AS/NZS ISO/IEC 27005:2012
AS/NZS ISO/IEC 27005:2012
Australian/New Zealand Standard™ Information technology—Security techniques—Information security risk management (ISO/IEC 27005:2011, MOD)
AS/NZS ISO/IEC 27005:2012 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Security. It was approved on behalf of the Council of Standards Australia on 13 June 2012 and on behalf of the Council of Standards New Zealand on 18 June 2012. This Standard was published on 29 June 2012.
The following are represented on Committee IT-012: Attorney General’s Department Australia Post Australian Association of Permanent Building Societies Australian Chamber of Commerce and Industry Australian Government Information Management Office Australian Industry Group Australian Information Industry Association Australian Payments Clearing Association Certification Forum of Australia Consumers Federation of Australia Council of Small Business Organisations of Australia Department of Defence Department of Social Welfare, New Zealand Government Communication Security Bureau, New Zealand Internet Industry Association National ICT Australia New Zealand Defence Force NSW Police Force Reserve Bank of Australia
Keeping Standards up-to-date Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased. Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.saiglobal.com.au or Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization. We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover.
This Standard was issued in draft form for comment as DR AS/NZS ISO/IEC 27005.
AS/NZS ISO/IEC 27005:2012
Australian/New Zealand Standard™ Information technology—Security techniques—Information security risk management (ISO/IEC 27005:2011, MOD)
Originated as HB 231:2000. Previous edition HB 231:2004. Jointly revised and redesignated as AS/NZS ISO/IEC 27005:2012.
COPYRIGHT © Standards Australia Limited/Standards New Zealand All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher, unless otherwise permitted under the Copyright Act 1968 (Australia) or the Copyright Act 1994 (New Zealand). Jointly published by SAI Global Limited under licence from Standards Australia Limited, GPO Box 476, Sydney, NSW 2001 and by Standards New Zealand, Private Bag 2439, Wellington 6140.
ISBN 978 1 74342 192 5
AS/NZS ISO/IEC 27005:2012
ii
PREFACE This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Security to supersede HB 231:2004, Information security risk management guidelines. The objective of this Standard is to endorse this important Standard as applicable for Australian use. This Standard is an adoption with national modifications and has been reproduced from ISO/IEC 27005:2011, Information technology—Security techniques—Information security risk management and has been varied as indicated to take account of Australian/New Zealand conditions. The modifications are specified in Appendix ZZ. This Standard contains all the normative requirements of ISO/IEC 27005:2011. It differs from ISO/IEC 27005:2011 as follows: (a)
Informative Annex E (Information security risk assessment approaches) has been removed from the source text because the Committee considers that it is potentially misleading. Appendix ZZ specifies a replacement Annex E in which more comprehensive guidance on the topic of risk assessment is indicated by reference to IEC/ISO 31010.
(b)
Consequential editorial changes have been made consistent with the deletion of Annex E.
As this Standard is reproduced from an International Standard, the following applies: (i)
Its number appears on the cover and title page while the International Standard number appears only on the cover.
(ii)
In the source text ‘this International Standard’ should read ‘this Australian/New Zealand Standard’.
(iii) A full point substitutes for a comma when referring to a decimal marker. References to International Standards should be replaced by references to Australian or Australian/New Zealand Standards, as follows: Reference to International Standard
Australian/New Zealand Standard
ISO/IEC 27000 Information technology—Security techniques—Information security management systems—Overview and vocabulary
AS/NZS ISO/IEC —
27001
27001
Information technology—Security techniques—Information security management systems—Requirements
Information technology—Security techniques—Information security management systems—Requirements
The terms ‘normative’ and ‘informative’ have been used in this Standard to define the application of the annex or appendix to which they apply. A ‘normative’ annex or appendix is an integral part of a Standard, whereas an ‘informative’ annex or appendix is only for information and guidance.
AS/NZS ISO/IEC 27005:2012
Contents
iii
Page
CONTENTS Foreword .............................................................................................................................................................v Introduction........................................................................................................................................................vi 1
Scope ......................................................................................................................................................1
2
Normative references............................................................................................................................1
3
Terms and definitions ...........................................................................................................................1
4
Structure of this International Standard .............................................................................................5
5
Background............................................................................................................................................6
6
Overview of the information security risk management process ....................................................7
7
Context establishment ........................................................................................................................10
7.1
General considerations.......................................................................................................................10
7.2
Basic Criteria .......................................................................................................................................10
7.2.1
Risk management approach ..............................................................................................................10
7.2.2
Risk evaluation criteria .......................................................................................................................10
7.2.3
Impact criteria ......................................................................................................................................11
7.2.4
Risk acceptance criteria .....................................................................................................................11
7.3
Scope and boundaries ........................................................................................................................12
7.4
Organization for information security risk management ................................................................12
8
Information security risk assessment...............................................................................................13
8.1
General description of information security risk assessment .......................................................13
8.2
Risk identification................................................................................................................................13
8.2.1
Introduction to risk identification ......................................................................................................13
8.2.2
Identification of assets........................................................................................................................14
8.2.3
Identification of threats.......................................................................................................................14
8.2.4
Identification of existing controls......................................................................................................15
8.2.5
Identification of vulnerabilities ..........................................................................................................15
8.2.6
Identification of consequences..........................................................................................................16
8.3
Risk analysis........................................................................................................................................17
8.3.1
Risk analysis methodologies .............................................................................................................17
8.3.2
Assessment of consequences...........................................................................................................18
8.3.3
Assessment of incident likelihood ....................................................................................................18
8.3.4
Level of risk determination.................................................................................................................19
8.4
Risk evaluation ....................................................................................................................................19
9
Information security risk treatment ...................................................................................................20
9.1
General description of risk treatment ...............................................................................................20
© ISO/IEC 2011 – All rights reserved
iii
AS/NZS ISO/IEC 27005:2012
iv
ISO/IEC 27005:2011(E) Page 9.2
Risk modification .................................................................................................................................22
9.3
Risk retention .......................................................................................................................................23
9.4
Risk avoidance.....................................................................................................................................23
9.5
Risk sharing .........................................................................................................................................23
10
Information security risk acceptance ................................................................................................24
11
Information security risk communication and consultation ...........................................................24
12
Information security risk monitoring and review .............................................................................25
12.1
Monitoring and review of risk factors................................................................................................25
12.2
Risk management monitoring, review and improvement................................................................26
Annex A (informative) Defining the scope and boundaries of the information security risk management process ..........................................................................................................................28 A.1 Study of the organization....................................................................................................................28 A.2 List of the constraints affecting the organization ............................................................................29 A.3 List of the legislative and regulatory references applicable to the organization..........................31 A.4 List of the constraints affecting the scope .......................................................................................31 Annex B (informative) Identification and valuation of assets and impact assessment.............................33 B.1 Examples of asset identification ........................................................................................................33 B.1.1 The identification of primary assets ..................................................................................................33 B.1.2 List and description of supporting assets ........................................................................................34 B.2 Asset valuation ....................................................................................................................................38 B.3 Impact assessment..............................................................................................................................41 Annex C (informative) Examples of typical threats .......................................................................................42 Annex D (informative) Vulnerabilities and methods for vulnerability assessment ....................................45 D.1 Examples of vulnerabilities ................................................................................................................45 D.2 Methods for assessment of technical vulnerabilities ......................................................................48 Annex E (informative) Information security risk assessment approaches .................................................50 E.1 High-level information security risk assessment.............................................................................50 E.2 Detailed information security risk assessment ................................................................................51 E.2.1 Example 1 Matrix with predefined values .........................................................................................52 E.2.2 Example 2 Ranking of Threats by Measures of Risk .......................................................................54 E.2.3 Example 3 Assessing a value for the likelihood and the possible consequences of risks .........54 Annex F (informative) Constraints for risk modification...............................................................................56 Annex G (informative) Differences in definitions between ISO/IEC 27005:2008 and ISO/IEC 27005:2011............................................................................................................................................58 Bibliography ......................................................................................................................................................68
ISO/IEC 27005:2011(E)
AS/NZS ISO/IEC 27005:2012
Introduction
v
INTRODUCTION
This International Standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management (ISMS) according to ISO/IEC 27001. However, this International Standard does not provide any specific method for information security risk management. It is up to the organization to define their approach to risk management, depending for example on the scope of the ISMS, context of risk management, or industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS. This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.
vi
© ISO/IEC 2011 – All rights reserved
AS/NZS ISO/IEC 27005:2012
vi
NOTES
AS/NZS ISO/IEC 27005:2012
1
AUSTRALIAN/NEW ZEALAND STANDARD
Information technology — Security techniques — Information Information techniques—Information security security risktechnology—Security management risk management (ISO/IEC 27005:2011, MOD)
1
Scope
This International Standard provides guidelines for information security risk management. This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this International Standard. This International Standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.
2
Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
3
Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply. NOTE
Differences in definitions between ISO/IEC 27005:2008 and this International Standard are shown in Annex G.
3.1 consequence outcome of an event (3.3) affecting objectives [ISO Guide 73:2009] NOTE 1
An event can lead to a range of consequences.
NOTE 2
A consequence can be certain or uncertain and in the context of information security is usually negative.
NOTE 3
Consequences can be expressed qualitatively or quantitatively.
NOTE 4
Initial consequences can escalate through knock-on effects.
1
© ISO/IEC 2011 – All rights reserved
COPYRIGHT
AS/NZS ISO/IEC 27005:2012 Information technology - Security techniques - Information security risk management This is a free sample only. Purchase the full publication here: http://shop.standards.co.nz/catalog/27005%3A2012%28AS%7CNZS+ISO%7CIEC%29/view Or contact Standards New Zealand using one of the following methods. Freephone: Phone: Fax: Email
0800 782 632 (New Zealand) +64 4 498 5990 +64 4 498 5994
[email protected]
