that have appropriate sector-specific and information security knowledge.

Auditors should be selected on the basis that they are competent, independent, and adequately trained.

Selecting internal auditors can be difficult for smaller companies. If the necessary resources and competence are not available internally, external auditors should be appointed. When organizations use external auditors, they should ensure that the auditors have acquired enough knowledge about the context of the organization. This information should be supplied by internal staff.




Organizations should consider that internal employees acting as internal auditors are often able to perform detailed audits that take the organization's context into account, but may not have enough knowledge about performing audits.

Organizations should therefore recognize the characteristics and potential shortcomings of internal versus external auditors and establish suitable audit teams with the necessary knowledge and competence.

Performing the audit

When performing the audit, the audit team leader should prepare an audit plan considering results of previous audits and the need to follow up on previously reported nonconformities and unacceptable risks. The audit plan should be retained as documented information and should include criteria, scope and methods of the audit.

The audit team should review:

— adequacy and effectiveness of processes and determined controls;

— fulfilment of information security objectives;

— compliance with requirements defined in ISO/IEC 27001:2013, Clauses 4 to 10;

— compliance with the organization's own information security requirements;

— consistency of the Statement of Applicability against the outcome of the information security risk treatment process;

— consistency of the actual information security risk treatment plan with the identified assessed risks and the risk acceptance criteria;

— relevance (considering the organization's size and complexity) of management review inputs and outputs; and

— impacts of management review outputs (including improvement needs) on the organization.

The extent and reliability of available monitoring over the effectiveness of controls as produced by the ISMS (see 9.1) may allow the auditors to reduce their own evaluation efforts, provided they have confirmed the effectiveness of the measurement methods.

If the outcome of the audit includes nonconformities, the auditee should prepare an action plan for each nonconformity to be agreed with the audit team leader. A follow-up action plan typically includes:

i) description of the detected nonconformity;

j) description of the cause(s) of the nonconformity;

k) description of the short-term correction and the longer-term corrective action to eliminate the detected nonconformity within a defined time frame; and

l) the persons responsible for implementing the plan.

Audit reports, with audit results, should be distributed to top management.

Results of previous audits should be reviewed and the audit programme adjusted to better manage areas experiencing higher risks due to nonconformity.

Other information

Further information can be found in ISO 19011, which provides general guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits. It also provides guidance on the evaluation of competence of persons or groups of people involved in the audit, including the person managing the audit programme, auditors and audit teams.




Also, in addition to the guidance contained in ISO 19011, further information can be found in:

a) ISO/IEC 27007 1), which provides specific guidance on managing an ISMS audit programme, on conducting the audits, and on the competence of ISMS auditors; and

b) ISO/IEC 27008 1), which provides guidance on assessing information security controls.

9.3 Management review

Required activity

Top management reviews the ISMS at planned intervals.

Explanation

The purpose of management review is to ensure the continuing suitability, adequacy and effectiveness of the ISMS. Suitability refers to continuing alignment with the organization's objectives. Adequacy and effectiveness refer to a suitable design and organizational embedding of the ISMS, as well as the effective implementation of processes and controls that are driven by the ISMS.

Overall, management review is a process carried out at various levels in the organization. These activities can vary from daily, weekly or monthly organizational unit meetings to simple discussions of reports. Top management is ultimately responsible for management review, with inputs from all levels in the organization.

Guidance

Top management should require and regularly review reporting of the performance of the ISMS. There are many ways in which management can review the ISMS, such as receiving and reviewing measurements and reports, electronic communication, or verbal updates. Key inputs are the results of the information security measurements as described in 9.1, the results of the internal audits described in 9.2, risk assessment results and the status of the risk treatment plan. When reviewing the results of information security risk assessment and the status of the information security risk treatment plan, management should confirm that residual risks meet the risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options.

All aspects of the ISMS should be reviewed by management at planned intervals, at least yearly, by setting up suitable schedules and agenda items in management meetings. New or less mature ISMSs should be reviewed more frequently by management to drive increased effectiveness.

The agenda of the management review should address the following topics:

a) status of actions from previous management reviews;

b) changes in external and internal issues (see 4.1) that are relevant to the ISMS;

c) feedback on the information security performance, including trends, in:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) audit results; and

4) fulfilment of information security objectives;

d) feedback from interested parties, including suggestions for improvement, requests for change and complaints;

1) Second edition under preparation.




e) results of information security risk assessment(s) and status of the information security risk treatment plan; and

f) opportunities for continual improvement, including efficiency improvements of both the ISMS and information security controls.

Inputs to the management review should be at the appropriate level of detail, according to the objectives established for the management involved in the review. For example, top management should evaluate only a summary of all items, according to the information security objectives or high-level objectives.

The outputs from the management review process should include decisions related to continual improvement opportunities and any needs for changes to the ISMS. They can also include evidence of decisions regarding:

g) changes of the information security policy and objectives, e.g. driven by changes in external and internal issues and requirements of interested parties;

h) changes of the risk acceptance criteria and the criteria for performing information security risk assessments (see 6.1.2);

i) actions, if needed, following assessment of information security performance;

j) changes of resources or budget for the ISMS;

k) updated information security risk treatment plan or Statement of Applicability; and

l) necessary improvements of monitoring and measurement activities.

Documented information from management reviews is required. It should be retained to demonstrate that consideration has been given to (at least) all the areas listed in ISO/IEC 27001, even where it is decided that no action is necessary.

When several management reviews are done at different levels of the organization, they should be linked to each other in an appropriate manner.

Other information

No other information.

10 Improvement

10.1 Nonconformity and corrective action

Required activity

The organization reacts to nonconformities, evaluates them and takes corrections as well as corrective actions if needed.

Explanation

A nonconformity is a non-fulfilment of a requirement of the ISMS. Requirements are needs or expectations that are stated, implied or obligatory. There are several types of nonconformities, such as:

a) failure to fulfil a requirement (completely or partially) of ISO/IEC 27001 in the ISMS;

b) failure to correctly implement or conform to a requirement, rule or control stated by the ISMS; and

c) partial or total failure to comply with legal, contractual or agreed customer requirements.

Nonconformities can be, for example:

d) persons not behaving as expected by procedures and policies;




e) suppliers not providing agreed products or services;

f) projects not delivering expected outcomes; and

g) controls not operating according to design.

Nonconformities can be recognized by:

h) deficiencies of activities performed in the scope of the management system;

i) ineffective controls that are not remediated appropriately;

j) analysis of information security incidents, showing the non-fulfilment of a requirement of the ISMS;

k) complaints from customers;

l) alerts from users or suppliers;

m) monitoring and measurement results not meeting acceptance criteria; and

n) objectives not achieved.

Corrections aim to address the nonconformity immediately and deal with its consequences (ISO/IEC 27001:2013, 10.1 a)).

Corrective actions aim to eliminate the cause of a nonconformity and to prevent recurrence (ISO/IEC 27001:2013, 10.1 b) to g)).

Note that "as applicable" (ISO/IEC 27001:2013, 10.1 a)) means that if an action to control and correct a nonconformity can be taken, then it needs to be taken.

Guidance

Information security incidents do not necessarily imply that a nonconformity exists, but they can be an indicator of a nonconformity. Internal and external audits and customer complaints are other important sources that help in identifying nonconformities.

The reaction to the nonconformity should be based on a defined handling process. The process should include:

— identifying the extent and impact of the nonconformity;

— deciding on the corrections in order to limit the impact of the nonconformity. Corrections can include switching to previous, fail-safe or other appropriate states. Care should be taken that corrections do not make the situation worse;

— communicating with relevant personnel to ensure that corrections are carried out;

— carrying out corrections as decided;

— monitoring the situation to ensure that corrections have had the intended effect and have not produced unintended side-effects;

— acting further to correct the nonconformity if it is still not remediated; and

— communicating with other relevant interested parties, as appropriate.

As an overall result, the handling process should lead to a managed status regarding the nonconformity and the associated consequences. However, corrections alone will not necessarily prevent recurrence of the nonconformity.




Corrective actions can occur after, or in parallel with, corrections. The following process steps should be taken:

1. decide if there is a need to carry out a corrective action, in accordance with established criteria (e.g. impact of the nonconformity, repetitiveness);

2. review the nonconformity, considering:

— if similar nonconformities have been recorded;

— all the consequences and side-effects caused by the nonconformity; and

— the corrections taken.

3. perform an in-depth cause analysis of the nonconformity, considering:

— what went wrong, the specific trigger or situation which led to the nonconformity (e.g. mistakes determined by persons, methods, processes or procedures, hardware or software tools, wrong measurements, environment); and

— patterns and criteria that may help to identify similar situations in the future.

4. perform an analysis of potential consequences on the ISMS, considering:

— whether similar nonconformities exist in other areas, e.g. by using the patterns and criteria found during the cause analysis; and

— whether other areas match the identified patterns or criteria, so that it is only a matter of time before a similar nonconformity occurs.

5. determine actions needed to correct the cause, evaluating if they are proportionate to the consequences and impact of the nonconformity, and checking that they do not have side-effects which may lead to other nonconformities or significant new information security risks;

6. plan the corrective actions, giving priority, if possible, to areas where there is a higher likelihood of recurrence and more significant consequences of the nonconformity. Planning should include a responsible person for each corrective action and a deadline for implementation;

7. implement the corrective actions according to the plan; and

8. assess the corrective actions to determine whether they have actually handled the cause of the nonconformity, and whether they have prevented related nonconformities from occurring. This assessment should be impartial, evidence-based and documented. It should also be communicated to the appropriate roles and interested parties.

As a result of corrections and corrective actions, it is possible that new opportunities for improvement are identified. These should be treated accordingly (see 10.2).

Sufficient documented information is required to be retained to demonstrate that the organization has acted appropriately to address the nonconformity and has dealt with the related consequences. All significant steps of nonconformity management (starting from discovery and corrections) and, if started, corrective action management (cause analysis, review, decision about the implementation of actions, review and change decisions made for the ISMS itself) should be documented. The documented information is also required to include evidence as to whether or not the actions taken have achieved the intended effects.

Some organizations maintain registers for tracking nonconformities and corrective actions. There can be more than one register (for example, one for each functional area or process) and on different media (paper, file, application, etc.). If this is the case, then they should be established and controlled as documented information and they should allow a comprehensive review of all nonconformities and corrective actions, so that the need for actions can be evaluated correctly.

O ther information




ISO/IEC 27001 does not explicitly state any requirements for "preventive action". This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently, the common text used in ISO management system standards requires an assessment of the organization's "external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)" in 4.1, and to "determine the risks and opportunities that need to be addressed to: assure the ISMS can achieve its intended outcome(s); prevent, or reduce, undesired effects; and achieve continual improvement" in 6.1. These two sets of requirements are considered to cover the concept of "preventive action", and also to take a wider view that looks at risks and opportunities.

10.2 Continual improvement

Required activity

The organization continually improves the suitability, adequacy and effectiveness of the ISMS.

Explanation

Organizations and their contexts are never static. In addition, the risks to information systems, and the ways in which they can be compromised, are evolving rapidly. Finally, no ISMS is perfect; there is always a way in which it can be improved, even if the organization and its context are not changing.

As an example of improvements not linked with nonconformities or risks, the assessment of an element of the ISMS (in terms of suitability, adequacy and effectiveness) can show that it exceeds ISMS requirements or lacks efficiency. If it does, then there can be an opportunity to improve the ISMS by changing the assessed element.

A systematic approach using continual improvement will lead to a more effective ISMS, which will improve the organization's information security. Information security management leads the organization's operational activities in order to avoid being too reactive, i.e. a state in which most of the resources are used for finding problems and addressing them. The ISMS works systematically through continual improvement so that the organization can take a more proactive approach. Top management can set objectives for continual improvement, e.g. through measurements of effectiveness, cost, or process maturity.

As a consequence, the organization treats its ISMS as an evolving, learning, living part of business operations. In order for the ISMS to keep up with changes, it is regularly evaluated with regard to its fitness for purpose, effectiveness, and alignment to the organization's objectives. Nothing is to be taken for granted, and nothing is to be considered as 'off limits' simply because it was good enough at the time it was implemented.

Guidance

Continual improvement of the ISMS should entail that the ISMS itself and all of its elements are assessed considering internal and external issues (4.1), requirements of the interested parties (4.2) and results of performance evaluation (Clause 9). The assessment should include an analysis of:

a) suitability of the ISMS, considering if the external and internal issues, requirements of the interested parties, established information security objectives and identified information security risks are properly addressed through planning and implementation of the ISMS and information security controls;

b) adequacy of the ISMS, considering if the ISMS processes and information security controls are compatible with the organization's overall purposes, activities and processes; and

c) effectiveness of the ISMS, considering if the intended outcome(s) of the ISMS are achieved, the requirements of the interested parties are met, information security risks are managed to meet information security objectives and nonconformities are managed, while the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS are commensurate with those results.




The assessment can also include an analysis of the efficiency of the ISMS and its elements, considering if their use of resources is appropriate, if there is a risk that the lack of efficiency can lead to loss of effectiveness, or if there are opportunities for increasing efficiency.

Improvement opportunities can also be identified when managing nonconformities and corrective actions.

Once opportunities for improvement are identified, the organization should, according to 6.1.1:

d) evaluate them to establish whether they are worth pursuing;

e) determine the changes to the ISMS and its elements in order to achieve the improvement;

f) plan and implement the actions to address the opportunities, ensuring that benefits are realised and nonconformities do not occur; and

g) evaluate the effectiveness of the actions.

These actions should be considered as a subset of the actions to address risks and opportunities described in 6.1.1.

Other information

No other information.




Annex A
(informative)

Policy framework

Annex A provides guidance on the structure of documentation that includes the information security policy.

In general, a policy is a statement of intentions and direction of an organization as formally expressed by its top management (see ISO/IEC 27000:2016, 2.84).

The content of a policy guides actions and decisions concerning the topic of the policy.

An organization can have a number of policies, one for each of the activity areas that is important to the organization. Some policies are independent of each other, while other policies have a hierarchical relationship.

Typically, an organization has a general policy, e.g. a code of conduct, at the highest level of the policy hierarchy. The general policy is supported by other policies addressing different topics and can be applicable to specific areas or functions of the organization. The information security policy is one of these specific policies.

The information security policy is supported by a range of topic-specific policies related to aspects of information security. A number of these are discussed in ISO/IEC 27002; for example, the information security policy can be supported by policies concerning access control, information classification (and handling), physical and environmental security, and end user oriented topics, amongst others. Additional layers of policies may be added. This arrangement is shown in Figure A.1. Note that some organizations use other terms for topic-specific policy documents, such as "standards", "directives" or "rules".

Figure A.1 — Policy hierarchy

ISO/IEC 27001 requires organizations to have an information security policy. It does not, however, specify any particular relationship between this policy and other policies of the organization.




The content of policies is based on the context in which an organization operates. Specifically, the following should be considered when developing any policy within the policy framework:

1. the aims and objectives of the organization;

2. strategies adopted to achieve the organization's objectives;

3. the structure and processes adopted by the organization;

4. aims and objectives associated with the topic of the policy;

5. the requirements of related higher level policies; and

6. the target group to be directed by the policy.

This is shown in Figure A.2.

Figure A.2 — Inputs to the development of a policy

Policies can have the following structure:

a) Administrative – policy title, version, publication/validity dates, change history, owner(s) and approver(s), classification, intended audience, etc.;

b) Policy summary – a one or two sentence overview. (This can sometimes be merged with the introduction.);

c) Introduction – a brief explanation of the topic of the policy;

d) Scope – describes those parts or activities of an organization that are affected by the policy. If relevant, the scope clause lists other policies that are supported by the policy;

e) Objectives – describes the intent of the policy;

f) Principles – describes the rules concerning actions and decisions for achieving the objectives. In some cases, it can be useful to identify the key processes associated with the topic of the policy and then the rules for operating the processes;

g) Responsibilities – describes who is responsible for actions to meet the requirements of the policy. In some cases, this can include a description of organizational arrangements as well as the responsibilities and authority of persons with designated roles;




h) Key outcomes – describes the business outcomes if the objectives are met. In some cases, this can be merged with the objectives;

i) Related policies – describes other policies relevant to the achievement of the objectives, usually by providing additional detail concerning specific topics; and

j) Policy requirements – describes the detailed requirements of the policy.

Policy content can be organized in a variety of ways. For example, organizations that place emphasis on roles and responsibilities may simplify the description of objectives, and apply the principles specifically to the description of responsibilities.




Bibliography

[1] ISO 19011, Guidelines for auditing management systems

[2] ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls

[3] ISO/IEC 27003:2010, Information technology — Security techniques — Information security management system implementation guidance

[4] ISO/IEC 27004:2016, Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation

[5] ISO/IEC 27005, Information technology — Security techniques — Information security risk management

[6] ISO/IEC 27007 2), Information technology — Security techniques — Guidelines for information security management systems auditing

[7] ISO/IEC/TS 27008 2), Information technology — Security techniques — Guidelines for the assessment of information security controls

[8] ISO 30301, Information and documentation — Management systems for records — Requirements

[9] ISO 31000, Risk management — Principles and guidelines

2) Under preparation.




ICS 03.100.70; 35.030

Price based on 45 pages
