Main informations

Collections

National standards and national normative documents

Publication date

November 2010

Number of pages

69 p.

Reference

NF ISO/IEC 27005

ICS Codes

03.100.70 Management systems

35.030 IT Security

Classification index

Z74-225

Print number

1 - 11/10/2010

International kinship

ISO/IEC 27005:2008

Sumary

Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

Standard replaced by (1)

NF ISO/IEC 27005

April 2013

Standard Cancelled

Information technology - Security techniques - Information security risk management

ISO/IEC 27005:2011 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011. ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

Table of contents

Avant-propos
v
Introduction
vi
1 Domaine d'application
1
2 Références normatives
1
3 Termes et définitions
1
4 Structure de la présente Norme internationale
3
5 Contexte
3
6 Présentation générale du processus de gestion des risques en sécurité de l'information
4
7 Établissement du contexte
7
7.1 Considérations générales
7
7.2 Critères de base
7
7.3 Domaine d'application et limites
9
7.4 Organisation de la gestion des risques en sécurité de l'information
10
8 Appréciation des risques en sécurité de l'information
10
8.1 Description générale de l'appréciation des risques en sécurité de l'information
10
8.2 Analyse des risques
11
8.3 Évaluation du risque
18
9 Traitement des risques en sécurité de l'information
19
9.1 Description générale du traitement des risques
19
9.2 Réduction du risque
21
9.3 Maintien du risque
22
9.4 Refus du risque
23
9.5 Transfert du risque
23
10 Acceptation des risques en sécurité de l'information
23
11 Communication relative aux risques en sécurité de l'information
24
12 Surveillance et revue du risque en sécurité de l'information
25
12.1 Surveillance et revue des facteurs de risque
25
12.2 Surveillance, revue et amélioration de la gestion des risques
26
Annexe A (informative) Définition du domaine d'application et des limites du processus de gestion des risques en sécurité de l'information
28
A.1 Étude de l'organisation
28
A.2 Liste des contraintes affectant l'organisation
29
A.3 Liste des références législatives et réglementaires applicables à l'organisation
31
A.4 Liste des contraintes affectant le domaine d'application
31
Annexe B (informative) Identification et évaluation des actifs et appréciation des impacts
34
B.1 Exemples d'identification des actifs
34
B.2 Évaluation des actifs
40
B.3 Appréciation des impacts
43
Annexe C (informative) Exemples de menaces types
45
Annexe D (informative) Vulnérabilités et méthodes d'appréciation des vulnérabilités
47
D.1 Exemples de vulnérabilités
47
D.2 Méthodes d'appréciation des vulnérabilités techniques
50
Annexe E (informative) Approches d'appréciation des risques en sécurité de l'information
52
E.1 Appréciation des risques de haut niveau en sécurité de l'information
52
E.2 Appréciation détaillée des risques en sécurité de l'information
53
Annexe F (informative) Contraintes liées à la réduction du risque
59
Bibliographie
61

ZOOM ON ... the Requirements department

To comply with a standard, you need to quickly understand its issues in order to determine its impact on your activity.

The Requirements department helps you quickly locate within the normative text:
- mandatory clauses to satisfy,
- non-essential but useful clauses to know, such as permissions and recommendations.

The identification of these types of clauses is based on the document “ISO / IEC Directives, Part 2 - Principles and rules of structure and drafting of ISO documents ”as well as on a constantly enriched list of verbal forms.

With Requirements, quickly access the main part of the normative text!

With Requirements, quickly access the main part of the normative text!

Need to identify, monitor and decipher standards?

COBAZ is the simple and effective solution to meet the normative needs related to your activity, in France and abroad.

Available by subscription, CObaz is THE modular solution to compose according to your needs today and tomorrow. Quickly discover CObaz!

Request your free, no-obligation live demo

I discover COBAZ