1、PD ISO/IEC TS 33072:2016 Information technology Process assessment Process capability assessment model for information security management BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06PD ISO/IEC TS 33072:2016 PUBLISHED DOCUMENT National foreword This Published Do
2、cument is the UK implementation of ISO/IEC TS 33072:2016. The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does no
3、t purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 93543 5 ICS 35.080 Compliance with a British Standard cannot confer immunity from legal o
4、bligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 September 2016. Amendments/corrigenda issued since publication Date Text affected Information technology Process assessment Process capability assessment model for information s
5、ecurity management Technologies de linformation valuation des procds Modle dvaluation de la capacit des procds pour le management de la scurit de linformation ISO/IEC TS 33072 First edition 2016-07-15 Reference number ISO/IEC TS 33072:2016(E) TECHNICAL SPECIFICATION ISO/IEC 2016 Corrected version 20
6、16-09-01PD ISO/IEC TS 33072:2016 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of ISO/IEC TS 33072:2016. The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering. A list of organizations represented
7、on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 93
8、543 5 ICS 35.080 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 September 2016. Amendments/corrigenda issued since publication Date Text affected Informat
9、ion technology Process assessment Process capability assessment model for information security management Technologies de linformation valuation des procds Modle dvaluation de la capacit des procds pour le management de la scurit de linformation ISO/IEC TS 33072 First edition 2016-07-15 Reference nu
10、mber ISO/IEC TS 33072:2016(E) TECHNICAL SPECIFICATION ISO/IEC 2016 Corrected version 2016-09-01ISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved iii Contents Page Foreword . v Introduction vi 1 Scope 1 2 Normative references 1 3 Terms and definitions . 1 4 Overview of the Process Assessment
11、Model . 2 4.1 Introduction to Overview 2 4.2 Structure of the Process Assessment Model . 3 4.2.1 Processes . 3 4.2.2 Process dimension 4 4.2.3 Capability dimension 4 4.3 Assessment Indicators . 6 4.3.1 Process Capability Indicators 7 4.3.2 Process Performance Indicators . 8 4.4 Measuring process cap
12、ability 9 5 The process dimension and process performance indicators (Level 1) . 10 5.1 General . 10 5.2 ORG.1 Asset management . 11 5.3 TEC.01 Capacity management . 12 5.4 TEC.02 Change management . 13 5.5 COM.01 Communication management 13 5.6 TEC.03 Configuration management 14 5.7 COM.02 Document
13、ation management . 15 5.8 ORG.2 Equipment management 17 5.9 ORG.3 Human resource employment management 18 5.10 COM.03 Human resource management 19 5.11 COM.04 Improvement 20 5.12 TEC.04 Incident management 21 5.13 ORG.4 Infrastructure and work environment . 21 5.14 COM.05 Internal audit 22 5.15 TOP.
14、1 Leadership 23 5.16 COM.06 Management review 24 5.17 COM.07 Non-conformity management 25 5.18 COM.09 Operational implementation and control 26 5.19 COM.08 Operational planning 27 5.20 COM.10 Performance evaluation . 29 5.21 TEC.05 Product/service release . 30 5.22 TEC.08 Product/Service/System requ
15、irements 31 5.23 COM.11 Risk and opportunity management . 32 5.24 TEC.06 Service availability management 33 5.25 TEC.07 Service continuity management . 34 5.26 ORG.5 Supplier management . 34 5.27 TEC.09 Technical data preservation and recovery 35 6 Process capability indicators . 36 6.1 Introduction
16、 36 6.2 Process capability levels and process attributes 36 6.2.1 Process capability Level 0: Incomplete process . 36 6.2.2 Process capability Level 1: Performed process 36 6.2.3 Process capability Level 2: Managed process . 37 PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) ii ISO/IEC 2016 All ri
17、ghts reserved iv vISO/IEC TS 33072:2016(E) iv ISO/IEC 2016 All rights reserved 6.2.4 Process capability Level 3: Established process 42 6.2.5 Process capability Level 4: Predictable process 46 6.2.6 Process capability Level 5: Innovating process 51 6.3 Related processes for process attributes 55 Ann
18、ex A (informative) Conformity of the process assessment model . 57 A.1 Introduction . 57 A.2 Requirements for process assessment models 57 A.2.1 Introduction . 57 A.2.2 Process assessment model scope . 57 A.2.3 Requirements for process assessment models 58 A.2.4 Assessment indicators 58 A.2.5 Mappin
19、g process assessment models to process reference models. 59 A.2.6 Expression of assessment results 61 Annex B (informative) Input and output characteristics 62 B.1 General . 62 B.2 Generic input and outputs . 63 B.3 Specific inputs and outputs . 67 Annex C (informative) Association between base prac
20、tices and ISO/IEC 27001 requirements 97 C.1 Associations of base practices with requirements . 98 C.2 Associations of requirements with base practices . 136 C.3 Base practices that have no associated requirements. 180 Bibliography . 183 PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) iii ISO/IEC 2
21、016 All rights reserved 96 97 135 179 182ISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved v Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies th
22、at are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other intern
23、ational organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its
24、further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directive
25、s). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in
26、 the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions r
27、elated to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information techn
28、ology, SC 7, Software and systems engineering. This corrected version of ISO/IEC 33072 incorporates the text that was not visible in Annex B, Table B.3, references 08-39 and 08-40, in the column entitled: “ Characteristics“. PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) iv ISO/IEC 2016 All right
29、s reservedISO/IEC TS 33072:2016(E) vi ISO/IEC 2016 All rights reserved Introduction This Technical Specification provides an Information Security Management Process Assessment Model (PAM) for use in performing a conformant assessment of process capability in accordance with the requirements of ISO/I
30、EC 33002. It is structured in accordance with the requirements of ISO/IEC 33004 to reflect processes that enable implementation of ISO/IEC 27001. The scale for assessing the extent of achievement of process capability is based on ISO/IEC 33020. An integral part of conducting an assessment is to use
31、a PAM that is constructed for that purpose. A PAM is related to a Process Reference Model (PRM) and is conformant with ISO/IEC 33004. ISO/IEC 33002 identifies the minimum requirements for performing an assessment in order to ensure consistency and repeatability of the ratings. ISO/IEC 33002 addresse
32、s the assessment of process and the application of process assessment for improvement and capability determination. Results of conformant process assessments can be compared when the scopes of the assessments are considered to be similar. The requirements for process assessment defined in ISO/IEC 33
33、002 form a structure which: a) facilitates self-assessment; b) provides a basis for use in process improvement and capability determination; c) takes into account the context in which the assessed process is implemented; d) produces a process rating; e) addresses the ability of the process to achiev
34、e its purpose; f) is applicable across all application domains and sizes of organization; g) can provide an objective benchmark between organizations. The PRM defined in ISO/IEC TS 33052 has been used as the basis for the PAM in ISO/IEC TS 33072; the process measurement framework for process capabil
35、ity defined in ISO/IEC 33020 is the basis for the capability measurement scale. The relationship between ISO/IEC 24774, ISO/IEC 27001, ISO/IEC 3002, ISO/IEC 33004, ISO/IEC 33020, ISO/IEC TS 33052 and ISO/IEC TS 33072 is shown in Figure 1. PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) v ISO/IEC 2
36、016 All rights reservedISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved vii Figure 1 Relationships between relevant standards Any organisation can use processes with additional elements in order to suit it to the environment and circumstances. This PAM contains a set of indicators to be con
37、sidered when interpreting the intent of its PRM. It provides greater detail to indicate process performance and capability. The indicators can also be used when implementing a process improvement program or to help evaluate and select an assessment model, method, methodology or tools. This PAM embod
38、ies the core characteristics that could be expected of any PAM consistent with ISO/IEC 33004. Nevertheless any other PAMs meeting the requirements of ISO/IEC 33004 can be used in a conformant assessment. ISO/IEC 33072 has a similar structure to ISO/IEC 15504-5 and ISO/IEC 15504-6. It can be used in
39、conjunction with these process assessment models to support joint assessment of information security processes and system/software life cycle processes. Within this Technical Specification: Clause 4 provides a detailed description of the structure and key components of a PAM, which includes two dime
40、nsions: a process dimension and a capability dimension. Assessment indicators are introduced in this clause; Clause 5 addresses the process dimension. It uses process definitions from ISO/IEC TS 33052 to designate the PRM. The processes of the PRM are described in the PAM in terms of purpose and out
41、comes. The PAM expands the PRM process definitions by including a set of process performance indicators called base practices for each process. The PAM also defines a second set of indicators of process performance by associating inputs and outputs with each process. Clause 5 is also linked directly
42、 to Annex B, which defines the inputs/outputs characteristics; Clause 6 addresses the capability dimension. It duplicates the definitions of the capability levels and process attributes from ISO/IEC 33020, and expands each of the nine attributes through the inclusion of a set of generic practices. T
43、hese generic practices belong to a set of indicators of process capability, in association with generic resource indicators, and generic inputs/outputs indicators. Annex B is also linked directly to Clause 6 as it defines the inputs/outputs characteristics; ISO/IEC TR 24774 - Guidelines for process
44、definition ISO/IEC TS 33052 A process reference model for information security management ISO/IEC TS 33072 A process assessment model for information security management informs provides description of processes assessed by provides requirements ISO/IEC 33002 Requirements for performing process asse
45、ssment ISO/IEC 27001 Information Security management system requirements ISO/IEC 33004 Requirements for process reference, process assessment and maturity models ISO/IEC 33020 Process measurement framework for assessment of process capability ISO/IEC 33003 Requirements for process measurement framew
46、orks PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) vi ISO/IEC 2016 All rights reservedISO/IEC TS 33072:2016(E) viii ISO/IEC 2016 All rights reserved Annex A provides a statement of conformance of the PAM to the requirements defined in ISO/IEC 33004; Annex B provides selected characteristics for
47、typical inputs/outputs to assist the assessor in evaluating the capability level of processes; Annex C contains three tables. Table C.1 identifies the base practices linked to requirements; Table C.2 identifies the requirements linked to base practices; and lastly, Table C.3 identifies the base prac
48、tices not linked to requirements. a Bibliography contains a list of informative references. PD ISO/IEC TS 33072:2016 ISO/IEC TS 33072:2016(E) vii ISO/IEC 2016 All rights reservedTECHNICAL SPECIFICATION ISO/IEC TS 33072:2016(E) ISO/IEC 2016 All rights reserved 1 Information technology Process assessm
49、ent Process capability assessment model for information security management 1 Scope This Technical Specification: defines a process assessment model (PAM) that meets the requirements of ISO/IEC 33004 and that supports the performance of an assessment of process capability by providing indicators for guidance on the interpretation of the process purposes and outcomes as defined in ISO/IEC TS 33052 and the process attributes as defined in ISO/IEC 33020; provides
