ImageVerifierCode 换一换
格式:PDF , 页数:24 ,大小:625.33KB ,
资源ID:685228      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-685228.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(DIN ISO IEC 27000-2011 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO IEC 27000 2009)《信息技术 安全技术 信息安全管理系统 总论和词.pdf)为本站会员(confusegate185)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

DIN ISO IEC 27000-2011 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO IEC 27000 2009)《信息技术 安全技术 信息安全管理系统 总论和词.pdf

1、July 2011 Translation by DIN-Sprachendienst.English price group 13No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 0

2、1.040.35; 35.040!$sA|“1803089www.din.deDDIN ISO/IEC 27000Information technology Security techniques Information security management systems Overview and vocabulary (ISO/IEC 27000:2009)English translation of DIN ISO/IEC 27000:2011-07Informationstechnik IT-Sicherheitsverfahren Informationssicherheits-

3、Managementsysteme berblick und Terminologie(ISO/IEC 27000:2009)Englische bersetzung von DIN ISO/IEC 27000:2011-07Technologies de linformation Techniques de scurit Systmes de gestion de la scurit des informations Vue densemble et vocabulaire (ISO/CEI 27000:2009)Traduction anglaise de DIN ISO/IEC 2700

4、0:2011-07www.beuth.deDocument comprises pagesIn case of doubt, the German-language original shall be considered authoritative.2406.11 Contents Page National foreword .3 National Annex NA (informative) Bibliography.3 0 Introduction4 0.1 Overview.4 0.2 ISMS family of standards 4 0.3 Purpose of this In

5、ternational Standard .5 1 Scope 6 2 Terms and definitions6 3 Information security management systems11 3.1 Introduction11 3.2 What is an ISMS?.12 3.3 Process approach13 3.4 Why an ISMS is important.14 3.5 Establishing, monitoring, maintaining and improving an ISMS .15 3.6 ISMS critical success facto

6、rs .16 3.7 Benefits of the ISMS family of standards 16 4 ISMS family of standards 17 4.1 General information.17 4.2 Standards describing an overview and terminology .18 4.3 Standards specifying requirements.18 4.4 Standards describing general guidelines19 4.5 Standards describing sector-specific gui

7、delines.20 Annex A (informative) Verbal forms for the expression of provisions.21 Annex B (informative) Categorized terms.22 Bibliography 24 2 DIN ISO/IEC 27000:2011-07 National foreword This standard has been prepared by Joint Technical Committee ISO/IEC JTC 1 “Information technology”, Subcommittee

8、 SC 27 “IT Security techniques”. The responsible German body involved in its preparation was the Normenausschuss Informationstechnik und Anwendungen (Information Technology and selected IT Applications Standards Committee), Working Committee NA 043-01-27 AA IT-Sicherheitsverfahren. Attention is draw

9、n to the possibility that some of the elements of this document may be the subject of patent rights. DIN shall not be held responsible for identifying any or all such patent rights. ISO 9000 DIN EN ISO 9000 ISO/IEC 17021 DIN ISO/IEC 17021 ISO 19011 DIN EN ISO 19011 ISO/IEC 27001 DIN ISO/IEC 27001 IS

10、O/IEC 27002 DIN ISO/IEC 27002 ISO 27799 DIN EN ISO 27799 National Annex NA (informative) Bibliography DIN EN ISO 9000, Quality management systems Fundamentals and vocabulary DIN EN ISO/IEC 17021, Conformity assessment Requirements for bodies providing audit and certification of management systems DI

11、N EN ISO 19011 Guidelines for quality and/or environmental management systems auditing DIN ISO/IEC 27001, Information technology Security techniques Information security management systems Requirements DIN ISO/IEC 27002, Information technology Security techniques Code of practice for information sec

12、urity management DIN EN ISO 27799, Health informatics Information security management in health using ISO/IEC 27002 3 DIN ISO/IEC 27000:2011-07 The DIN Standards corresponding to the International Standards referred to in this document are as follows: 0 Introduction 0.1 Overview International Standa

13、rds for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated t

14、o the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards. Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the se

15、curity of their information assets and prepare for an independent assessment of their ISMS applied to the protection of information, such as financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. 0.2 ISMS family of standard

16、s The ISMS family of standards1)is intended to assist organizations of all types and sizes to implement and operate an ISMS. The ISMS family of standards consists of the following International Standards, under the general title Information technology Security techniques: ISO/IEC 27000:2009, Informa

17、tion security management systems Overview and vocabulary ISO/IEC 27001:2005, Information security management systems Requirements ISO/IEC 27002:2005, Code of practice for information security management ISO/IEC 27003, Information security management system implementation guidance ISO/IEC 27004, Info

18、rmation security management Measurement ISO/IEC 27005:2008, Information security risk management ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems ISO/IEC 27007, Guidelines for information security management systems auditing ISO

19、/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 NOTE The general title “Information technology Security techniques” indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subc

20、ommittee SC 27, IT Security techniques. 1) Standards identified throughout this subclause with no release year indicated are still under development. Information technology Security techniques Information security management systems Overview and vocabulary 4 DIN ISO/IEC 27000:2011-07 0.3 Purpose of

21、this International Standard This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms. NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or

22、guidance in the ISMS family of standards. The ISMS family of standards includes standards that: a) define requirements for an ISMS and for those certifying such systems; b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirem

23、ents; c) address sector-specific guidelines for ISMS; and d) address conformity assessment for ISMS. The terms and definitions provided in this International Standard: cover commonly used terms and definitions in the ISMS family of standards; will not cover all terms and definitions applied within t

24、he ISMS family of standards; and do not limit the ISMS family of standards in defining terms for own use. Standards addressing only the implementation of controls, as opposed to addressing all controls, from ISO/IEC 27002 are excluded from the ISMS family of standards. To reflect the changing status

25、 of the ISMS family of standards, this International Standard is expected to be continually updated on a more frequent basis than would normally be the case for other ISO/IEC standards. International Standards not under the same general title that are also part of the ISMS family of standards are as

26、 follows: ISO 27799:2008, Health informatics Information security management in health using ISO/IEC 27002 5 DIN ISO/IEC 27000:2011-07 1 Scope This International Standard provides: a) an overview of the ISMS family of standards; b) an introduction to information security management systems (ISMS); c

27、) a brief description of the Plan-Do-Check-Act (PDCA) process; and d) terms and definitions for use in the ISMS family of standards. This International Standard is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations). 2 Terms and defini

28、tions For the purposes of this document, the following terms and definitions apply. NOTE A term in a definition or note which is defined elsewhere in this clause is indicated by boldface followed by its entry number in parentheses. Such a boldface term can be replaced in the definition by its comple

29、te definition. For example: attack (2.4) is defined as “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3)”; asset is defined as “anything that has value to the organization”. If the term “asset” is replaced by its definition:

30、attack then becomes “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization”. 2.1 access control means to ensure that access to assets (2.3) is authorized and restricted based on business and security r

31、equirements 2.2 accountability responsibility of an entity for its actions and decisions 6 DIN ISO/IEC 27000:2011-07 2.3 asset anything that has value to the organization NOTE There are many types of assets, including: a) information (2.18); b) software, such as a computer program; c) physical, such

32、 as computer; d) services; e) people, and their qualifications, skills, and experience; and f) intangibles, such as reputation and image. 2.4 attack attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (2.3) 2.5 authentication provisio

33、n of assurance that a claimed characteristic of an entity is correct 2.6 authenticity property that an entity is what it claims to be 2.7 availability property of being accessible and usable upon demand by an authorized entity 2.8 business continuity processes (2.31) and/or procedures (2.30) for ens

34、uring continued business operations 2.9 confidentiality property that information is not made available or disclosed to unauthorized individuals, entities, or processes (2.31) 2.10 control means of managing risk (2.34), including policies (2.28), procedures (2.30), guidelines (2.16), practices or or

35、ganizational structures, which can be administrative, technical, management, or legal in nature NOTE Control is also used as a synonym for safeguard or countermeasure. 2.11 control objective statement describing what is to be achieved as a result of implementing controls (2.10) 2.12 corrective actio

36、n action to eliminate the cause of a detected nonconformity or other undesirable situation ISO 9000:2005 7 DIN ISO/IEC 27000:2011-07 2.13 effectiveness extent to which planned activities are realized and planned results achieved ISO 9000:2005 2.14 efficiency relationship between the results achieved

37、 and how well the resources have been used 2.15 event occurrence of a particular set of circumstances ISO/IEC Guide 73:2002 2.16 guideline recommendation of what is expected to be done to achieve an objective 2.17 impact adverse change to the level of business objectives achieved 2.18 information as

38、set knowledge or data that has value to the organization 2.19 information security preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and reliabili

39、ty (2.33) can also be involved. 2.20 information security event identified occurrence of a system, service or network state indicating a possible breach of information security (2.19) policy (2.28) or failure of controls (2.10), or a previously unknown situation that may be security relevant 2.21 in

40、formation security incident single or a series of unwanted or unexpected information security events (2.20) that have a significant probability of compromising business operations and threatening information security (2.19) 2.22 information security incident management processes (2.31) for detecting

41、, reporting, assessing, responding to, dealing with, and learning from information security incidents (2.21) 2.23 information security management system ISMS part of the overall management system (2.26), based on a business risk approach, to establish, implement, operate, monitor, review, maintain a

42、nd improve information security (2.19) 8 DIN ISO/IEC 27000:2011-07 2.24 information security risk potential that a threat (2.45) will exploit a vulnerability (2.46) of an asset (2.3) or group of assets and thereby cause harm to the organization 2.25 integrity property of protecting the accuracy and

43、completeness of assets (2.3) 2.26 management system framework of policies (2.28), procedures (2.30), guidelines (2.16) and associated resources to achieve the objectives of the organization 2.27 non-repudiation ability to prove the occurrence of a claimed event (2.15) or action and its originating e

44、ntities, in order to resolve disputes about the occurrence or non-occurrence of the event (2.15) or action and involvement of entities in the event (2.15) 2.28 policy overall intention and direction as formally expressed by management 2.29 preventive action action to eliminate the cause of a potenti

45、al nonconformity or other undesirable potential situation ISO 9000:2005 2.30 procedure specified way to carry out an activity or a process (2.31) ISO 9000:2005 2.31 process set of interrelated or interacting activities which transforms inputs into outputs ISO 9000:2005 2.32 record document stating r

46、esults achieved or providing evidence of activities performed ISO 9000:2005 2.33 reliability property of consistent intended behaviour and results 2.34 risk combination of the probability of an event (2.15) and its consequence ISO/IEC Guide 73:2002 9 DIN ISO/IEC 27000:2011-07 2.35 risk acceptance de

47、cision to accept a risk (2.34) ISO/IEC Guide 73:2002 2.36 risk analysis systematic use of information to identify sources and to estimate risk (2.34) ISO/IEC Guide 73:2002 NOTE Risk analysis provides a basis for risk evaluation (2.41), risk treatment (2.43) and risk acceptance (2.35). 2.37 risk asse

48、ssment overall process (2.31) of risk analysis (2.36) and risk evaluation (2.41) ISO/IEC Guide 73:2002 2.38 risk communication exchange or sharing of information about risk (2.34) between the decision-maker and other stakeholders ISO/IEC Guide 73:2002 2.39 risk criteria terms of reference by which the significance of risk (2.34) is assessed ISO/IEC Guide 73:2002 2.40 risk estimation activity to assign values to the probability and consequences of a risk (2.34) ISO/IEC

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1