BSI Standards Publication

BS 16000:2015

Security management. Strategic and operational guidelines

Publishing and copyright information

The BSI copyright notice displayed in this document indicates when the document was last issued.

© The British Standards Institution 2015
Published by BSI Standards Limited 2015
ISBN 978 0 580 83490 5
ICS 03.100.01; 13.310

The following BSI references relate to the work on this document:
Committee reference SSM/1
Draft for comment 14/30285865 DC

Publication history
First published, June 2015

Amendments issued since publication
Date    Text affected

Contents

Foreword iii
0 Introduction 1
1 Scope 2
2 Terms and definitions 2
3 Understanding the organization's context 6
    3.1 General 6
    3.2 External context 6
    3.3 Internal context 6
    3.4 Deriving requirements for security management 8
4 Developing the security framework 8
    4.1 General 8
    4.2 Commitment to security management 8
    4.3 Communication and awareness 8
    4.4 Organization structure and roles and responsibilities 9
    4.5 Security advice 10
5 Security risk assessment 10
    5.1 General 10
    5.2 Asset identification 10
    5.3 Security threat and risk analysis 10
    5.4 Risk register 11
6 Implementing security solutions 11
    6.1 General 11
    6.2 Avoidance 12
    6.3 Transfer/sharing 12
    6.4 Elimination 12
    6.5 Mitigation 12
    6.6 Tolerance/acceptance 13
7 Implementing the security programme 13
    7.1 Programme management and accountability 13
    7.2 Security policies 13
    7.3 Security programme 13
8 Security solutions 14
    8.1 General 14
    8.2 Physical security 15
    8.3 Technical security 15
    8.4 Manned security 15
    8.5 Information security 16
    8.6 Procedural security 16
    8.7 Asset management 17
    8.8 Personnel security 18
    8.9 Security in procurement 18
9 Monitoring the security programme and solutions 18
    9.1 General 18
    9.2 Security monitoring and reporting 19
    9.3 Regular reassessment of risks 19
    9.4 Reviewing the security framework 19
    9.5 Exercising and testing 19
    9.6 Auditing 19
    9.7 Management consideration of monitoring and review results 20
Bibliography 21

List of figures
Figure 1 Embedding security management in the organization 1

Summary of pages
This document comprises a front cover, an inside front cover, pages i to iv, pages 1 to 22, an inside back cover and a back cover.

Foreword

Publishing information

This British Standard is published by BSI Standards Limited, under licence from The British Standards Institution, and came into effect on 30 June 2015. It was prepared by Technical Committee SSM/1, Societal security management. A list of organizations represented on this committee can be obtained on request to its secretary.

Use of this document

As a guide, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification or a code of practice and claims of compliance cannot be made to it.

Presentational conventions

The guidance in this standard is presented in roman (i.e. upright) type. Any recommendations are expressed in sentences in which the principal auxiliary verb is “should”.

Commentary, explanation and general informative material is presented in smaller italic type, and does not constitute a normative element.

Contractual and legal considerations

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

0 Introduction

Security management is a vitally important strategic capability for a modern organization that supports the achievement of the organization's objectives by protecting the organization's reputation and financial well-being. Indeed, beyond simply reacting to threats and risks, effective security management proactively supports both the capture and exploitation of opportunity and competitive or service delivery advantage.

As a management discipline, security management is best delivered when it follows a lifecycle process as shown in Figure 1.

The application of the processes in Figure 1 to the various security domains might not all reside in any one area of the organization. Indeed, there are many different ways in which responsibilities can be split across a larger organization. Increasingly, good practice in security management acknowledges the need for close alignment between related security disciplines and, indeed, with other disciplines that rely upon, or are relied upon by, security, such as governance, resilience, risk management, business continuity and disaster recovery, asset management and crisis management. To achieve this, especially where convergence of these disciplines is not adopted as a corporate objective, a common understanding of the challenges in achieving security management is needed to ensure that all efforts are complementary.

Figure 1 Embedding security management in the organization

Successful security is not done “to” the organization “by” a security function. It needs to be embedded in the organization's strategy and processes, such that security is done “by” the organization, which is supported by the security function. Everyone has a role to play in ensuring effective security within the organization.

Security management is one of the major responses to the risks identified by the organization. By definition, therefore, as every organization's risk appetite varies, it follows that the security management undertaken by the organization is bespoke. Security management does not necessarily involve either significant technology adoption and/or significant capital or revenue expenditure.

1 Scope

This British Standard gives guidance on security management for any organization, whether large or small, public or private, to support its viability, productivity, reputation, sustainability and, ultimately, success. The standard clarifies the basic principles of security management and demonstrates how security can be embedded in an organization.

An organization might already have implemented security solutions that have addressed some or all of its requirements, and this standard can be used to assist in the monitoring and review of the organization's security management and to determine how it might be improved.

2 Terms and definitions

For the purposes of this British Standard, the following terms and definitions apply.

2.1 countermeasure
action taken to counter or offset another action

2.2 governing body
individual or group of people ultimately responsible and accountable for the long-term direction and control of the organization
SOURCE: BS 13500:2013, 2.8

2.3 likelihood
chance of something happening
NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.
SOURCE: PD ISO Guide 73:2009, 3.6.1.1

2.4 operational requirements
measures identified as necessary to address risks, threats and vulnerabilities

2.5 organizational resilience
ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper
SOURCE: BS 65000:2014, 2.3
NOTE Organizational resilience is a framework for bringing strategic direction and coherence to the full range of protective functions undertaken by an organization, including for example security management, risk management, business continuity management, supply chain management and crisis management.

2.6 residual risk
risk remaining after risk treatment
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as “retained risk”.
SOURCE: PD ISO Guide 73:2009, 3.8.1.6

2.7 risk
effect of uncertainty on objectives
NOTE 1 Although sometimes used colloquially to indicate something that is undesirable, “risk” as defined here is a neutral concept that is neither inherently desirable nor undesirable; willingness to accept some uncertainty (and therefore risk) is generally necessary in order to pursue objectives.
NOTE 2 Organizations typically have multiple objectives (such as those concerning financial, safety, environmental goals and reputation) which drive all aspects of the organization's activities (such as policies, strategies, projects, products and processes).
NOTE 3 Risk is often characterized by reference to the likelihood of experiencing consequences together with the potential for events from which such consequences could result.
NOTE 4 Uncertainty relates to a deficiency of information relevant to decision-making and takes many forms.
NOTE 5 See ISO/IEC Guide 51 for this term in the context of safety.
SOURCE: PD ISO Guide 73:2009, 1.1, modified

2.8 risk acceptance
informed decision to take a particular risk
NOTE Risk acceptance can occur without risk treatment or during the process of risk treatment.
SOURCE: PD ISO Guide 73:2009, 3.7.1.6, modified

2.9 risk analysis
process to comprehend the nature of risk and to determine the level of risk
NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation.
NOTE 3 See ISO/IEC Guide 51 for this term in the context of safety.
SOURCE: PD ISO Guide 73:2009, 3.6.1

2.10 risk appetite
amount and type of risk that an organization is willing to pursue or retain
SOURCE: PD ISO Guide 73:2009, 3.7.1.2

2.11 risk assessment
overall process of risk identification, risk analysis and risk evaluation
NOTE See ISO/IEC Guide 51 for this term in the context of safety.
SOURCE: PD ISO Guide 73:2009, 3.4.1

2.12 risk avoidance
informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk
NOTE Risk avoidance can be based on the result of risk evaluation and/or legal and regulatory obligations.
SOURCE: PD ISO Guide 73:2009, 3.8.1.2

2.13 risk management
coordinated activities to direct and control an organization with regard to risk
SOURCE: PD ISO Guide 73:2009, 2.1

2.14 risk mitigation
measures taken to reduce an undesired consequence

2.15 risk sharing
form of risk treatment involving the agreed distribution of risk with other parties
NOTE 1 Legal or regulatory requirements can limit, prohibit or mandate risk sharing.
NOTE 2 Risk sharing can be carried out through insurance or other forms of contract.
NOTE 3 The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements.
NOTE 4 Risk transfer is a form of risk sharing.
SOURCE: PD ISO Guide 73:2009, 3.8.1.3

2.16 risk tolerance
organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives
NOTE Risk tolerance can be influenced by legal or regulatory requirements to ensure that no applicable law and no specific norm in the fields of safety, health or environmental protection is violated thereby.
SOURCE: PD ISO Guide 73:2009, 3.7.1.3, modified

2.17 risk treatment
process to modify risk
NOTE 1 Risk treatment can involve:
    avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
    taking or increasing risk in order to pursue an opportunity provided no applicable law and no specific norm in the fields of safety, health or environmental protection is violated thereby;
    increasing risk in order to pursue an opportunity;
    removing the risk source;
    changing the likelihood;
    changing the consequences;
    sharing the risk with another party or parties (including contracts and risk financing); and
    retaining the risk by informed decision.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
NOTE 3 Risk treatment can create new risks or modify existing risks.
NOTE 4 See ISO/IEC Guide 51 for this term in the context of safety.
SOURCE: PD ISO Guide 73:2009, 3.8.1

2.18 security
condition of being protected against damage, harm or loss, achieved through the management of adverse consequences associated with natural events and the intentional and/or unwanted actions of others by physical, technical, electronic, information technology (IT) or human factors, or a combination of those factors

2.19 security function
person(s) responsible for managing security

2.20 security management
set of interrelated or interacting elements of an organization to establish security policies and objectives and processes to achieve those objectives

2.21 security management system
part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and progressively improves security management
NOTE The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.

2.22 security policy
corporate document setting out the organization's intentions and principles with regard to security, formally expressed by top management

2.23 security programme
outcome of the planning and implementation of the appropriate security measures, encompassing everything that is happening or needs to happen in terms of ensuring the security of the organization

2.24 standard security procedure (SSP)
written instructions to achieve uniformity of performance of a specific function(s)
NOTE These may be called “standard operating procedures” (SOPs) and “assignment instructions” (AIs).

2.25 threat
action or potential action likely to cause damage, harm or loss
EXAMPLES physical; biological; chemical; ergonomic; psychological; criminal; fire, environmental, natural disaster; civil disturbance; espionage.

2.26 top management
person or group of people who controls the management functions of an organization on a day-to-day basis
NOTE Top management has the power to delegate authority and provide resources within the organization.
SOURCE: ISO/IEC Annex SL:2012, 3.05, modified

2.27 vulnerability
intrinsic properti