Information Security
ISO/IEC 27005
Second edition 2011-06-01
Information technology — Security techniques — Information security risk management
Technologies de l'information — Techniques de sécurité — Gestion des risques liés à la sécurité de l'information
Reference number ISO/IEC 27005:2011(E)
© ISO/IEC 2011
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword ........ v
Introduction ........ vi
1 Scope ........ 1
2 Normative references ........ 1
3 Terms and definitions ........ 1
4 Structure of this International Standard ........ 5
5 Background ........ 6
6 Overview of the information security risk management process ........ 7
7 Context establishment ........ 10
7.1 General considerations ........ 10
7.2 Basic criteria ........ 10
7.2.1 Risk management approach ........ 10
7.2.2 Risk evaluation criteria ........ 10
7.2.3 Impact criteria ........ 11
7.2.4 Risk acceptance criteria ........ 11
7.3 Scope and boundaries ........ 12
7.4 Organization for information security risk management ........ 12
8 Information security risk assessment ........ 13
8.1 General description of information security risk assessment ........ 13
8.2 Risk...