Iso 27000 2018 Standards For Information Security

lOMoARcPSD|35756705
ISO 27000 2018 - Standards for Information Security
Cyber Security (Indira Gandhi National Open University)
Escanea para abrir en Studocu
Studocu no está patrocinado ni avalado por ningún colegio o universidad.

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)
lOMoARcPSD|35756705
I N TERNATIONAL ISO/IEC
S TANDARD 2 7000
Fifth editio n
2 0 1 8- 0 2
Information technology — Security

techniques — Information security
management systems — Overview and
vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes

de management de la sécurité de l'information — Vue d'ensemble et
vocabulaire
Reference numb er
I SO /I EC 2 7 0 0 0 : 2 0 1 8 (E )
© I SO /I E C 2 0 1 8

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
COPYRIGHT PROTECTED DOCUMENT
© I SO /I EC 2 0 1 8
All rights reserved. Unless otherwise specified, or required in the context o f its implementation, no part o f this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country o f the requester.
ISO copyright o ffice
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www. iso .o rg
Published in Switzerland
ii © I SO /I E C 2 0 1 8 – All rights res erved

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Contents Page
Foreword .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. iv
Introduction . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . v
1 Scope . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 1
2 Normative references . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 1
3 Terms and definitions . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 1

4 Information security management systems . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 1 1
4.1 General . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 11
4.2 What is an ISMS? . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 11
4.2.1 Overview and principles . . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 11
4.2.2 Information . . . . . . .. . . . . . . . . .. . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 12
4.2.3 Information security . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . . . . . . 12
4.2.4 Management . . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 12
4.2.5 Management system . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . . . . . . 13

4.3 Process approach . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 13
4.4 Why an ISMS is important . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . 13
4.5 Establishing, monitoring, maintaining and improving an ISMS . . . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 14
4.5.1 Overview . . .. . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 14
4.5.2 Identi fying information security requirements . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . 14
4.5.3 Assessing information security risks . . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 15
4.5.4 Treating information security risks . . . . . . .. . . . . . . . . .. . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . .. 15
4.5.5 Selecting and implementing controls . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 15
4.5.6 Monitor, maintain and improve the e ffectiveness o f the ISMS . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 16
4.5.7 Continual improvement . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 16
4.6 ISMS critical success factors .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . 17
4.7 Benefits o f the ISMS family o f standards . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 17
5 ISMS family of standards . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 1 8

5.1 General information . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . 18
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) .. . . . . . . . 19
5.3 Standards speci fying requirements . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 19
5.3.1 ISO/IEC 27001 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 19
5.3.2 ISO/IEC 27006 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 20
5.3.3 ISO/IEC 27009 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 20
5.4 Standards describing general guidelines . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 20
5.4.1 ISO/IEC 27002 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 20
5.4.2 ISO/IEC 27003 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 20
5.4.3 ISO/IEC 27004 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 21
5.4.4 ISO/IEC 27005 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 21
5.4.5 ISO/IEC 27007 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 21
5.4.6 ISO/IEC TR 27008 . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . 21
5.4.7 ISO/IEC 27013 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 22
5.4.8 ISO/IEC 27014 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 22
5.4.9 ISO/IEC TR 27016 . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . 22
5.4.10 ISO/IEC 27021 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 22
5.5 Standards describing sector-specific guidelines . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 23

5.5.1 ISO/IEC 27010 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 23
5.5.2 ISO/IEC 27011 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 23
5.5.3 ISO/IEC 27017 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 23
5.5.4 ISO/IEC 27018 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 24
5.5.5 ISO/IEC 27019 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 24
5.5.6 ISO 27799 .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 25
Bibliography . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . 2 6
© I SO /I E C 2 0 1 8 – All rights res erved iii

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation o f national standards
bodies (ISO member bodies). The work o f preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters o f
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the di fferent approval criteria needed for the
di fferent types o f ISO documents should be noted. This document was dra fted in accordance with the
editorial rules o f the ISO/IEC Directives, Part 2 (see www. iso . org/direc tives) .
Attention is drawn to the possibility that some o f the elements o f this document may be the subject o f
patent rights. ISO shall not be held responsible for identi fying any or all such patent rights. Details o f
any patent rights identified during the development o f the document will be in the Introduction and/or
on the ISO list o f patent declarations received (see www. iso . org/patents) .
Any trade name used in this document is in formation given for the convenience o f users and does not
constitute an endorsement.
For an explanation on the voluntary nature o f standards, the meaning o f ISO specific terms and
expressions related to con formity assessment, as well as in formation about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www. iso . org/ iso/foreword . htm l .
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fi fth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned on the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
iv © I SO /I E C 2 0 1 8 – All rights res erved

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Introduction
0.1 O verview
I nternationa l Sta ndard s for management s ys tem s provide a mo del to fol low in s e tti ng up a nd
op erati ng a management s ys tem . T h i s mo del i ncor p orate s the fe atu re s on wh ich exp er ts i n the field
have re ache d a con s en s u s as b ei ng the i nternationa l s tate o f the a r t. I S O/I E C J TC 1/S C 2 7 mai ntai n s an
exp er t com m itte e de d ic ate d to the development o f i nternationa l management s ys tem s s tandard s for
i n formation s e c u rity, o ther wi s e known a s the I n formation S e c u rity M anagement s ys tem (I S M S ) fam i ly
o f s tandard s .
T h rough the u s e o f the I S M S fam i ly o f s ta ndard s , organ i z ation s c a n develop and i mplement a fra mework
for managi ng the s e c u rity o f thei r i n formation as s e ts , i nclud i ng fi na nc ia l i n formation, i ntel le c tua l
prop er ty, and employe e de ta i l s , or i n formation entru s te d to them b y c u s tomers or th i rd p ar tie s . T he s e
s tandard s c an a l s o b e u s e d to prep are for an i ndep endent a s s e s s ment o f thei r I S M S appl ie d to the
pro te c tion o f i n formation .
0. 2 Purpose of this document
T he I S M S fam i ly o f s tandard s i nclude s s ta nda rd s that:
a) defi ne re qu i rements for an I S M S a nd for tho s e cer ti fyi ng s uch s ys tem s;
b) provide d i re c t s upp or t, de tai le d gu idance a nd/or i nter pre tation for the overa l l pro ce s s to e s tabl i s h,
i mplement, ma i ntai n, and i mprove an I S M S;
c) add re s s s e c tor- s p e c i fic gu idel i ne s for I S M S; and
d) add re s s con form ity a s s e s s ment for ISMS .
0. 3 Content of this document
I n th i s do c u ment, the fol lowi ng verb a l form s are u s e d:
— “s ha l l” i nd ic ate s a re qu i rement;
— “s hou ld” i nd ic ate s a re com mendation;
— “may” i nd ic ate s a p erm i s s ion;
— “c an” i nd ic ate s a p o s s ibi l ity or a c ap abi l ity.
I n formation marke d as " NO T E " is for gu ida nce in unders ta nd i ng or clari fyi ng the as s o c iate d
re qu i rement. “No te s to entr y” u s e d i n C lau s e 3 provide add itiona l i n formation that s upp lements the
term i nolo gic a l data and c an contai n provi s ion s relati ng to the u s e o f a term .
© I SO /I E C 2 0 1 8 – All rights res erved v

lOMoARcPSD|35756705

lOMoARcPSD|35756705
INTERNATIONAL STANDARD ISO/IEC 2 7000: 2 01 8(E)
Information technology — Security techniques —

Information security management systems — Overview
and vocabulary
1 Scope
This document provides the overview o f in formation security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family o f standards. This document is
applicable to all types and sizes o f organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
The terms and definitions provided in this document

— cover commonly used terms and definitions in the ISMS family o f standards;
— do not cover all terms and definitions applied within the ISMS family o f standards; and
— do not limit the ISMS family o f standards in defining new terms for use.
2 Normative references
There are no normative re ferences in this document.
3 Terms and definitions

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http s://www. iso . org/obp
— IEC Electropedia: available at https://www.electropedia . org/
3 .1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (3.56 )
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use o f an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itsel f, or by an external party on its behal f.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
© I SO /I E C 2 0 1 8 – All rights res erved 1

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 .4
audit scope
extent and boundaries o f an audit (3.3 )
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision o f assurance that a claimed characteristic o f an entity is correct
3 .6
authenticity
property that an entity is what it claims to be
3 .7
availability
property o f being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms o f an attribute and the method for quanti fying it
Note 1 to entry: A base measure is functionally independent o f other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3 .9
competence
ability to apply knowledge and skills to achieve intended results
3 .10
confidentiality
property that in formation is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3 .11
conformity
fulfilment o f a requirement (3.56 )
3 .1 2
consequence
outcome o f an event (3.21) a ffecting objectives (3.49 )
Note 1 to entry: An event can lead to a range o f consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context o f in formation security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on e ffects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed a fter “and”.]
3 .13
continual improvement
recurring activity to enhance performance (3.52 )
2 © I SO /I E C 2 0 1 8 – All rights res erved

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 .14
control
measure that is modi fying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modi fy
risk (3.61 ) .
Note 2 to entry: It is possible that controls not always exert the intended or assumed modi fying e ffect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3 .15
control obj ective
statement describing what is to be achieved as a result o f implementing controls (3.14)
3 .16
correction
action to eliminate a detected nonconformity (3.47 )
3 .17
corrective action
action to eliminate the cause o f a nonconformity (3.47) and to prevent recurrence
3 .18
derived measure
measure (3.42) that is defined as a function o f two or more values o f base measures (3.8 )
3 .19
documented information
in formation required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented in formation can be in any format and media and from any source.
Note 2 to entry: Documented in formation can re fer to
— the management system ( 3.41), including related processes (3.54);
— in formation created in order for the organization (3.50) to operate (documentation);
— evidence o f results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3 . 21
event
occurrence or change o f a particular set o f circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist o f something not happening.
Note 3 to entry: An event can sometimes be re ferred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3.22
external context
externa l envi ronment i n wh ich the orga ni z ation s e eks to ach ieve its objectives (3 .49 )
N o te 1 to entr y: E x ter n a l conte x t c a n i nclude the fol lowi n g:
— the c u ltu ra l , s o c ia l , p ol itic a l , le ga l , re g u l ato r y, fi n a nc ia l , te ch nolo gic a l , e cono m ic, n atu ra l a nd co mp e titive
envi ron ment, whe ther i nter n atio n a l , n ation a l , re gio n a l o r lo c a l;
— ke y d ri vers a nd trend s h avi ng i mp ac t on the objectives of the organization ( 3 . 5 0) ;
— rel ation s h ip s with , a nd p ercep tio n s a nd va lue s o f, e x ter n a l stakeholders (3 . 3 7 ) .
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 3 .1 .1]
3.23
governance of information security
s ys tem by wh ich an organization’s (3 . 5 0 ) information security (3 . 2 8 ) ac tivitie s are d i re c te d and
control led
3.24
governing body
p ers on or group o f p e ople who are accou ntable for the performance ( 3 . 5 2 ) and con form ity o f the
organization (3 . 5 0 )
N o te 1 to entr y: T he gover n i ng b o dy c a n , i n s o me j u r i s d ic tion s , b e a b o a rd o f d i re c tors .
3 .25
indicator
measure (3 .42 ) that provide s a n e s ti mate or eva luation
3.26
information need
i n s ight ne ce s s ar y to ma nage objectives (3 .49) , go a l s , ri s ks and problem s
[S O U RC E : I S O/I E C/I E E E 1 59 3 9 : 2 017, 3 .1 2 ]
3 . 27
information processing facilities
any i n formation pro ce s s i ng s ys tem, s er vice or i n fra s truc tu re, or the phys ic a l lo c ation hou s i ng it
3.28
information security
pre s er vation o f confidentiality (3 .10) , integrity (3 . 3 6) and availability (3 .7 ) o f i n formation
N o te 1 to entr y: I n add ition , o ther prop er tie s , s uch a s authenticity ( 3 . 6 ) , accou ntab i l ity, non-repudiation ( 3 . 4 8) ,
a nd reliability (3 . 5 5 ) c a n a l s o b e i nvol ve d .
3.29
information security continuity
processes (3 . 5 4) a nd pro ce du re s for en s u ri ng conti nue d information security (3 . 2 8) op eration s
3.30
information security event
identi fie d o cc u rrence o f a s ys tem, s er vice or ne twork s tate i nd ic ati ng a p o s s ible bre ach o f information
s e c u rity (3 . 2 8 ) policy (3 . 5 3 ) or fa i lu re of controls (3 .14) , or a previou s ly u n known s ituation th at c an b e
s e c u rity releva nt
3 . 31
information security incident
s i ngle or a s erie s o f u nwa nte d or u ne xp e c te d information security events (3 . 3 0) th at h ave a s ign i fic a nt
prob abi l ity o f comprom i s i ng bu s i ne s s op eration s and th re aten i ng information security (3 . 2 8 )

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 . 32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31 )
3.33
information security management s ystem (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more in formation
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share in formation
Note 1 to entry: An organization can be an individual.
3 . 35
information system
set o f applications, services, in formation technology assets, or other in formation-handling components
3.36
integrity
property o f accuracy and completeness
3 . 37
interested party (preferred term)
stakeholder (admitted term)
p erson or organization (3.50) that can a ffect, be a ffected by, or perceive itsel f to be a ffected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies ( 3.53), objectives ( 3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms o f resources and knowledge (e.g. capital, time, people, processes (3.54),
systems and technologies);
— information systems (3.35), in formation flows and decision-making processes (both formal and in formal);
— relationships with, and perceptions and values o f, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— f orm and extent o f contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude o f a risk ( 3.61) expressed in terms o f the combination o f consequences (3.12) and their
likelihood (3.40 )
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination o f risks” has been deleted in the
definition.]

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 .40
likelihood
chance o f something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3 .41
management system
set o f interrelated or interacting elements o f an organization (3.50) to establish policies ( 3.53) and
objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope o f a management system may include the whole o f the organization, specific and
identified functions o f the organization, specific and identified sections o f the organization, or one or more
functions across a group o f organizations.
3 .42
measure
variable to which a value is assigned as the result o f measurement (3.43 )
3 .43
measurement
process (3.54) to determine a value
3 .44
measurement function
algorithm or calculation per formed to combine two or more base measures (3.8 )
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3 .45
measurement method
logical sequence o f operations, described generically, used in quanti fying an attribute with respect to a
specified scale
Note 1 to entry: The type o f measurement method depends on the nature o f the operations used to quanti fy an
attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and

— objective: quantification based on numerical rules.
3 .46
monitoring
determining the status o f a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3 .47
nonconformity
non- fulfilment o f a requirement (3.56 )
3 .48
non-repudiation
ability to prove the occurrence o f a claimed event (3.21) or action and its originating entities

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 .49
obj ective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to di fferent disciplines (such as financial, health and sa fety, and
environmental goals) and can apply at di fferent levels [such as strategic, organization-wide, project, product and
process ( 3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an in formation security objective or by the use o f other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: In the context o f in formation security management systems, in formation security objectives are
set by the organization, consistent with the in formation security policy, to achieve specific results.
3 . 50
organization
person or group o f people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.49 )
Note 1 to entry: The concept o f organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereo f, whether incorporated
or not, public or private.
3 . 51
outsource
make an arrangement where an external organization (3.50) per forms part o f an organization’s function
orprocess (3.54)
Note 1 to entry: An external organization is outside the scope o f the management system ( 3.41), although the
outs ource d func tion or pro ces s i s with i n the s cop e.
3 . 52
performance
measurable result
Note 1 to entry: Per formance can relate either to quantitative or qualitative findings.
Note 2 to entry: Per formance can relate to the management o f activities, processes (3.54), products (including
services), systems or organizations (3.50 ) .
3 . 53
policy
intentions and direction o f an organization (3.50), as formally expressed by its top management (3.75 )
3.54
process
set o f interrelated or interacting activities which trans forms inputs into outputs
3 . 55
reliability
property o f consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented in formation.

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 . 57
residual risk
risk (3.61) remaining a fter risk treatment (3.72 )
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be re ferred to as “retained risk”.
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) o f the subject matter
to achieve established objectives (3.49 )
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
3 . 59
review obj ect
specific item being reviewed
3 .60
review obj ective
statement describing what is to be achieved as a result o f a review (3.59 )
3 .61
risk
e ffect o f uncertainty on objectives (3.49 )
Note 1 to entry: An e ffect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, o f deficiency o f in formation related to, understanding or
knowledge o f, an event, its consequence, or likelihood.
Note 3 to entry: Risk is o ften characterized by re ference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination o f these.
Note 4 to entry: Risk is o ften expressed in terms o f a combination o f the consequences o f an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) o f occurrence.
Note 5 to entry: In the context o f in formation security management systems, in formation security risks can be
expressed as e ffect o f uncertainty on in formation security objectives.
Note 6 to entry: In formation security risk is associated with the potential that threats will exploit vulnerabilities
o f an in formation asset or group o f in formation assets and thereby cause harm to an organization.
3 .62
risk acceptance
in formed decision to take a particular risk (3.61)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.72 ) or duri ng the process ( 3.54) o f risk
treatment.
Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58 ) .
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3 .63
risk analysis
process (3.54) to comprehend the nature o f risk (3.61) and to determine the level of risk (3.39 )
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72 ) .
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 .6 4
risk assessment
overa l l process (3 . 5 4) of risk identification ( 3 . 6 8) , risk analysis (3 . 63 ) and risk evaluation ( 3 . 67 )
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 .4.1]
3 .65
risk communication and consultation
s e t o f conti nua l a nd iterati ve processes (3 . 5 4) that an orga ni z ation conduc ts to provide, sh are or ob tai n
i n formation, and to engage i n d i a lo gue with stakeholders (3 . 3 7 ) regard i ng the ma nagement o f risk (3 . 61)
N o te 1 to entr y: T he i n fo rm ation can rel ate to the e xi s tence , n atu re , for m , likelihood ( 3 . 41) , s ign i fic a nce ,
e va lu atio n , accep tab i l ity a nd tre atment o f r i s k.
No te 2 to entr y: C on s u ltation i s a two -way pro ces s o f i n forme d com mu n ication b etwe en an organization (3 . 5 0) and
its s takeholders on an is s ue prior to making a de ci s ion or de term in ing a di re c tion on that i s s ue . C on s u ltation is
— a process wh ich i mp ac ts o n a de c i s io n th rou gh i n fluence rather th a n p ower; a nd
— a n i nput to de c i s ion m a ki n g , no t j oi nt de c i s io n m a ki ng.
3 .66
risk criteria
term s o f re ference aga i n s t wh ich the s ign i fic ance o f risk (3 . 61) i s eva luate d
N o te 1 to entr y: Ri s k c riter i a a re b a s e d o n orga n i z ation a l ob j e c tive s , a nd external context ( 3 . 2 2 ) a nd internal

context (3 . 3 8 ) .
N o te 2 to entr y: Ri s k c r iter ia c a n b e der ive d fro m s ta nda rd s , l aws , policies (3 . 5 3 ) a nd o ther requirements (3 . 5 6 ) .
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 3 .1 . 3 ]
3 .67
risk evaluation
process ( 3 . 5 4) o f comp a ri ng the re s u lts o f risk analysis ( 3 . 6 3 ) with risk criteria ( 3 . 6 6 ) to determine
whether the risk (3 . 61) and/or its magn itude i s accep table or tolerable
N o te 1 to entr y: Ri s k e va lu ation a s s i s ts i n the de c i s io n ab out risk treatment ( 3 .7 2 ) .
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 .7.1]
3 .68
r i s k i d e n t i fi c a t i o n
process (3 . 5 4) o f fi nd i ng , re co gn i z i ng a nd de s c ribi ng risks (3 . 61)
N o te 1 to entr y: Ri s k identi fic ation i nvol ve s the identi fic ation o f r i s k s o u rce s , events (3 . 2 1) , thei r c au s e s a nd thei r
p o tenti a l consequences (3 .1 2 ) .
N o te 2 to entr y: Ri s k identi fic ation c a n i nvol ve h i s to r ic a l d ata, the ore tic a l a n a l ys i s , i n for me d a nd e xp er t o pi n io n s ,
a nd stakeholders’ ( 3 . 3 7 ) ne ed s .
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 5 .1]
3 .69
risk management
co ord i nate d ac tivitie s to d i re c t and control an organization ( 3 . 5 0) with re ga rd to risk (3 . 61)
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 2 .1]

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
3 .70
risk management process
s ys tematic appl ic ation o f ma nagement policies ( 3 . 5 3 ) , pro ce du re s and prac tice s to the ac tivitie s o f
com mun icati ng , con s u lti ng , e s tabl i sh i ng the conte xt and identi fyi ng , a na lys i ng , eva luati ng , tre ati ng ,
monitori ng and reviewi ng risk (3 . 61)
N o te 1 to entr y: I S O/I E C 2 70 0 5 u s e s the ter m “ process ” (3 . 5 4) to de s c r ib e ri s k m a n agement o vera l l . T he elements
with i n the risk management (3 . 69) pro ce s s a re re fer re d to a s “ac tivitie s ”.
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 .1 , mo d i fie d — No te 1 to entr y h as b e en adde d .]
3 .71
risk owner
p ers on or entity with the accou ntabi l ity and authority to manage a risk (3 . 61)
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 5 .1 . 5 ]
3 .72
risk treatment
process (3 . 5 4) to mo d i fy risk (3 . 61 )
N o te 1 to entr y: Ri s k tre atment c a n i nvo l ve:
— avo id i n g the r i s k b y de c id i ng no t to s ta r t o r conti nue with the ac tivity th at give s r i s e to the r i s k;
— ta ki ng o r i nc re a s i n g ri s k i n order to pu rs ue a n op p or tu n ity;
— remo vi ng the r i s k s o u rce;
— ch a n gi n g the likelihood (3 . 4 0) ;
— ch a n gi n g the consequences (3 .1 2 ) ;
— s h a r i ng the r i s k with a no ther p a r ty or p a r tie s (i nclud i ng contrac ts a nd r i s k fi n a nc i ng) ;
— re ta i n i n g the r i s k b y i n for me d cho ice .
N o te 2 to entr y: Ri s k tre atments th at de a l with ne gative con s e quence s a re s o me ti me s re fer re d to as “r i s k
m itigation”, “r i s k el i m i n atio n”, “r i s k pre ventio n” a nd “ri s k re duc tion”.
N o te 3 to entr y: Ri s k tre atment c a n c re ate new r i s ks or mo d i fy e xi s ti ng r i s ks .
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9 , 3 . 8 . 1 , mo d i fie d — “ de c i s io n” h a s b e e n re p l ac e d b y “c ho i c e ” i n N o te 1
to e ntr y.]
3 .73
security implementation standard
do c u ment s p e ci fyi ng authori ze d ways for re a l i z i ng s e c u rity
3 .74
threat
p o tentia l c au s e o f an u nwante d i nc ident, wh ich c a n re s u lt i n harm to a s ys tem or organization (3 . 5 0 )
3 .75
top management
p ers on or group o f p e ople who d i re c ts and control s a n organization ( 3 . 5 0) at the h ighe s t level
N o te 1 to entr y: Top m a n agement h a s the p ower to dele gate author ity a nd p rovide re s o u rce s with i n the
orga n i z atio n .
N o te 2 to entr y: I f the s cop e o f the management system ( 3 . 41) co vers o n l y p a r t o f a n orga n i z ation , then top
ma n agement re fers to tho s e who d i re c t a nd co ntro l th at p a r t o f the orga n i z ation .

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Note 3 to entry: Top management is sometimes called executive management and can include Chie f Executive
O fficers, Chie f Financial O fficers, Chie f In formation O fficers, and similar roles.
3 .76
trusted information communication entity
autonomous organization ( 3.50) supporting in formation exchange within an information sharing
community (3.34)
3 .77
vulnerability
weakness o f an asset or control (3.14) that can be exploited by one or more threats (3.74)
4 Information security management systems
4.1 General
Organizations o f all types and sizes:

a) collect, process, store, and transmit in formation;
b) recognize that in formation, and related processes, systems, networks and people are important
assets for achieving organization objectives;
c) f ace a range o f risks that can a ffect the functioning o f assets; and
d) address their perceived risk exposure by implementing in formation security controls.
All in formation held and processed by an organization is subject to threats o f attack, error, nature (for
example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term in formation
security is generally based on in formation being considered as an asset which has a value requiring
appropriate protection, for example, against the loss o f availability, confidentiality and integrity.
Enabling accurate and complete in formation to be available in a timely manner to those with an
authorized need is a catalyst for business e fficiency.
Protecting in formation assets through defining, achieving, maintaining, and improving in formation
security e ffectively is essential to enable an organization to achieve its objectives, and maintain and
enhance its legal compliance and image. These coordinated activities directing the implementation o f
suitable controls and treating unacceptable in formation security risks are generally known as elements
o f in formation security management.
As in formation security risks and the e ffectiveness o f controls change depending on shi fting
circumstances, organizations need to:
a) monitor and evaluate the e ffectiveness o f implemented controls and procedures;
b) identi fy emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such in formation security activities, each organization needs to establish
its policy and objectives for in formation security and achieve those objectives e ffectively by using a
management system.
4.2 What is an ISMS?
4.2 .1 Overview and principles
An ISMS consists o f the policies, procedures, guidelines, and associated resources and activities,
collectively managed by an organization, in the pursuit o f protecting its in formation assets. An ISMS is
a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
and improving an organization’s in formation security to achieve business objectives. It is based on a

risk assessment and the organization’s risk acceptance levels designed to e ffectively treat and manage
risks. Analysing requirements for the protection o f in formation assets and applying appropriate
controls to ensure the protection o f these in formation assets, as required, contributes to the success ful
implementation o f an ISMS. The following fundamental principles also contribute to the success ful
implementation o f an ISMS:
a) awareness o f the need for in formation security;
b) assignment o f responsibility for in formation security;
c) incorporating management commitment and the interests o f stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels o f risk;
f ) security incorporated as an essential element o f in formation networks and systems;
g) active prevention and detection o f in formation security incidents;
h) ensuring a comprehensive approach to in formation security management;
i) continual reassessment o f in formation security and making o f modifications as appropriate.
4.2 .2 Information
In formation is an asset that, like other important business assets, is essential to an organization’s
business and, consequently, needs to be suitably protected. In formation can be stored in many forms,
including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on
paper), as well as unrepresented in formation in the form o f knowledge o f the employees. In formation
can be transmitted by various means including: courier, electronic or verbal communication. Whatever
form in formation takes, or the means by which it is transmitted, it always needs appropriate protection.
In many organizations, in formation is dependent on in formation and communications technology. This

technology is o ften an essential element in the organization and assists in facilitating the creation,
processing, storing, transmitting, protection and destruction o f in formation.
4.2 .3 Information security
In formation security ensures the confidentiality, availability and integrity o f in formation. In formation
security involves the application and management o f appropriate controls that involves consideration
o f a wide range o f threats, with the aim o f ensuring sustained business success and continuity, and
minimizing consequences o f in formation security incidents.
In formation security is achieved through the implementation o f an applicable set o f controls, selected
through the chosen risk management process and managed using an ISMS, including policies, processes,
procedures, organizational structures, so ftware and hardware to protect the identified in formation
assets. These controls need to be specified, implemented, monitored, reviewed and improved where
necessary, to ensure that the specific in formation security and business objectives o f the organization
are met. Relevant in formation security controls are expected to be seamlessly integrated with an
organization’s business processes.
4.2 .4 Management
Management involves activities to direct, control, and continually improve the organization within
appropriate structures. Management activities include the act, manner, or practice o f organizing,
handling, directing, supervising, and controlling resources. Management structures extend from one
person in a small organization to management hierarchies consisting o f many individuals in large
organizations.

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
In terms o f an ISMS, management involves the supervision and making o f decisions necessary to achieve
business objectives through the protection o f the organization’s in formation assets. Management o f
in formation security is expressed through the formulation and use o f in formation security policies,
procedures and guidelines, which are then applied throughout the organization by all individuals
associated with the organization.
4.2 .5 Management system
A management system uses a framework o f resources to achieve an organization’s objectives. The

management system includes organizational structure, policies, planning activities, responsibilities,
practices, procedures, processes and resources.
In terms o f in formation security, a management system allows an organization to:
a) satis fy the in formation security requirements o f customers and other stakeholders;
b) improve an organization’s plans and activities;
c) meet the organization’s in formation security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage in formation assets in an organized way that facilitates continual improvement and
adjustment to current organizational goals.
4.3 Process approach
Organizations need to identi fy and manage many activities in order to function e ffectively and
e fficiently. Any activity using resources needs to be managed to enable the trans formation o f inputs into
outputs using a set o f interrelated or interacting activities; this is also known as a process. The output
from one process can directly form the input to another process and generally this trans formation
is carried out under planned and controlled conditions. The application o f a system o f processes
within an organization, together with the identification and interactions o f these processes, and their
management, can be re ferred to as a “process approach”.
4.4 Why an ISMS is important
Risks associated with an organization’s in formation assets need to be addressed. Achieving in formation
security requires the management o f risk, and encompasses risks from physical, human and technology
related threats associated with all forms o f in formation within or used by the organization.
The adoption o f an ISMS is expected to be a strategic decision for an organization and it is necessary
that this decision is seamlessly integrated, scaled and updated in accordance with the needs o f the
organization.
The design and implementation o f an organization’s ISMS is influenced by the needs and objectives o f the
organization, the security requirements, the business processes employed and the size and structure
o f the organization. The design and operation o f an ISMS needs to reflect the interests and in formation
security requirements o f all o f the organization’s stakeholders including customers, suppliers, business
partners, shareholders and other relevant third parties.
In an interconnected world, in formation and related processes, systems, and networks constitute critical
business assets. Organizations and their in formation systems and networks face security threats from
a wide range o f sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and
flood. Damage to in formation systems and networks caused by malicious code, computer hacking, and
denial o f service attacks have become more common, more ambitious, and increasingly sophisticated.
An ISMS is important to both public and private sector businesses. In any industry, an ISMS is an
enabler that supports e-business and is essential for risk management activities. The interconnection o f
public and private networks and the sharing o f in formation assets increase the di fficulty o f controlling

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
access to and handling o f in formation. In addition, the distribution o f mobile storage devices containing
in formation assets can weaken the e ffectiveness o f traditional controls. When organizations adopt
the ISMS family o f standards, the ability to apply consistent and mutually-recognizable in formation
security principles can be demonstrated to business partners and other interested parties.
In formation security is not always taken into account in the design and development o f in formation
systems. Further, in formation security is o ften thought o f as being a technical solution. However, the
in formation security that can be achieved through technical means is limited, and can be ine ffective
without being supported by appropriate management and procedures within the context o f an ISMS.
Integrating security into a functionally complete in formation system can be di fficult and costly. An ISMS
involves identi fying which controls are in place and requires care ful planning and attention to detail. As
an example, access controls, which can be technical (logical), physical, administrative (managerial) or a
combination, provide a means to ensure that access to in formation assets is authorized and restricted
based on the business and in formation security requirements.
The success ful adoption of an ISMS is important to protect in formation assets allowing an organization to:
a) achieve greater assurance that its in formation assets are adequately protected against threats on a
continual basis;
b) maintain a structured and comprehensive framework for identi fying and assessing in formation
security risks, selecting and applying applicable controls, and measuring and improving their
e ffectiveness;
c) continually improve its control environment; and
d) e ffectively achieve legal and regulatory compliance.
4.5 Establishing, monitoring, maintaining and improving an ISMS
4.5 .1 Overview
An organization needs to undertake the following steps in establishing, monitoring, maintaining and
improving its ISMS:
a) identi fy in formation assets and their associated in formation security requirements (see 4.5.2);
b) assess in formation security risks (see 4.5.3) and treat in formation security risks (see 4.5.4);
c) select and implement relevant controls to manage unacceptable risks (see 4.5.5);
d) monitor, maintain and improve the e ffectiveness o f controls associated with the organization’s
in formation assets (see 4.5.6 ) .
To ensure the ISMS is e ffectively protecting the organization’s in formation assets on an ongoing
basis, it is necessary that steps a) to d) be continually repeated to identi fy changes in risks or in the
organization’s strategies or business objectives.
4.5 .2 Identifying information security requirements
Within the overall strategy and business objectives o f the organization, its size and geographical spread,
in formation security requirements can be identified through an understanding o f the following:
a) identified in formation assets and their value;
b) business needs for in formation processing, storage and communication;
c) legal, regulatory, and contractual requirements.
Conducting a methodical assessment o f the risks associated with the organization’s in formation
assets involves analysing threats to in formation assets, vulnerabilities to and the likelihood o f a threat

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
materi a l i z i ng to i n formation a s s e ts , a nd the p o tentia l i mp ac t o f a ny i n formation s e c u rity i ncident
on i n formation as s e ts . T he e xp end iture on relevant control s i s e xp e c te d to b e prop or tionate to the
p ercei ve d bu s i ne s s i mp ac t o f the ri s k materia l i z i ng.
4.5 .3 Assessing information security risks
M a nagi ng i n formation s e c u rity ri s ks re qui re s a s u itable ri s k as s e s s ment and ri s k tre atment me tho d
wh ich ca n i nclude an e s ti mation o f the co s ts and b enefits , lega l re qui rements , the concern s of
s ta keholders , a nd o ther i nputs a nd variab le s as appropri ate .
Ri s k a s s e s s ment shou ld identi fy, quanti fy, and prioriti ze ri s ks aga i n s t criteria for ri sk accep tance
and obj e c tive s relevant to the organ i z ation . T he re s u lts s hou ld gu ide and de term i ne the appropri ate
management ac tion a nd prioritie s for managi ng i n formation s e c u rity ri sks a nd for i mplementi ng
control s s ele c te d to pro te c t agai n s t the s e ri s ks .
Ri s k as s e s s ment s hou ld i nclude:
— the s ys tematic appro ach o f e s ti mati ng the magn itude o f ri s ks (ri s k ana lys i s) ; a nd
— the pro ce s s o f comp ari ng the e s ti mate d ri s ks agai n s t ri s k criteri a to de term i ne the s ign i fic ance o f
the ri sks (ri s k eva luation) .
Ri s k as s e s s ment s hou ld b e p er forme d p erio d ic a l ly to add re s s ch ange s i n the i n formation s e c urity
re qu i rements a nd i n the ri s k s ituation, for example i n the as s e ts , th re ats , vu l nerabi l itie s , i mp ac ts , the
ri sk eva luation, and when s ign i fic ant change s o cc u r. T he s e ri s k as s e s s ments s hou ld b e u nder ta ken i n a
me tho d ic a l man ner cap able o f pro duc i ng comp arable a nd repro duc ible re s u lts .
T he i n formation s e c u rity ri s k a s s e s s ment s hou ld h ave a cle arly defi ne d s cop e i n order to b e e ffe c tive
and s hou ld i nclude rel ation sh ip s with ri s k as s e s s ments i n o ther are as , i f appropri ate .
I S O/I E C 2 70 0 5 provide s i n formation s e c u rity ri s k management gu ida nce, i nclud i ng advice on ri s k
as s e s s ment, ri s k tre atment, ri s k accep tance, ri s k rep or ti ng , ri s k mon itori ng and ri s k review. E xample s
o f ri sk a s s e s s ment me tho dolo gie s a re i nclude d a s wel l .
4.5 .4 Treating information security risks
B e fore con s ideri ng the tre atment o f a ri s k, the organ i z ation s hou ld defi ne criteri a for de term i n i ng
whe ther or no t ri s ks c an b e accep te d . Ri s ks c an b e accep te d i f, for exa mple, it i s a s s e s s e d that the ri s k
i s low or that the co s t o f tre atment i s no t co s t- e ffe c ti ve for the orga n i z ation . Such de c i s ion s shou ld b e
recorded.
For e ach o f the ri s ks identi fie d fol lowi ng the ri sk as s e s s ment, a ri s k tre atment de c i s ion ne e d s to b e
made . Po s s ible op tion s for ri sk tre atment i nclude the fol lowi ng:
a) applyi ng appropri ate control s to re duce the ri sks;
b) knowi ngly and obj e c tively accep ti ng ri s ks , provid i ng they cle a rly s ati s fy the organ i z ation’s p ol ic y
a nd criteri a for ri s k accep tance;
c) avoid i ng ri sks b y no t a l lowi ng ac tion s that wou ld c au s e the ri sks to o cc u r;
d) s ha ri ng the as s o c iate d ri s ks to o ther p ar tie s , for e xample i n s u rers or s uppl iers .
For tho s e ri s ks where the ri s k tre atment de ci s ion h as b e en to apply appropri ate control s , the s e control s
shou ld b e s ele c te d a nd i mplemente d .
4.5 .5 Selecting and implementing controls
O nce i n formation s e c u rity re qui rements have b e en identi fie d (s e e 4. 5 . 2 ) , i n formation s e c u rity ri s ks to
the identi fie d i n formation as s e ts h ave b e en de term i ne d and a s s e s s e d (s e e 4. 5 . 3 ) a nd de c i s ion s for the

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
treatment o f in formation security risks have been made (see 4.5.4), then selection and implementation
o f controls for risk reduction apply.
Controls should ensure that risks are reduced to an acceptable level taking the following into account:
a) requirements and constraints o f national and international legislation and regulations;
b) organizational objectives;
c) operational requirements and constraints;
d) their cost o f implementation and operation in relation to the risks being reduced, and remaining
proportional to the organization’s requirements and constraints;
e) their objectives to monitor, evaluate and improve the e fficiency and e ffectiveness o f in formation
security controls to support the organization’s aims. The selection and implementation o f controls
should be documented within a statement o f applicability to assist with compliance requirements;
f ) the need to balance the investment in implementation and operation o f controls against the loss
likely to result from in formation security incidents.
The controls specified in ISO/IEC 27002 are acknowledged as best practices applicable to most
organizations and readily tailored to accommodate organizations o f various sizes and complexities.
Other standards in the ISMS family o f standards provide guidance on the selection and application o f
ISO/IEC 27002 controls for the ISMS.
In formation security controls should be considered at the systems and projects requirements
specification and design stage. Failure to do so can result in additional costs and less e ffective
solutions, and, in the worst case, inability to achieve adequate security. Controls can be selected from
ISO/IEC 27002 or from other control sets. Alternatively, new controls can be designed to meet the
specific needs o f the organization. It is necessary to recognize the possibility that some controls not
be applicable to every in formation system or environment, and not be practicable for all organizations.
Sometimes, implementing a chosen set o f controls takes time and, during that time, the level o f risk can
be higher than can be tolerated on a long-term basis. Risk criteria should cover tolerability o f risks on
a short-term basis while controls are being implemented. Interested parties should be in formed o f the
levels o f risk that are estimated or anticipated at di fferent points in time as controls are progressively
implemented.
It should be kept in mind that no set o f controls can achieve complete in formation security. Additional
management actions should be implemented to monitor, evaluate and improve the e fficiency and
e ffectiveness o f in formation security controls to support the organization’s aims.
The selection and implementation o f controls should be documented within a statement o f applicability
to assist with compliance requirements.
4.5 .6 Monitor, maintain and improve the effectiveness of the ISMS
An organization needs to maintain and improve the ISMS through monitoring and assessing
per formance against organizational policies and objectives, and reporting the results to management
for review. This ISMS review checks that the ISMS includes specified controls that are suitable to treat
risks within the ISMS scope. Furthermore, based on the records o f these monitored areas, it provides
evidence o f verification and traceability o f corrective, preventive and improvement actions.
4.5 .7 Continual improvement
The aim o f continual improvement o f an ISMS is to increase the probability o f achieving objectives
concerning the preservation o f the confidentiality, availability and integrity o f in formation. The focus
o f continual improvement is seeking opportunities for improvement and not assuming that existing
management activities are good enough or as good as they can.

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Ac tions for improvement include the fol lowing:
a) analysing and evaluating the existing situation to identi fy areas for improvement;
b) establishing the objectives for improvement;
c) searching for possible solutions to achieve the objectives;
d) evaluating these solutions and making a selection;
e) implementing the selected solution;
f ) measuring, veri fying, analysing and evaluating results o f the implementation to determine that the
objectives have been met;
g) ormalizing changes.
f
Results are reviewed, as necessary, to determine further opportunities for improvement. In this way,
improvement is a continual activity, i.e. actions are repeated frequently. Feedback from customers and
other interested parties, audits and review o f the in formation security management system can also be
used to identi fy opportunities for improvement.
4.6 ISMS critical success factors
A large number o f factors are critical to the success ful implementation o f an ISMS to allow an
organization to meet its business objectives. Examples o f critical success factors include the following:
a) in formation security policy, objectives, and activities aligned with objectives;
b) an approach and framework for designing, implementing, monitoring, maintaining, and improving
in formation security consistent with the organizational culture;
c) visible support and commitment from all levels o f management, especially top management;
d) an understanding o f in formation asset protection requirements achieved through the application
o f in formation security risk management (see ISO/IEC 27005);
e) an e ffective in formation security awareness, training and education programme, in forming all
employees and other relevant parties o f their in formation security obligations set forth in the
in formation security policies, standards, etc., and motivating them to act accordingly;
f ) an e ffective in formation security incident management process;
g) an e ffective business continuity management approach;
h) a measurement system used to evaluate per formance in in formation security management and
feedback suggestions for improvement.
An ISMS increases the likelihood o f an organization consistently achieving the critical success factors
required to protect its in formation assets.
4 . 7 B e n e fi ts o f th e I S M S f
a m i l y o f s ta n d a r d s
The benefits o f implementing an ISMS primarily result from a reduction in in formation security risks
(i.e. reducing the probability o f and/or impact caused by in formation security incidents). Specifically,
benefits realized for an organization to achieve sustainable success from the adoption o f the ISMS
family o f standards include the following:
a) a structured framework supporting the process o f speci fying, implementing, operating and
maintaining a comprehensive, cost-e ffective, value creating, integrated and aligned ISMS that
meets the organization’s needs across di fferent operations and sites;

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
b) a s s i s tance for management in con s i s tently ma nagi ng and op erati ng in a re s p on s ible man ner
thei r appro ach toward s i n formation s e c u rity ma nagement, with i n the contex t o f cor p orate ri sk
management and governance, i nclud i ng e duc ati ng and tra i n i ng bu s i ne s s and s ys tem owners on the
hol i s tic management o f i n formation s e c u rity;
c) promo tion o f glob a l ly accep te d, go o d i n formation s e c urity prac tice s i n a non-pre s c rip tive man ner,
gi vi ng organ i z ation s the latitude to adop t and i mprove relevant control s that s uit thei r s p e c i fic
c i rc u m s tance s and to mai ntai n them i n the face o f i nterna l and e xterna l ch ange s;
d) provi s ion o f a com mon l anguage and concep tua l b as i s for i n formation s e c u rity, ma ki ng it e a s ier to
place con fidence i n bu s i ne s s p ar tners with a compl ia nt I S M S , e s p e c ia l ly i f they re qu i re cer ti fic ation
aga i n s t I S O/I E C 2 70 01 b y a n accre d ite d cer ti fic ation b o dy;
e) i ncre as e i n s ta keholder tr u s t i n the orga ni z ation;
f) s ati s fyi ng s o cie ta l ne e d s and e xp e c tation s;
g) more e ffe c tive e conom ic ma nagement o f i n formation s e c u rity i nve s tments .
5 ISMS family of standards
5 .1 General information
T he ISMS fam i ly of s tandard s con s i s ts of i nter-relate d s tandard s , a l re ady publ i s he d or u nder
development, and contai n s a nu mb er o f s ign i fic a nt s tr uc tu ra l comp onents . T he s e comp onents a re
fo cused on:
— s tandard s de s c ribi ng I S M S re qui rements (I S O/I E C 2 70 01) ;
— cer ti fic ation b o dy re qu i rements ( I S O/I EC 2 70 0 6 ) for tho s e cer ti fyi ng con for m ity with
I S O/I E C 2 70 01 ; a nd
— add itiona l re qu i rement framework for s e c tor- s p e ci fic i mplementation s o f the I S M S (I S O/I E C 2 70 0 9) .
O ther do c u ments provide guidance for variou s as p e c ts o f an I S M S i mplementation, add re s s i ng a generic
pro ce s s a s wel l a s s e c tor- s p e ci fic gu idance .
Relation sh ip s b e twe en the I S M S fam i ly o f s tandard s a re i l lu s trate d i n Figure 1 .

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Vocabulary standard -
Clause 5.2 27000
Requirement
standards - 27001 27006 27009
ISMS family of standards
Clause 5.3
27002 27003 27004 27005 27007 TR 27008

Guidelines standards
-
Clause 5.4 27013 27014 TR 27016 27021
Sector-speci?ic
guidelines standards - 27010 27011 27017 27018 27019
Clause 5.5
Control-speci?ic guidelines standards 2703x 2704x

(out of the scope of this document)
Figure 1 — ISMS family of standards relationships
E ach o f the I S M S fa m i ly s tandard s i s de s crib e d b elow b y its typ e (or role) with i n the I S M S fam i ly of
s tandard s a nd its re ference nu mb er.
5 .2 Standard describing an overview and terminology: ISO/IEC 2 7000 (this document)
Information technology — Security techniques — Information security management systems — Overview

and vocabulary
Scope: T h i s do c u ment provide s to organ i z ation s a nd i nd ividua l s:
a) a n over view o f the I S M S fa m i ly o f s tand ard s;
b) a n i ntro duc tion to i n formation s e c u rity management s ys tem s; and
c) term s and defi n ition s u s e d th roughout the I S M S fam i ly o f s ta ndard s .
Purpose: T h i s do c ument de s crib e s the fundamenta l s o f i n formation s e c u rity management s ys tem s ,
wh ich form the s ubj e c t o f the I S M S fam i ly o f s tandard s and defi ne s relate d term s .
5 .3 Standards specifying requirements
5 .3 .1 ISO/IEC 2 7001
Information technology — Security techniques — Information security management systems —

Requirements
Scope: T h i s do c ument s p e c i fie s the re qu i rements for e s tabl i sh i ng , i mplementi ng , op erati ng , mon itori n g ,
reviewi ng , mai ntai n i ng and i mprovi ng forma l i z e d i n formation s e c u rity management s ys tem s (I S M S )
with i n the conte xt o f the organ i z ation’s overa l l bu s i ne s s ri sks . It s p e ci fie s re qui rements for the
i mplementation o f i n formation s e c urity control s c u s tom i z e d to the ne e d s o f i nd i vidua l organ i z ation s
or p ar ts there o f. T h i s do c u ment c an b e u s e d b y a l l orga ni z ation s , regard le s s o f typ e, s i z e a nd natu re .

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Purpose: ISO/IEC 27001 provides normative requirements for the development and operation o f
an ISMS, including a set o f controls for the control and mitigation o f the risks associated with the
in formation assets which the organization seeks to protect by operating its ISMS. Organizations
operating an ISMS may have its con formity audited and certified. The control objectives and controls
from ISO/IEC 27001:2013, Annex A shall be selected as part o f this ISMS process as appropriate to cover
the identified requirements. The control objectives and controls listed in ISO/IEC 27001:2013, Table A.1
are directly derived from and aligned with those listed in ISO/IEC 27002:2013, Clauses 5 to 18.
5 .3 .2 ISO/IEC 2 7006
In formation technology — Security techniques — Requirements for bodies providing audit and certification
of information security management systems
Scope: This document specifies requirements and provides guidance for bodies providing audit and
ISMS certification in accordance with ISO/IEC 27001, in addition to the requirements contained within
ISO/IEC 17021. It is primarily intended to support the accreditation o f certification bodies providing
ISMS certification according to ISO/IEC 27001.
The requirements contained in this document need to be demonstrated in terms o f competence and
reliability by anybody providing ISMS certification, and the guidance contained in this document
provides additional interpretation o f these requirements for anybody providing ISMS certification.
Purpose: ISO/IEC 27006 supplements ISO/IEC 17021 in providing the requirements by which
certification organizations are accredited, thus permitting these organizations to provide compliance
certifications consistently against the requirements set forth in ISO/IEC 27001.
5 .3 .3 ISO/IEC 2 7009
In formation technology — Security techniques — Sector-specific application o f ISO/IEC 27001 —

Requirements
Scope: This document defines the requirements for the use o f ISO/IEC 27001 in any specific sector
(field, application area or market sector). It explains how to include requirements additional to those
in ISO/IEC 27001, how to refine any o f the ISO/IEC 27001 requirements, and how to include controls or
control sets in addition to ISO/IEC 27001:2013, Annex A.
Purpose: ISO/IEC 27009 ensures that additional or refined requirements are not in conflict with the
requirements in ISO/IEC 27001.
5 .4 Standards describing general guidelines
5 .4.1 ISO/IEC 2 7002
In formation technology — Security techniques — Code o f practice for in formation security controls
Scope: This document provides a list o f commonly accepted control objectives and best practice
controls to be used as implementation guidance when selecting and implementing controls for achieving
in formation security.
Purpose: ISO/IEC 27002 provides guidance on the implementation o f in formation security controls.
Specifically, Clauses 5 to 18 provide specific implementation advice and guidance on best practice in
support o f the controls specified in ISO/IEC 27001:2013, A.5 to A.18.
5 .4.2 ISO/IEC 2 7003
Information technology — Security techniques — Information security management —Guidance
Scope: This document provides explanation and guidance on ISO/IEC 27001:2013.

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Purpose: I S O/I E C 2 70 0 3 provide s a b ackgrou nd to the s ucce s s fu l i mplementation o f the ISMS in
accordance with I S O/I E C 2 70 01 .
5 .4.3 ISO/IEC 2 7004
Information technology — Security techniques — Information security management — Monitoring,

measurement, analysis and evaluation
Scope: T h i s do c u ment provide s gu idel i ne s i ntende d to a s s i s t organ i z ation s to eva luate the i n formation
s e c u rity p er formance a nd the e ffe c tivene s s of the ISMS in order to fu l fi l the re qu i rements of
I S O/I E C 2 70 01 : 2 01 3 , 9.1 . I t add re s s e s:
a) the mon itori ng a nd me a s u rement o f i n formation s e c urity p er formance;
b) the mon itori ng and me a s urement o f the e ffe c tivene s s o f a n i n formation s e c u rity management
s ys tem (I S M S ) i nclud i ng its pro ce s s e s and control s;
c) the ana lys i ng and the eva luati ng o f the re s u lts o f mon itori ng a nd me as u rement.
Purpose: I S O/I E C 2 70 0 4 provide s a fra mework a l lowi ng an as s e s s ment o f I S M S e ffe c tivene s s to b e
me as u re d and eva luate d i n accord ance with I S O/I E C 2 70 01 .
5 .4.4 ISO/IEC 2 7005
Information technology — Security techniques — Information security risk management
Scope: T h i s do c u ment provide s gu idel i ne s for i n formation s e c u rity ri s k management. T he appro ach
de s c rib e d with i n th i s do c u ment s upp or ts the genera l concep ts s p e c i fie d i n I S O/I E C 2 70 01 .
Purpose: I S O/I E C 2 70 0 5 provide s gu idance on i mplementi ng a pro ce s s - oriente d ri s k ma nagement
appro ach to assis t in s ati s fac tori ly i mplementi ng and fu l fi l l i ng the i n formation s e c u rity ri s k
management re qu i rements o f I S O/I E C 2 70 01 .
5 .4.5 ISO/IEC 2 7007
Information technology — Security techniques — Guidelines for information security management systems
auditing
Scope: This do c ument provide s gu idance on conduc ti ng ISMS aud its , as wel l as guidance on the
comp e tence o f i n formation s e c urity ma nagement s ys tem aud itors , i n add ition to the gu idance contai ne d
i n I S O 19 011 , wh ich i s appl ic able to management s ys tem s i n genera l .
Purpose: I S O/I E C 2 70 0 7 wi l l provide gu idance to orga n i z ation s ne e d i ng to conduc t i nterna l or
ex terna l aud its o f an I S M S or to manage an I S M S aud it pro gra m me agai n s t the re qu i rements s p e c i fie d
in I S O/I E C 2 70 01 .
5 .4.6 ISO/IEC TR 2 7008
Information technology — Security techniques — Guidelines for auditors on information security controls
Scope: T h i s do c u ment provide s guidance on reviewi ng the i mplementation and op eration o f control s ,
i nclud i ng te ch n ic a l compl ia nce che cki ng of i n formation s ys tem control s , in compl i ance with an
orga ni z ation’s e s tabl i she d i n formation s e c u rity s tandard s .
Purpose: T hi s do cument provides a fo cus on reviews o f in formation s ecurity controls , including checking
o f technical compliance, agains t an in formation s ecurity implementation s tandard, which i s es tabli shed
by the organi z ation. It do es not intend to provide any s p eci fic guidance on compliance checking regarding
meas urement, risk as ses s ment or audit o f an I SM S as s p eci fied in I SO/I EC 2 70 0 4, I SO/I EC 2 70 05 or
I SO/I EC 2 70 07, res p ec tively. T hi s do cumentis not i ntended for management s ys tems audits .

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
5 .4.7 ISO/IEC 2 701 3
Information technology — Security techniques — Guidance on the integrated implementation of

ISO/IEC 27001 and ISO/IEC 20000-1
Scope: This do c ument provide s guidance on the i ntegrate d i mplementation o f I S O/I E C 2 70 01 and
I S O/I E C 2 0 0 0 0 -1 for organ i z ation s th at are i ntend i ng to either:
a) i mplement I S O/I E C 2 70 01 when I S O/I E C 2 0 0 0 0 -1 i s a l re ady i mplemente d, or vice vers a;
b) i mplement b o th I S O/I E C 2 70 01 and I S O/I E C 2 0 0 0 0 -1 to ge ther;
c) i ntegrate exi s ti ng management s ys tem s b a s e d on I S O/I E C 2 70 01 and I S O/I E C 2 0 0 0 0 -1 .
This do c ument fo c u s e s e xclu s ively on the i ntegrate d i mplementation o f an i n formation s e c u rity
ma nagement s ys tem (I S M S ) as s p e c i fie d i n I S O/I E C 2 70 01 a nd a s er vice management s ys tem (S M S ) as
s p e c i fie d i n I S O/I E C 2 0 0 0 0 -1 .
I n prac tice, I S O/I E C 2 70 01 and I S O/I E C 2 0 0 0 0 -1 c a n a l s o b e i ntegrate d with o ther ma nagement s ys tem
s ta nda rd s , s uch as I S O 9 0 01 a nd I S O 14 0 01 .
Purpose: To provide organ i z ation s with a b e tter u nders tand i ng o f the ch arac teri s tics , s i m i l aritie s and
d i fference s o f I S O/I E C 2 70 01 a nd I S O/I E C 2 0 0 0 0 -1 to as s i s t i n the pla n ni ng o f a n i ntegrate d management
s ys tem that con form s to b o th I nternationa l Standard s .
5 .4.8 ISO/IEC 2 701 4
Information technology — Security techniques — Governance of information security
Scope: This do c u ment wi l l provide gu ida nce on pri nc iple s and pro ce s s e s for the governance of
i n formation s e c u rity, b y wh ich organ i z ation s c an eva luate, d i re c t a nd mon itor the management o f
i n formation s e c urity.
Purpose: I n formation s e c u rity h as b e come a key i s s ue for organ i z ation s . No t on ly a re there i ncre as i ng
re gu l ator y re qu i rements but a l s o the fai lu re o f a n organ i z ation’s i n formation s e c u rity me as u re s c an
have a d i re c t i mp ac t on an organ i z ation’s reputation . T here fore, govern i ng b o d ie s , a s p ar t o f thei r
governance re s p on s ibi l itie s , are i ncre a s i ngly re qu i re d to h ave overs ight o f i n formation s e c urity to
en s u re the obj e c ti ve s o f the organ i z ation are ach ieve d .
5 .4.9 ISO/IEC TR 2 701 6
Information technology — Security techniques — Information security management — Organizational

economics
Scope: This do c u ment provide s a me tho dolo g y a l lowi ng organ i z ation s to b e tter u nders tand
e conom ic a l ly how to more acc u rately va lue thei r identi fie d i n formation a s s e ts , va lue the p o tenti a l
ri s ks to tho s e i n formation a s s e ts , appre ci ate the va lue that i n formation pro te c tion control s del iver to
the s e i n formation a s s e ts , a nd de term i ne the op ti mu m level o f re s ou rce s to b e appl ie d i n s e c u ri ng the s e
i n formation a s s e ts .
Purpose: This do c u ment s upplements the ISMS fa m i ly o f s tanda rd s by overlayi ng an e conom ics
p ers p e c tive i n the pro te c tion o f an orga n i z ation’s i n formation as s e ts i n the conte xt o f the wider s o c ie ta l
envi ron ment i n wh ich an orga n i z ation op erate s and provid i ng guidance on how to apply orga n i z ationa l
e conom ics o f i n formation s e c u rity th rough the u s e o f mo del s a nd e xample s .
5 .4.1 0 ISO/IEC 2 702 1
In formation technology — Security techniques — In formation security management — Competence

requirements for information security management systems professionals

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Scope: T h i s do c u ment s p e c i fie s the re qu i rements o f comp e tence for I S M S pro fe s s iona l s le ad i ng or
i nvolve d i n e s tabl i sh i ng , i mplementi ng , ma i nta i ni ng and conti nua l ly i mprovi ng one or more i n formation
s e c u rity ma nagement s ys tem pro ce s s e s th at con form s to I S O/I E C 2 70 01 : 2 01 3 .
Purpose: T h i s do c ument i s i ntende d for u s e b y:
a) i nd ividua l s who wou ld l i ke to demon s trate thei r comp e tence a s i n formation s e c u rity ma nagement
s ys tem (I S M S ) pro fe s s iona l s , or who wi sh to unders ta nd a nd accompl i sh the comp e tence re qu i re d
for worki ng i n th i s are a, a s wel l a s wi s h i ng to bro aden thei r knowle dge,
b) organ i z ation s s e eki ng p o tentia l I S M S pro fe s s iona l c and idate s to defi ne the comp e tence re qu i re d
for p o s ition s i n I S M S relate d role s ,
c) b o d ie s to develop cer ti fic ation for I S M S pro fe s s iona l s wh ich ne e d a b o dy o f knowle dge (B OK ) for
e xam i nation s ou rce s , and
d) organ i z ation s for e duc ation a nd trai n i ng , s uch as u n ivers itie s and vo c ationa l i n s titution s , to a l ign
thei r s yl l abu s e s a nd cou rs e s to the comp e tence re qu i rements for I S M S pro fe s s iona l s .
5 . 5 S ta n d a rd s d e s c r i b i n g s e c to r - s p e c i fi c g u i d e l i n e s
5 .5 .1 ISO/IEC 2 701 0
Information technology — Security techniques — Information security management for inter-sector and
inter-organizational communications
Scope: T his do c ument provide s gu idel i ne s in add ition to gu idance given in the I S O/I E C 2 70 0 0
fam i ly o f s tanda rd s for i mplementi ng i n formation s e c u rity ma nagement with i n i n formation sh ari ng
communities .
This do c u ment provide s control s a nd gu idance s p e ci fic a l ly rel ati ng to i n iti ati ng , i mplementi ng ,
mai ntai n i ng , and i mprovi ng i n formation s e c u rity in i nter- organ i z ationa l and i nter- s e c tor
com mu n ic ation s .
Purpose: T h i s do c u ment i s appl icable to a l l form s o f e xch ange a nd s hari ng o f s en s itive i n formation,
b o th publ ic a nd private, nationa l ly and i nternationa l ly, with i n the s a me i ndu s tr y or ma rke t s e c tor or
b e twe en s e c tors . I n p a r tic u l ar, it c an b e appl ic able to i n formation e xch ange s and sh ari ng rel ati ng to the
provi s ion, ma i ntenance a nd pro te c tion o f a n orga ni z ation’s or s tate’s c ritic a l i n fra s truc tu re .
5 .5 .2 ISO/IEC 2 701 1
In formation technology — Security techniques — Code o f practice for in formation security controls based
on ISO/IEC 27002 for telecommunications organizations
Scope: This do c ument provide s gu idel i ne s s upp or ti ng the i mplementation o f i n formation s e c u rity
control s i n tele com mu nic ation s orga ni z ation s .
Purpose: I S O/I E C 2 701 1 a l lows tele com mu n ic ation s organ i z ation s to me e t b as el i ne i n formation
s e c u rity ma nagement re qu i rements o f con fidentia l ity, i ntegrity, avai labi l ity and a ny o ther relevant
s e c u rity prop er ty.
5 .5 .3 ISO/IEC 2 701 7
In formation technology — Security techniques — Code o f practice for in formation security controls based
on ISO/IEC 27002 for cloud services
Scope: I S O/I E C 2 7017 give s gu idel i ne s for i n formation s e c u rity control s appl ic able to the provi s ion a nd
u s e o f cloud s er vice s b y provid i ng:
— add itiona l i mplementation guidance for releva nt control s s p e ci fie d i n I S O/I E C 2 70 02 ;

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
— additional controls with implementation guidance that specifically relate to cloud services.
Purpose: This document provides controls and implementation guidance for both cloud service
providers and cloud service customers.
5 .5 .4 ISO/IEC 2 701 8
In formation technology — Security techniques — Code o f practice for protection o f personally identifiable
information (PII) in public clouds acting as PII processors
Scope: ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for
implementing measures to protect personally identifiable in formation (PII) in accordance with the
privacy principles in ISO/IEC 29100 for the public cloud computing environment.
Purpose: This document is applicable to organizations, including public and private companies,
government entities and not- for-profit organizations, which provide in formation processing services
as PII processors via cloud computing under contract to other organizations. The guidelines in this
document can also be relevant to organizations acting as PII controllers. However, it is possible that PII
controllers be subject to additional PII protection legislation, regulations and obligations, not applying
to PII processors, and these are not covered in this document.
5 .5 .5 ISO/IEC 2 701 9
Information technology — Security techniques — In formation security controls for the energy utility
industry
Scope: This document provides guidance based on ISO/IEC 27002:2013 applied to process control
systems used by the energy utility industry for controlling and monitoring the production or generation,
transmission, storage and distribution o f electric power, gas, oil and heat, and for the control o f
associated supporting processes. This includes in particular the following:
— central and distributed process control, monitoring and automation technology as well as
in formation systems used for their operation, such as programming and parameterization devices;
— digital controllers and automation components such as control and field devices or programmable
logic controllers (PLCs), including digital sensor and actuator elements;
— all further supporting in formation systems used in the process control domain, e.g. for supplementary
data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting
and documentation purposes;
— communication technology used in the process control domain, e.g. networks, telemetry, telecontrol
applications and remote control technology;
— advanced metering in frastructure (AMI) components, e.g. smart meters;
— measurement devices, e.g. for emission values;
— digital protection and sa fety systems, e.g. protection relays, sa fety PLCs, emergency governor
mechanisms;
— energy management systems, e.g. o f distributed energy resources (DER), electric charging
in frastructures, in private households, residential buildings or industrial customer installations;
— distributed components o f smart grid environments, e.g. in energy grids, in private households,
residential buildings or industrial customer installations;
— all so ftware, firmware and applications installed on above -mentioned systems, e.g. DMS (distribution
management system) applications or OMS (outage management system);
— any premises housing the above-mentioned equipment and systems;

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
— remote maintenance systems for above-mentioned systems.

This document does not apply to the process control domain o f nuclear facilities. This domain is covered
by IEC 62645.
This document also includes a requirement to adapt the risk assessment and treatment processes
described in ISO/IEC 27001:2013 to the energy utility industry-sector–specific guidance provided in
this do cument.
Purpose: In addition to the security objectives and measures that are set forth in ISO/IEC 27002, this
document provides guidelines for systems used by energy utilities and energy suppliers on in formation
security controls which address further, special requirements.
5 .5 .6 ISO 2 7799
Health informatics — Information security management in health using ISO/IEC 27002
Scope: This document gives guidelines for organizational in formation security standards and
in formation security management practices including the selection, implementation and management
o f controls taking into consideration the organization’s in formation security risk environment(s).
This document provides implementation guidance for the controls described in ISO/IEC 27002
and supplements them where necessary, so that they can be e ffectively used for managing health
in formation security.
Purpose: ISO 27799 provides health organizations with an adaptation o f the ISO/IEC 27002 guidelines
unique to their industry sector which are additional to the guidance provided towards fulfilling the
requirements o f ISO/IEC 27001:2013, Annex A.

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
Bibliography
[1] I S O 9 0 0 0 : 2 01 5 , Quality management systems — Fundamentals and vocabulary
[2 ] I S O/ I E C / I E E E 1 5 9 3 9 : 2 0 17, Systems and software engineering — Measurement process
[3 ] Con formity assessment — Requirements for bodies providing audit and certification
I S O/ I E C 170 2 1 ,
of management systems
[4] I S O 19 0 1 1 : 2 0 1 1 , Guidelines for auditing management systems
[5 ] I S O/ I E C In formation technology — Service management — Part 1: Service

2 0 0 0 0 -1 : 2 0 1 1 ,
management system requirements
[6 ] Information technology — Security techniques — Information security management

I S O/ I E C 2 70 0 1 ,
systems — Requirements
[7 ] In formation technology — Security techniques — Code o f practice for in formation

I S O/ I E C 2 70 0 2 ,
security controls
[8 ] I S O/ I E C 2 70 0 3 , Information technology — Security techniques — Information security management

— Guidance
[9 ] I S O/ I E C Information technology — Security techniques — Information security

2 70 0 4 ,
management — Monitoring, measurement, analysis and evaluation
[1 0 ] I S O/ I E C 2 70 0 5 , Information technology — Security techniques — Information security risk

management
[1 1] I S O/ I E C Information technology — Security techniques — Requirements for bodies

2 70 0 6 ,
providing audit and certification o f in formation security management systems
[1 2 ] I S O/ I E C Information technology — Security techniques — Guidelines for information

2 70 0 7,
security management systems auditing
[1 3 ] I S O/ I E C TR Information technology — Security techniques — Guidelines for auditors on

2 70 0 8 ,
information security controls
[14] I S O/ I E C In formation technology — Security techniques — Sector-specific application o f

2 70 0 9,
ISO/IEC 27001 — Requirements
[1 5 ] Information technology — Security techniques — Information security management

I S O/ I E C 2 70 1 0 ,
for inter-sector and inter-organizational communications
[1 6 ] I S O/ I E C In formation technology — Security techniques — Code o f practice for in formation

2 70 1 1 ,
security controls based on ISO/IEC 27002 for telecommunications organizations
[1 7 ] I S O/ I E C Information technology — Security techniques — Guidance on the integrated

2 70 1 3 ,
implementation o f ISO/IEC 27001 and ISO/IEC 20000-1
[1 8 ] I S O/ I E C 2 70 14 , Information technology — Security techniques — Governance of information

security
[19 ] I S O/ I E C TRInformation technology — Security techniques — Information security

2 70 1 6 ,
management — Organizational economics
[2 0 ] I S O/ I E C In formation technology — Security techniques — Code o f practice for in formation

2 70 17,
security controls based on ISO/IEC 27002 for cloud services
[2 1] In formation technology — Security techniques — Code o f practice for protection o f

I S O/ I E C 2 70 1 8 ,
personally identifiable in formation (PII) in public clouds acting as PII processors

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
[2 2 ] I S O/I E C 2 7019, Information technology — Security techniques — Information security controls for
the energy utility industry
[2 3 ] In formation technology — Security techniques — Competence requirements for

I S O/I E C 2 702 1 ,
information security management systems professionals
[2 4] I S O 2 7 79 9, Health in formatics — In formation security management in health using ISO/IEC 27002
[2 5 ] I S O Guide 7 3 : 2 0 0 9, Risk management — Vocabulary

lOMoARcPSD|35756705
ISO/IEC 2 7000: 2 01 8(E)
ICS 01.040.35; 03.100.70; 35.030

Price based on 2 7 pages
© I SO /I EC 2 0 1 8 – All rights reserved

Iso 27000 2018 Standards For Information Security

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso 27000 2018 Standards For Information Security

Uploaded by

Copyright:

Available Formats

lOMoARcPSD|35756705

ISO 27000 2018 - Standards for Information Security

Cyber Security (Indira Gandhi National Open University)

Escanea para abrir en Studocu

Studocu no está patrocinado ni avalado por ningún colegio o universidad.

Information technology — Security

Technologies de l'information — Techniques de sécurité — Systèmes

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

COPYRIGHT PROTECTED DOCUMENT

ii © I SO /I E C 2 0 1 8 – All rights res erved

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

4.2.1 Overview and principles . . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 11

4.7 Benefits o f the ISMS family o f standards . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 17

5.4 Standards describing general guidelines . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 20

5.5 Standards describing sector-specific guidelines . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 23

© I SO /I E C 2 0 1 8 – All rights res erved iii

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

iv © I SO /I E C 2 0 1 8 – All rights res erved

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

prop er ty, and employe e de ta i l s , or i n formation entru s te d to them b y c u s tomers or th i rd p ar tie s . T he s e

pro te c tion o f i n formation .

0. 2 Purpose of this document

T he I S M S fam i ly o f s tandard s i nclude s s ta nda rd s that:

a) defi ne re qu i rements for an I S M S a nd for tho s e cer ti fyi ng s uch s ys tem s;

i mplement, ma i ntai n, and i mprove an I S M S;

c) add re s s s e c tor- s p e c i fic gu idel i ne s for I S M S; and

d) add re s s con form ity a s s e s s ment for ISMS .

0. 3 Content of this document

I n th i s do c u ment, the fol lowi ng verb a l form s are u s e d:

— “s hou ld” i nd ic ate s a re com mendation;

— “may” i nd ic ate s a p erm i s s ion;

— “c an” i nd ic ate s a p o s s ibi l ity or a c ap abi l ity.

© I SO /I E C 2 0 1 8 – All rights res erved v

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

INTERNATIONAL STANDARD ISO/IEC 2 7000: 2 01 8(E)

Information technology — Security techniques —

The terms and definitions provided in this document

There are no normative re ferences in this document.

3 Terms and definitions

© I SO /I E C 2 0 1 8 – All rights res erved 1

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

2 © I SO /I E C 2 0 1 8 – All rights res erved

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

© I SO /I E C 2 0 1 8 – All rights res erved 3

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)

N o te 1 to entr y: E x ter n a l conte x t c a n i nclude the fol lowi n g:

envi ron ment, whe ther i nter n atio n a l , n ation a l , re gio n a l o r lo c a l;

— ke y d ri vers a nd trend s h avi ng i mp ac t on the objectives of the organization ( 3 . 5 0) ;

— rel ation s h ip s with , a nd p ercep tio n s a nd va lue s o f, e x ter n a l stakeholders (3 . 3 7 ) .

N o te 1 to entr y: T he gover n i ng b o dy c a n , i n s o me j u r i s d ic tion s , b e a b o a rd o f d i re c tors .

[S O U RC E : I S O/I E C/I E E E 1 59 3 9 : 2 017, 3 .1 2 ]

4 © I SO /I E C 2 0 1 8 – All rights res erved

Descargado por Carlos Lara López (lara_kidd5@hotmail.com)

ISO/IEC 2 7000: 2 01 8(E)