BS PD ISO/IEC TS 33052:2016 Information technology Process reference model (PRM) for information security management


Information technology Process reference model (PRM) for information security management
PD ISO/IEC TS 33052:2016
BSI Standards Publication

National foreword

This Published Document is the UK implementation of ISO/IEC TS 33052:2016. The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2016. Published by BSI Standards Limited 2016
ISBN 978 0 580 92221 3
ICS 35.080

Compliance with a British Standard cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 June 2016.

Amendments/corrigenda issued since publication
Date    Text affected

PUBLISHED DOCUMENT PD ISO/IEC TS 33052:2016

TECHNICAL SPECIFICATION ISO/IEC TS 33052
First edition 2016-06-15
Information technology Process reference model (PRM) for information security management
Technologies de l'information. Modèle de référence des procédés pour le management de la sécurité de l'information
Reference number ISO/IEC TS 33052:2016(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
© ISO/IEC 2016 All rights reserved

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8
CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of the PRM
5 Process descriptions
5.1 Introduction
5.2 ORG.1 Asset management
5.3 TEC.01 Capacity management
5.4 TEC.02 Change management
5.5 COM.01 Communication management
5.6 TEC.03 Configuration management
5.7 COM.02 Documentation management
5.8 ORG.2 Equipment management
5.9 ORG.3 Human resource employment management
5.10 COM.03 Human resource management
5.11 COM.04 Improvement
5.12 TEC.04 Incident management
5.13 ORG.4 Infrastructure and work environment
5.14 COM.05 Internal audit
5.15 TOP.1 Leadership
5.16 COM.06 Management review
5.17 COM.07 Non-conformity management
5.18 COM.09 Operational implementation and control
5.19 COM.08 Operational planning
5.20 COM.10 Performance evaluation
5.21 TEC.05 Product/service release
5.22 TEC.08 Product/Service/System requirements
5.23 COM.11 Risk and opportunity management
5.24 TEC.06 Service availability management
5.25 TEC.07 Service continuity management
5.26 ORG.5 Supplier management
5.27 TEC.09 Technical data preservation and recovery
Annex A (informative) The relationship between management system requirements and a process reference model
Annex B (informative) Statement of conformity to ISO/IEC 33004
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.

Introduction

The purpose of this Technical Specification is to facilitate the development of a process assessment model (PAM) described in ISO/IEC TS 33072. ISO/IEC 33002 describes the requirements for the conduct of an assessment. ISO/IEC 33020 describes the measurement scale for assessing the process quality characteristic of process capability. ISO/IEC 33001 describes the concepts and terminology used for process assessment.

A process reference model (PRM) is a model comprising definitions of processes described in terms of process purpose and outcomes, together with an architecture describing the relationships between the processes. Using the PRM in a practical application may require additional elements suited to the environment and circumstances.

The PRM specified in this Technical Specification describes the processes including the information security management system (ISMS) processes implied by ISO/IEC 27001. Each process of this PRM is described in terms of a purpose and outcomes and provides traceability to requirements. The PRM does not attempt to place the processes in any specific environment nor does it pre-determine any level of process capability required to fulfil the ISO/IEC 27001 requirements. The PRM is not intended to be used for a conformity assessment audit or as a process implementation reference guide.

The relationships between ISO/IEC TR 24774, ISO/IEC 27001, ISO/IEC 33002, ISO/IEC 33004, ISO/IEC 33020, ISO/IEC TS 33052 and ISO/IEC TS 33072 are shown in Figure 1.

[Figure 1: Relationships between relevant standards]

Any organization may define processes with additional elements in order to suit it to its specific environment and circumstances. Some processes cover general management aspects of an organization. These processes have been identified in order to give coverage to the requirements of ISO/IEC 27001. The PRM does not provide the evidence required by ISO/IEC 27001. The PRM does not specify the interfaces between the processes.

This Technical Specification describes a PRM for information security management with descriptions of processes in Clause 5. Annex A provides the statement of conformity in accordance with ISO/IEC 33002.

TECHNICAL SPECIFICATION ISO/IEC TS 33052:2016(E)

Information technology Process reference model (PRM) for information security management

1 Scope

This Technical Specification defines a process reference model (PRM) for the domain of information security management. The model architecture specifies a process architecture for the domain and comprises a set of processes, with each described in terms of process purpose and outcomes.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27001:2013, Information technology Security techniques Information security management systems Requirements
ISO/IEC 33001, Information technology Process assessment Concepts and terminology

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27001 and ISO/IEC 33001 apply.

4 Overview of the PRM

This Clause describes the structure of a process reference model to support information security management. The process reference model includes processes, which can already exist in the context of a management system of a service provider. Figure 2 identifies the processes derived from ISO/IEC 27001 requirements.

[Figure 2: Processes in the process reference model]

5 Process descriptions

5.1 Introduction

Each process in the PRM has the following descriptive elements:

a) Process ID: Each process belonging to a Group is identified with a Process Identifier ID consisting of the Group abbreviated name and a sequential number of the process in that Group.
b) Name: The name of a process is a short phrase that summarizes the scope of the process, identifying the principal concern of the process, and distinguishes it from other processes within the scope of the process reference model.
c) Context: For each process, a brief overview describes the intended context of the application of the process.
d) Purpose: The purpose of the process is a high-level, overall goal for performing the process.
e) Outcomes: An outcome is an observable result of the successful achievement of the process purpose. Outcomes are measurable, tangible, technical or business results that are achieved by a process. Outcomes are observable and assessable.
f) Requirements traceability: The outcomes are based on the requirements of ISO/IEC 27001. The references identify the applicable subclauses of ISO/IEC 27001, the subclause heading, and the outcomes that are supported.

In 5.2 to 5.27, all entries in the requirements traceability row end with numbers in square brackets (i.e. [n]). Each number in the square brackets is a reference to a numbered outcome. These outcomes are directly linked to the requirements of ISO/IEC 27001. Some outcomes are shown in square brackets. These are only indirectly linked to requirements of ISO/IEC 27001. The outcomes in square brackets are not referenced by any of the entries in the requirements traceability row. These additional outcomes have been included because they are considered necessary in order for this type of PRM to serve as the basis of the PAM (ISO/IEC TS 33072). With these additional outcomes, the process is complete and the process purpose can be achieved.

5.2 ORG.1 Asset management

Process ID: ORG.1
Name: Asset management
Purpose: The purpose of Asset Management is to establish and maintain the integrity of all identified product assets.
Context: This process is concerned with establishing and maintaining the identity of the products and their configuration information to enable effective control of the products. The scope of assets may include physical assets (e.g. infrastructure, hardware, software) and intangible assets (e.g. intellectual property).
Outcomes: As a result of successful implementation of this process:
1. Items requiring asset management are identified.
2. Asset items are classified.
3. Assets are inventoried.
4. The status of assets is identified.
5. Changes to assets under management are controlled.
Requirements traceability:
27001 2ED A.08.1.1 Inventory of assets [1,3,5]
27001 2ED A.08.2.1 Classification of information [2]
27001 2ED A.08.3.2 Disposal of media [5]
27001 2ED A.08.3.3 Physical media transfer [5]

5.3 TEC.01 Capacity management

Process ID: TEC.01
Name: Capacity management
Purpose: The purpose of Capacity Management is to ensure that the organization has the capacity to meet current and future system performance requirements.
Context: This process ensures that there are sufficient resources and capacity to meet current and future agreed requirements in a cost-effective and timely manner. The process enables a service provider to provide sufficient resources across an entire service in order to deliver the agreed service performance and meet the service-level targets.
Outcomes: As a result of successful implementation of this process:
1. Current and future capacity and performance requirements are identified.
2. Capacity is provided to meet current capacity and performance requirements.
3. Capacity usage is monitored, analysed and performance is tuned.
4. Capacity is prepared to meet future capacity and performance needs.
Requirements traceability:
27001 2ED A.12.1.3 Capacity management [3]

5.4 TEC.02 Change management

Process ID: TEC.02
Name: Change management
Purpose: The purpose of Change Management is to provide the focus for all activities associated with changes associated with product, services, processes and systems used to produce a product or deliver a service.
Context: Changes to products, services and systems, their applications and infrastructure, are planned and controlled to ensure timeliness without unnecessary disruption.
Outcomes: As a result of successful implementation of this process:
1. Change requests are classified.
2. Change requests are analysed and assessed using defined criteria.
3. Changes are approved or rejected using defined criteria.
4. Changes are implemented, as appropriate.
Requirements traceability:
27001 2ED A.15.2.2 Managing changes to supplier services [2]

5.5 COM.01 Communication management

Process ID: COM.01
Name: Communication management
Purpose: The purpose of Communication Management is to produce timely and accurate information products to support effective communication and decision making.
Context: This process represents the focus for all communication activities associated with the managem
