1、BSI Standards Publication PD ISO/IEC TR 27016:2014 Information technology Security techniques Information security management Organizational economicsPD ISO/IEC TR 27016:2014 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of ISO/IEC TR 27016:2014. The UK partic
2、ipation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are resp
3、onsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 74023 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the St
4、andards Policy and Strategy Committee on 28 February 2014. Amendments issued since publication Date Text affectedPD ISO/IEC TR 27016:2014 ISO/IEC 2014 Information technology Security techniques Information security management Organizational economics Technologies de linformation Techniques de scurit
5、 Management de la scurit de linformation conomie organisationnelle TECHNICAL REPORT ISO/IEC TR 27016 First edition 2014-03-01 Reference number ISO/IEC TR 27016:2014(E)PD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E)ii ISO/IEC 2014 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2014 All rig
6、hts reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from e
7、ither ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandPD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) ISO
8、/IEC 2014 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 3 5 Structure of this Document . 3 6 Information Security Economic Factors . 4 6.1 Management Decisions 4 6.2 Business Cases . 4 6.3 Stakeh
9、older Interests 7 6.4 Economic Decision Review . 8 7 Economic Objectives . 8 7.1 Introduction 8 7.2 Information Asset Valuations . 8 8 Balancing Information Security Economics for ISM .10 8.1 Introduction .10 8.2 Economic Benefits .11 8.3 Economic Costs 11 8.4 Applying Economic Calculations to ISM .
10、12 Annex A (informative) Identification of Stak eholders and Objecti v es for S etting V alues 17 Annex B (informative) Economic Decisions and Key Cost Decision Factors .19 Annex C (informative) Economic Models Appropriate for Information Security .22 Annex D (informative) Business Cases Calculation
11、 Examples 26 Bibliography .31PD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO o
12、r IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
13、governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directive
14、s, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the nat
15、ional bodies casting a vote. In exceptional circumstances, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example), it may decide to publish a Technical Report. A Technical Report i
16、s entirely informative in nature and shall be subject to review every five years in the same manner as an International Standard. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identi
17、fying any or all such patent rights. ISO/IEC TR 27016 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.iv ISO/IEC 2014 All rights reservedPD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) Introduction This Technical Report pro
18、vides guidelines on information security economics as a decision making process concerning the production, distribution, and consumption of limited goods and services. Actions for the protection of an organizations information assets require resources, which otherwise could be allocated to alternati
19、ve non-information security related uses. The reader of this Technical Report is primarily intended to be executive management who have delegated responsibility from the governing body for strategy and policy, e.g. Chief Executive Officers (CEOs), Heads of Government Organizations, Chief Financial O
20、fficers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and similar roles. Information security management is often seen as an information technology only approach using technical controls (e.g. encryption, access and privilege
21、management, firewalls, and intrusion and malicious code eradication). However, any application of information security is not effective without considering a broad range of other controls (e.g. physical controls, human resource controls, policies and rules, etc.). A decision has to be made to alloca
22、te sufficient resources to support a broad range of controls as part of information security management. This Technical Report supports the broad objectives of information security as provided in the ISO/IEC 27000 family of standards by introducing economics as a key component of the decision making
23、 process. Coupled with a risk management approach (ISO/IEC 27005 5 ) and the ability to perform information security measurements (ISO/IEC 27004 4 ), economic factors need to be considered as part of information security management when planning, implementing, maintaining and improving the security
24、of the organizations information assets. In particular, economic justifications are required to ensure spending on information security is effective as opposed to using the resources in a less efficient way. Typically, economic benefits of information security management concern one or more of the f
25、ollowing: a) minimizing any negative impact to the organizations business objectives; b) ensuring any financial loss is acceptable; c) avoiding requirements for additional risk capital and contingency provisioning. Information security management may also produce benefits that are not driven by fina
26、ncial concerns alone. While these non-financial benefits are important, they are usually excluded from financial based economic analysis. Such benefits need to be quantified and included as part of the economic analysis. Examples include: a) enabling the business to participate in high-risk endeavou
27、rs; b) enabling the business to satisfy legal and regulatory obligations; c) managing customer expectations of the organization; d) managing community expectations of the organization; e) maintaining a trusted organizational reputation; f) providing assurance of completeness and accuracy of financia
28、l reporting. Negative financial and non-financial economic impacts as a result of a failure by the organization to provide adequate protection of its information assets are increasingly becoming a business issue. The value of information security management includes identifying a direct relationship
29、 between the cost of controls to prevent loss, and the cost benefit of avoiding a loss. Increasing levels of competition are resulting in the need for organizations to focus on the economics of risk. ISO/IEC 2014 All rights reserved vPD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) This Technical Re
30、port supplements the ISO/IEC 27000 family of standards by overlaying an economic perspective on protecting an organizations information assets in the context of the wider societal environment in which an organization operates.vi ISO/IEC 2014 All rights reservedPD ISO/IEC TR 27016:2014TECHNICAL REPOR
31、T ISO/IEC TR 27016:2014(E) Information technology Security techniques Information security management Organizational economics 1 Scope This Technical Report provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decision
32、s in the context of competing requirements for resources. This Technical Report is applicable to all types and sizes of organizations and provides information to enable economic decisions in information security management by top management who have responsibility for information security decisions.
33、 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amen
34、dments) applies. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply. 3.1 annualized loss expec
35、tancy ALE monetary loss (3.13) that can be expected for an asset due to a risk over a one year period Note 1 to entry: ALE is defined as: ALE = SLE ARO, where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence. 3.2 direct value value that can be determined by a value of a
36、n identical replacement or substitute in the event of an information asset or assets being harmed or lost Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as loss if the event occurs. 3.3 economic factor item or information that affects an assets value
37、3.22) 3.4 economic comparison consideration of competing or alternative cases for the allocation of resource ISO/IEC 2014 All rights reserved 1PD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) 3.5 e c onom ic ju s t i f ic at ion element of business case desiged to enable the allocation of resource
38、3.6 economic value added measure that compares net operating profit to total cost of capital 3.7 economics efficient use of limited resources 3.8 expected value value estimated as an impact to the business by an information asset being harmed or lost Note 1 to entry: This value is positive as long a
39、s the information asset is not harmed but seen as loss if the event occurs. 3.9 extended value expected value times the number of times that value might occur 3.10 indirect value value that is estimated for the replacement or restoring in the event of an information asset or assets being harmed or l
40、ost Note 1 to entry: This value is positive as long as the information asset is not harmed but seen as negative if the event occurs. 3.11 information security economics efficient use of limited resources for information security management 3.12 information security management ISM managing the preser
41、vation of confidentiality, integrity and availability of information 3.13 loss reduction in the value (3.22) of an asset Note 1 to entry: In terms of information security economics (3.11), a loss may also be used in the context as a positive value. In this document a cost is always negative unless o
42、therwise stated. 3.14 m a rk e t v a l u e highest price that a ready, willing and able buyer will pay and the lowest price a seller will accept 3.15 net present value sum of the present values (3.16) of the individual cash flows of the same entity 3.16 present value current worth of a future sum of
43、 money or stream of cash flows given a specified rate of return 3.17 n o n e c o n o m i c b e n e f i t benefit for which no payment has been made2 ISO/IEC 2014 All rights reservedPD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) 3.18 opportunity cost future estimated cost for a certain information
44、security activity or activities 3.19 opportunity value future estimated positive value gained from a certain information security activity or activities 3.20 regulatory requirements mandatory resource demands associated with a specific market 3.21 return on investment measurement per period rates of
45、 return on value invested in an economic entity 3.22 societal value public distinction between right and wrong 3.23 value relative worth of an asset to other objects or a defined absolute value Note 1 to entry: In terms of information security economics (3.11) a value may be positive or negative. In
46、 this document a value is always positive unless otherwise stated. 3.24 v a l u e - a t- r i s k VA R summarizes the worst loss (3.13) over a target time that will not be exceeded with a given probability Note 1 to entry: Target time for example could be 1 year and the given probability could also b
47、e referred to as confidence level. 4 Abbreviated terms BVM Basic Value Model CIA ConfidentialityIntegrityAvailability ICT Information and Communications Technology IRP Interest Rate Parity ISMS Information Security Management System ROI Return On Investment 5 Structure of this Document Fundamental t
48、o the organizational economics of information security management is the ability to enable economic values to be presented to management thereby enabling better factual based decisions regarding the resources to be applied to the protection of the organizations information assets. In this Technical
49、Report Clause 6 descibes information security economic factors and their relevance in management decision making. Clause 7 describes the economic objectives in terms of asset evaluations. Clause 8 describes how to apply an economic balance using information security benefits and costs in an organizational context in general and using examples depending on the category of a business case. ISO/IEC 2014 All rights reserved 3PD ISO/IEC TR 27016:2014ISO/IEC TR 27016:2014(E) These clauses are supported by a num
