BS 7799-3:2006
Information security management systems
Part 3: Guidelines for information security risk management
ICS 35.020; 35.040
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW
BRITISH STANDARD
Licensed Copy: Wang Bin, na, Mon May 15 04:08:52 BST 2006, Uncontrolled Copy, (c) BSI

Publishing and copyright information
The BSI copyright notice displayed in this document indicates when the document was last issued.
© BSI 17 MARCH 2006
ISBN 0 580 47247 7
The following BSI references relate to the work on this standard:
Committee reference BDD/2
Draft for comment 05/30125021 DC

Publication history
First published March 2006

Amendments issued since publication
Amd. no.   Date   Text affected

Contents
Foreword ii
Introduction 1
1 Scope 4
2 Normative references 4
3 Terms and definitions 4
4 Information security risks in the organizational context 7
5 Risk assessment 9
6 Risk treatment and management decision-making 16
7 Ongoing risk management activities 21
Annexes
Annex A (informative) Examples of legal and regulatory compliance 26
Annex B (informative) Information security risks and organizational risks 30
Annex C (informative) Examples of assets, threats, vulnerabilities and risk assessment methods 33
Annex D (informative) Risk management tools 47
Annex E (informative) Relationship between BS ISO/IEC 27001:2005 and BS 7799-3:2006 48
Bibliography 49

List of figures
Figure 1 Risk management process model 1
Figure C.1 Types of assets 33

List of tables
Table C.1 Vulnerabilities related to human resources security 41
Table C.2 Vulnerabilities related to physical and environmental security 42
Table C.3 Vulnerabilities related to communications and operations management 42
Table C.4 Vulnerabilities related to access control 43
Table C.5 Vulnerabilities related to systems acquisition, development and maintenance 43
Table C.6 Matrix with risk values 45
Table C.7 Matrix ranking incidents by measures of risk 46
Table E.1 Relationship between BS ISO/IEC 27001:2005 and BS 7799-3:2006 48

Summary of pages
This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 50, an inside back cover and a back cover.

Foreword

Publishing information
This British Standard was published by BSI and came into effect on 17 March 2006. It was prepared by Technical Committee BDD/2, Information security management.

Relationship with other publications
This British Standard includes and replaces the existing BS 7799 guidance material provided in the BSI publications PD 3002 and PD 3005.
It is harmonized with other ISO/IEC work, in particular BS ISO/IEC 17799:2005 and BS ISO/IEC 27001:2005 (the revised version of BS 7799-2:2002), to ensure consistency of terminology and methods.

Information about this document
This British Standard provides guidance and support for the implementation of BS 7799-2 and is generic enough to be of use to small, medium and large organizations. The guidance and advice given in this British Standard is not exhaustive, and an organization might need to augment it with further guidance before it can be used as the basis for a risk management framework for BS ISO/IEC 27001:2005 (the revised version of BS 7799-2:2002).
As a guide, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.

Contractual and legal considerations
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.
Compliance with a British Standard cannot confer immunity from legal obligations.

0 Introduction

0.1 General
This British Standard has been prepared for those business managers and their staff involved in ISMS (Information Security Management System) risk management activities. It provides guidance and advice to specifically support the implementation of those requirements defined in BS ISO/IEC 27001:2005 that relate to risk management processes and associated activities. Table E.1 illustrates the relationship between the two documents.

0.2 Process approach
This British Standard promotes the adoption of a process approach for assessing risks, treating risks, and ongoing risk monitoring, risk reviews and re-assessments. A process approach encourages its users to emphasize the importance of:
a) understanding business information security requirements and the need to establish policy and objectives for information security;
b) selecting, implementing and operating controls in the context of managing an organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the Information Security Management System (ISMS) to manage the business risks;
d) continual improvement based on objective risk measurement.
See Figure 1.

Figure 1 Risk management process model
[Figure: a cycle of four stages. "Assess and evaluate the risks" (Clause 5 Risk assessment); "Select, implement and operate controls to treat the risks" (Clause 6 Risk treatment and management decision making); "Monitor and review the risks" (Clause 7 Ongoing risk management activities); "Maintain and improve the risk controls" (Clause 7 Ongoing risk management activities).]

This risk management process focuses on providing the business with an understanding of risks to allow effective decision-making to control risks. The risk management process is an ongoing activity that aims to continuously improve its efficiency and effectiveness.

The risk management process should be applied to the whole ISMS (as specified in BS ISO/IEC 27001:2005), and new information systems should be integrated into the ISMS in the planning and design stage to ensure that any information security risks are appropriately managed. This document describes the elements and important aspects of this risk management process.

The information security risks need to be considered in their business context, and the interrelationships with other business functions, such as human resources, research and development, production and operations, administration, IT, finance, and customers, need to be identified to achieve a holistic and complete picture of these risks. This consideration includes taking account of the organizational risks, and applying the concepts and ideas of corporate governance. This, together with the organization's business, effectiveness, and the legal and regulatory environment, all serve as drivers and motivators for a successful risk management process. These ideas are described in more detail in Clause 4.

An important part of the risk management process is the assessment of information security risks, which is necessary to understand the business information security requirements and the risks to the organization's business assets. As also described in BS ISO/IEC 27001:2005, the risk assessment includes the following actions and activities, which are described in more detail in Clause 5:
• Identification of assets.
• Identification of legal and business requirements that are relevant for the identified assets.
• Valuation of the identified assets, taking account of the identified legal and business requirements and the impacts of a loss of confidentiality, integrity and availability.
• Identification of significant threats and vulnerabilities for the identified assets.
• Assessment of the likelihood of the threats and vulnerabilities to occur.
• Calculation of risk.
• Evaluation of the risks against a predefined risk scale.

The next step in the risk management process is to identify the appropriate risk treatment action for each of the risks that have been identified in the risk assessment. Risks can be managed through a combination of prevention and detection controls, avoidance tactics, insurance and/or simple acceptance. Once a risk has been assessed, a business decision needs to be made on what, if any, action to take. In all cases, the decision should be based on a business case which justifies the decision and which can be accepted or challenged by key stakeholders. The different risk treatment options and factors that influence this decision are described in Clause 6.

Once the risk treatment decisions have been made and the controls selected following these decisions have been implemented, the ongoing risk management activities should start. These activities include the process of monitoring the risks and the performance of the ISMS to ensure that the implemented controls work as intended. Another activity is the risk review and re-assessment, which is necessary to adapt the risk assessment to the changes that might occur over time in the business environment. Risk reporting and communication is necessary to ensure that business decisions are taken in the context of an organization-wide understanding of risks. The co-ordination of the different risk related processes should ensure that the organization can operate in an efficient and effective way. Continual improvement is an essential part of the ongoing risk management activities to increase the effectiveness of the implemented controls towards achieving the goals that have been set for the ISMS. The ongoing risk management activities are described in Clause 7.

The successful implementation of the risk management process requires that roles and responsibilities are clearly defined and discharged within the organization. Roles and responsibilities that are involved in the risk management process are included in the document, as relevant.

1 Scope
This British Standard gives guidance to support the requirements given in BS ISO/IEC 27001:2005 regarding all aspects of an ISMS risk management cycle. This cycle includes assessing and evaluating the risks, implementing controls to treat the risks, monitoring and reviewing the risks, and maintaining and improving the system of risk controls.
The focus of this standard is effective information security through an ongoing programme of risk management activities. This focus is targeted at information security in the context of an organization's business risks.
The guidance set out in this British Standard is intended to be applicable to all organizations, regardless of their type, size and nature of business. It is intended for those business managers and their staff involved in ISMS (Information Security Management System) risk management activities.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
BS ISO/IEC 27001:2005 (BS 7799-2:2005), Information technology. Security techniques. Information security management systems. Requirements

3 Terms and definitions
For the purposes of this British Standard, the following terms and definitions apply.

3.1 information security event
an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
[BS ISO/IEC TR 18044:2004]

3.2 information security incident
an information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
[BS ISO/IEC TR 18044:2004]

3.3 residual risk
risk remaining after risk treatment
[ISO Guide 73:2002]

3.4 risk
combination of the probability of an event and its consequence
[ISO Guide 73:2002]

3.5 risk acceptance
decision to accept a risk
[ISO Guide 73:2002]
NOTE 1 The verb "to accept" is chosen to convey the idea that acceptance has its basic dictionary meaning.
NOTE 2 Risk acceptance depends on risk criteria.

3.6 risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO Guide 73:2002]
NOTE 1 Risk analysis provides a basis for risk evaluation, risk treatment, and risk acceptance.
NOTE 2 Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.

3.7 risk assessment
overall process of risk analysis and risk evaluation
[ISO Guide 73:2002]

3.8 risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
[ISO Guide 73:2002]
NOTE The decision may be taken based on the result of risk evaluation.

3.9 risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
[ISO Guide 73:2002]
NOTE The information can relate to the existence, nature, form, probability, severity, acceptability, treatment or other aspects of risk.

3.10 risk control
actions implementing risk management decisions
[ISO Guide 73:2002]
NOTE Risk control may involve monitoring, re-evaluation, and compliance with decisions.

3.11 risk criteria
terms of reference by which the significance of risk is assessed
[ISO Guide 73:2002]
NOTE Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

3.12 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of risk
[ISO Guide 73:2002]

3.13 risk management
co-ordinated activities to direct and control an organization with regard to risk
[ISO Guide 73:2002]
NOTE Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication.

3.14 risk management system
set of elements of an organization's management system concerned with managing risk
[ISO Guide 73:2002]
NOTE 1 Management system elements can include strategic planning, decision making, and other processes for dealing with risk.
NOTE 2 The culture of an organization is reflected in its risk management system.

3.15 risk reduction
actions taken to lessen the probability, negative consequences, or both, asso
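The risk assessment activities listed in the Introduction (0.2): valuation of assets from the impact of a loss of confidentiality, integrity and availability, identification of threats and vulnerabilities, assessment of likelihood, calculation of risk and evaluation against a predefined risk scale, together with the treatment decision that follows (Clause 6) and the residual risk it leaves (3.3, 3.15), can be walked through end to end in code. The block below is an added example and is not text, a method or a tool from BS 7799-3 or BSI: the 1-to-5 scales, the rule that the asset value is the worst of the three impacts, the product risk = value × likelihood, the thresholds in RISK_SCALE, the acceptance criterion and the two sample assets are all constructed assumptions for illustration. The standard's own matrices are in Annex C (Tables C.6 and C.7), which this extract does not include.

```python
"""Risk assessment and treatment walk-through (added example, not BS 7799-3 text).

Follows the activities listed in 0.2: asset valuation from the impact of a loss
of confidentiality, integrity and availability; threats and vulnerabilities;
likelihood; calculation of risk; evaluation against a predefined scale; then a
treatment decision and the residual risk (definitions 3.3 and 3.15).  All scales,
the value = max(C, I, A) rule, the product risk = value x likelihood, the
thresholds and the sample assets are assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    name: str
    confidentiality: int   # impact of a loss, 1 (negligible) .. 5 (severe); assumed scale
    integrity: int
    availability: int
    requirements: List[str] = field(default_factory=list)   # legal/business requirements identified


@dataclass
class Scenario:
    """A significant threat/vulnerability pair identified for an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain); assumed scale


@dataclass
class Treatment:
    """Treatment option chosen by the business decision, with the re-assessed inputs."""
    option: str            # prevention control, detection control, avoidance, insurance, acceptance
    likelihood_after: int  # likelihood once the treatment is in place (0 for avoidance)
    value_after: int       # asset value (consequence) once the treatment is in place


# Predefined risk scale (the risk criteria of 3.11): upper bound per band; assumed values.
RISK_SCALE = [(8, "low"), (15, "medium"), (25, "high")]
ACCEPTABLE_LEVELS = {"low"}   # assumed acceptance criterion


def asset_value(asset: Asset) -> int:
    """Valuation: the worst-case loss across C, I and A sets the asset value (assumed rule)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def calculate_risk(scenario: Scenario) -> int:
    """Calculation: consequence (asset value) combined with probability (definition 3.4)."""
    return asset_value(scenario.asset) * scenario.likelihood


def evaluate_risk(risk_value: int) -> str:
    """Evaluation: compare the estimated risk against the predefined scale (3.12)."""
    for upper_bound, level in RISK_SCALE:
        if risk_value <= upper_bound:
            return level
    raise ValueError(f"risk value {risk_value} lies outside the defined scale")


def residual_risk(treatment: Treatment) -> int:
    """Risk remaining after treatment (3.3); treatment lowers probability, consequence or both (3.15)."""
    return treatment.likelihood_after * treatment.value_after


def build_register(scenarios: List[Scenario], treatments: List[Treatment]) -> List[dict]:
    """One register row per scenario: inherent risk, chosen treatment, residual risk, acceptability."""
    rows = []
    for scenario, treatment in zip(scenarios, treatments):
        inherent = calculate_risk(scenario)
        residual = residual_risk(treatment)
        residual_level = evaluate_risk(residual)
        rows.append({
            "asset": scenario.asset.name,
            "threat": scenario.threat,
            "vulnerability": scenario.vulnerability,
            "inherent_risk": inherent,
            "inherent_level": evaluate_risk(inherent),
            "treatment": treatment.option,
            "residual_risk": residual,
            "residual_level": residual_level,
            "acceptable": residual_level in ACCEPTABLE_LEVELS,
        })
    return rows


# Constructed sample data (not taken from the standard).
CUSTOMER_DB = Asset("customer database", confidentiality=5, integrity=4, availability=3,
                    requirements=["data protection legislation", "contractual confidentiality"])
OFFICE_PRINTER = Asset("shared office printer", confidentiality=2, integrity=1, availability=2)

SCENARIOS = [
    Scenario(CUSTOMER_DB, "unauthorised external access", "unpatched public-facing web server", likelihood=4),
    Scenario(OFFICE_PRINTER, "power failure", "no uninterruptible power supply", likelihood=3),
]
TREATMENTS = [
    Treatment("prevention control: patch management and access control", likelihood_after=2, value_after=5),
    Treatment("acceptance", likelihood_after=3, value_after=2),
]

if __name__ == "__main__":
    for row in build_register(SCENARIOS, TREATMENTS):
        print(f"{row['asset']:<22} {row['inherent_risk']:>2} ({row['inherent_level']}) "
              f"-> {row['residual_risk']:>2} ({row['residual_level']}) via {row['treatment']}")
```

The residual risk is recalculated from re-assessed likelihood and consequence rather than declared, so a register row records why a treatment was judged sufficient; the "acceptable" flag is only a comparison against the assumed criterion, and whether a medium residual risk is accepted, insured or treated further remains the business decision that the Introduction says key stakeholders may accept or challenge.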