ImageVerifierCode 换一换
格式:PDF , 页数:196 ,大小:3.99MB ,
资源ID:398724      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-398724.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS PD ISO IEC TS 33072-2016 Information technology Process assessment Process capability assessment model for information security management《信息技术 过程评定 信息安全管理的过程能力评估模型》.pdf)为本站会员(diecharacter305)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS PD ISO IEC TS 33072-2016 Information technology Process assessment Process capability assessment model for information security management《信息技术 过程评定 信息安全管理的过程能力评估模型》.pdf

1、PD ISO/IEC TS 33072:2016 Information technology Process assessment Process capability assessment model for information security management BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06PD ISO/IEC TS 33072:2016 PUBLISHED DOCUMENT National foreword This Published Do

2、cument is the UK implementation of ISO/IEC TS 33072:2016. The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does no

3、t purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 93543 5 ICS 35.080 Compliance with a British Standard cannot confer immunity from legal o

4、bligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 September 2016. Amendments/corrigenda issued since publication Date Text affected Information technology Process assessment Process capability assessment model for information s

5、ecurity management Technologies de linformation valuation des procds Modle dvaluation de la capacit des procds pour le management de la scurit de linformation ISO/IEC TS 33072 First edition 2016-07-15 Reference number ISO/IEC TS 33072:2016(E) TECHNICAL SPECIFICATION ISO/IEC 2016 Corrected version 20

6、16-09-01PD ISO/IEC TS 33072:2016 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of ISO/IEC TS 33072:2016. The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering. A list of organizations represented

7、on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 93

8、543 5 ICS 35.080 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 September 2016. Amendments/corrigenda issued since publication Date Text affected Informat

9、ion technology Process assessment Process capability assessment model for information security management Technologies de linformation valuation des procds Modle dvaluation de la capacit des procds pour le management de la scurit de linformation ISO/IEC TS 33072 First edition 2016-07-15 Reference nu

10、mber ISO/IEC TS 33072:2016(E) TECHNICAL SPECIFICATION ISO/IEC 2016 Corrected version 2016-09-01ISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved iii Contents Page Foreword . v Introduction vi 1 Scope 1 2 Normative references 1 3 Terms and definitions . 1 4 Overview of the Process Assessment

11、Model . 2 4.1 Introduction to Overview 2 4.2 Structure of the Process Assessment Model . 3 4.2.1 Processes . 3 4.2.2 Process dimension 4 4.2.3 Capability dimension 4 4.3 Assessment Indicators . 6 4.3.1 Process Capability Indicators 7 4.3.2 Process Performance Indicators . 8 4.4 Measuring process cap

12、ability 9 5 The process dimension and process performance indicators (Level 1) . 10 5.1 General . 10 5.2 ORG.1 Asset management . 11 5.3 TEC.01 Capacity management . 12 5.4 TEC.02 Change management . 13 5.5 COM.01 Communication management 13 5.6 TEC.03 Configuration management 14 5.7 COM.02 Document

13、ation management . 15 5.8 ORG.2 Equipment management 17 5.9 ORG.3 Human resource employment management 18 5.10 COM.03 Human resource management 19 5.11 COM.04 Improvement 20 5.12 TEC.04 Incident management 21 5.13 ORG.4 Infrastructure and work environment . 21 5.14 COM.05 Internal audit 22 5.15 TOP.

14、1 Leadership 23 5.16 COM.06 Management review 24 5.17 COM.07 Non-conformity management 25 5.18 COM.09 Operational implementation and control 26 5.19 COM.08 Operational planning 27 5.20 COM.10 Performance evaluation . 29 5.21 TEC.05 Product/service release . 30 5.22 TEC.08 Product/Service/System requ

15、irements 31 5.23 COM.11 Risk and opportunity management . 32 5.24 TEC.06 Service availability management 33 5.25 TEC.07 Service continuity management . 34 5.26 ORG.5 Supplier management . 34 5.27 TEC.09 Technical data preservation and recovery 35 6 Process capability indicators . 36 6.1 Introduction

16、 36 6.2 Process capability levels and process attributes 36 6.2.1 Process capability Level 0: Incomplete process . 36 6.2.2 Process capability Level 1: Performed process 36 6.2.3 Process capability Level 2: Managed process . 37 PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) ii ISO/IEC 2016 All ri

17、ghts reserved iv vISO/IEC TS 33072:2016(E) iv ISO/IEC 2016 All rights reserved 6.2.4 Process capability Level 3: Established process 42 6.2.5 Process capability Level 4: Predictable process 46 6.2.6 Process capability Level 5: Innovating process 51 6.3 Related processes for process attributes 55 Ann

18、ex A (informative) Conformity of the process assessment model . 57 A.1 Introduction . 57 A.2 Requirements for process assessment models 57 A.2.1 Introduction . 57 A.2.2 Process assessment model scope . 57 A.2.3 Requirements for process assessment models 58 A.2.4 Assessment indicators 58 A.2.5 Mappin

19、g process assessment models to process reference models. 59 A.2.6 Expression of assessment results 61 Annex B (informative) Input and output characteristics 62 B.1 General . 62 B.2 Generic input and outputs . 63 B.3 Specific inputs and outputs . 67 Annex C (informative) Association between base prac

20、tices and ISO/IEC 27001 requirements 97 C.1 Associations of base practices with requirements . 98 C.2 Associations of requirements with base practices . 136 C.3 Base practices that have no associated requirements. 180 Bibliography . 183 PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) iii ISO/IEC 2

21、016 All rights reserved 96 97 135 179 182ISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved v Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies th

22、at are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other intern

23、ational organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its

24、further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directive

25、s). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in

26、 the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions r

27、elated to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information techn

28、ology, SC 7, Software and systems engineering. This corrected version of ISO/IEC 33072 incorporates the text that was not visible in Annex B, Table B.3, references 08-39 and 08-40, in the column entitled: “ Characteristics“. PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) iv ISO/IEC 2016 All right

29、s reservedISO/IEC TS 33072:2016(E) vi ISO/IEC 2016 All rights reserved Introduction This Technical Specification provides an Information Security Management Process Assessment Model (PAM) for use in performing a conformant assessment of process capability in accordance with the requirements of ISO/I

30、EC 33002. It is structured in accordance with the requirements of ISO/IEC 33004 to reflect processes that enable implementation of ISO/IEC 27001. The scale for assessing the extent of achievement of process capability is based on ISO/IEC 33020. An integral part of conducting an assessment is to use

31、a PAM that is constructed for that purpose. A PAM is related to a Process Reference Model (PRM) and is conformant with ISO/IEC 33004. ISO/IEC 33002 identifies the minimum requirements for performing an assessment in order to ensure consistency and repeatability of the ratings. ISO/IEC 33002 addresse

32、s the assessment of process and the application of process assessment for improvement and capability determination. Results of conformant process assessments can be compared when the scopes of the assessments are considered to be similar. The requirements for process assessment defined in ISO/IEC 33

33、002 form a structure which: a) facilitates self-assessment; b) provides a basis for use in process improvement and capability determination; c) takes into account the context in which the assessed process is implemented; d) produces a process rating; e) addresses the ability of the process to achiev

34、e its purpose; f) is applicable across all application domains and sizes of organization; g) can provide an objective benchmark between organizations. The PRM defined in ISO/IEC TS 33052 has been used as the basis for the PAM in ISO/IEC TS 33072; the process measurement framework for process capabil

35、ity defined in ISO/IEC 33020 is the basis for the capability measurement scale. The relationship between ISO/IEC 24774, ISO/IEC 27001, ISO/IEC 3002, ISO/IEC 33004, ISO/IEC 33020, ISO/IEC TS 33052 and ISO/IEC TS 33072 is shown in Figure 1. PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) v ISO/IEC 2

36、016 All rights reservedISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved vii Figure 1 Relationships between relevant standards Any organisation can use processes with additional elements in order to suit it to the environment and circumstances. This PAM contains a set of indicators to be con

37、sidered when interpreting the intent of its PRM. It provides greater detail to indicate process performance and capability. The indicators can also be used when implementing a process improvement program or to help evaluate and select an assessment model, method, methodology or tools. This PAM embod

38、ies the core characteristics that could be expected of any PAM consistent with ISO/IEC 33004. Nevertheless any other PAMs meeting the requirements of ISO/IEC 33004 can be used in a conformant assessment. ISO/IEC 33072 has a similar structure to ISO/IEC 15504-5 and ISO/IEC 15504-6. It can be used in

39、conjunction with these process assessment models to support joint assessment of information security processes and system/software life cycle processes. Within this Technical Specification: Clause 4 provides a detailed description of the structure and key components of a PAM, which includes two dime

40、nsions: a process dimension and a capability dimension. Assessment indicators are introduced in this clause; Clause 5 addresses the process dimension. It uses process definitions from ISO/IEC TS 33052 to designate the PRM. The processes of the PRM are described in the PAM in terms of purpose and out

41、comes. The PAM expands the PRM process definitions by including a set of process performance indicators called base practices for each process. The PAM also defines a second set of indicators of process performance by associating inputs and outputs with each process. Clause 5 is also linked directly

42、 to Annex B, which defines the inputs/outputs characteristics; Clause 6 addresses the capability dimension. It duplicates the definitions of the capability levels and process attributes from ISO/IEC 33020, and expands each of the nine attributes through the inclusion of a set of generic practices. T

43、hese generic practices belong to a set of indicators of process capability, in association with generic resource indicators, and generic inputs/outputs indicators. Annex B is also linked directly to Clause 6 as it defines the inputs/outputs characteristics; ISO/IEC TR 24774 - Guidelines for process

44、definition ISO/IEC TS 33052 A process reference model for information security management ISO/IEC TS 33072 A process assessment model for information security management informs provides description of processes assessed by provides requirements ISO/IEC 33002 Requirements for performing process asse

45、ssment ISO/IEC 27001 Information Security management system requirements ISO/IEC 33004 Requirements for process reference, process assessment and maturity models ISO/IEC 33020 Process measurement framework for assessment of process capability ISO/IEC 33003 Requirements for process measurement framew

46、orks PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) vi ISO/IEC 2016 All rights reservedISO/IEC TS 33072:2016(E) viii ISO/IEC 2016 All rights reserved Annex A provides a statement of conformance of the PAM to the requirements defined in ISO/IEC 33004; Annex B provides selected characteristics for

47、typical inputs/outputs to assist the assessor in evaluating the capability level of processes; Annex C contains three tables. Table C.1 identifies the base practices linked to requirements; Table C.2 identifies the requirements linked to base practices; and lastly, Table C.3 identifies the base prac

48、tices not linked to requirements. a Bibliography contains a list of informative references. PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) vii ISO/IEC 2016 All rights reservedTECHNICAL SPECIFICATION ISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved 1 Information technology Process assessm

49、ent Process capability assessment model for information security management 1 Scope This Technical Specification: defines a process assessment model (PAM) that meets the requirements of ISO/IEC 33004 and that supports the performance of an assessment of process capability by providing indicators for guidance on the interpretation of the process purposes and outcomes as defined in ISO/IEC TS 33052 and the process attributes as defined in ISO/IEC 33020; provides

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1