1 Scope
This standard provides guidelines for information security risk management.
This standard supports the general concepts specified in GB/T 22080 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in GB/T 22080 and GB/T 22081 is important for a complete understanding of this standard.
This standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22080-2008 Information Technology — Security Techniques — Information Security Management Systems — Requirements (ISO/IEC 27001:2005, IDT)
GB/T 22081-2008 Information Technology — Security Techniques — Code of Practice for Information Security Management (ISO/IEC 27002:2005, IDT)
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GB/T 22080-2008 and GB/T 22081-2008 and the following apply.
3.1
impact
adverse change to the level of business objectives achieved
3.2
information security risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Note: It is measured in terms of a combination of the likelihood of an event and its consequence.
3.3
risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
[ISO/IEC Guide 73:2002]
3.4
risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
3.5
risk estimation
process to assign values to the probability and consequences of a risk
[ISO/IEC Guide 73:2002]
3.6
risk identification
process to find, list and characterize elements of risk
[ISO/IEC Guide 73:2002]
3.7
risk reduction
actions taken to lessen the probability, negative consequences, or both, associated with a risk
[ISO/IEC Guide 73:2002]
3.8
risk retention
acceptance of the burden of loss or benefit of gain from a particular risk
[ISO/IEC Guide 73:2002]
Note: In the context of information security risks, only negative consequences (losses) are considered for risk retention.
3.9
risk transfer
sharing with another party the burden of loss or benefit of gain, for a risk
[ISO/IEC Guide 73:2002]
Note: In the context of information security risks, only negative consequences (losses) are considered for risk transfer.
4 Structure of This Standard
This standard contains the description of the information security risk management process and its activities.
The background information is provided in Clause 5.
A general overview of the information security risk management process is given in Clause 6.
All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses:
• Context establishment in Clause 7;
• Risk assessment in Clause 8;
• Risk treatment in Clause 9;
• Risk acceptance in Clause 10;
• Risk communication in Clause 11;
• Risk monitoring and review in Clause 12.
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Structure of This Standard
5 Background
6 Overview of the Information Security Risk Management Process
7 Context Establishment
8 Information Security Risk Assessment
9 Information Security Risk Treatment
10 Information Security Risk Acceptance
11 Information Security Risk Communication
12 Information Security Risk Monitoring and Review
Annex A (Informative) Defining the Scope and Boundaries of the Information Security Risk Management Process
Annex B (Informative) Identification and Valuation of Assets and Impact Assessment
Annex C (Informative) Examples of Typical Threats
Annex D (Informative) Vulnerabilities and Methods for Vulnerability Assessment
Annex E (Informative) Information Security Risk Assessment Approaches
Annex F (Informative) Constraints for Risk Reduction
Bibliography