BS BRITISH STANDARD. Information security management systems – Part 3: Guidelines for information security risk management. BS 7799-3 was a standard originally published by BSI Group (BSI); it was written by the United Kingdom Government's Department of Trade and Industry. Study topic: Information security management systems BS. University: СПбГУТ.
Published (last): 26 July 2007
The BSI copyright notice displayed in this document indicates when the document was last issued. The following BSI references relate to the work on this standard.
Contents extract:
Information security risks in the organizational context 7
Annex A (informative) Examples of legal and regulatory compliance
Annex B (informative) Information security risks and organizational risks
Annex C (informative) Examples of assets, threats, vulnerabilities and risk assessment methods
Figure 1 — Risk management process model 1
Figure C.
This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 50, an inside back cover and a back cover. This British Standard provides guidance and support for the implementation of BS and is generic enough to be of use to small, medium and large organizations.
As a guide, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations. This document describes the elements and important aspects of this risk management process.
The information security risks need to be considered in their business context, and the interrelationships with other business functions, such as human resources, research and development, production and operations, administration, IT, finance, and customers need to be identified, to achieve a holistic and complete picture of these risks. This consideration includes taking account of the organizational risks, and applying the concepts and ideas of corporate governance.
These ideas are described in more detail in Clause 4. An important part of the risk management process is the assessment of information security risks, which is necessary to understand the business information security requirements, and the risks to.
The next step in the risk management process is to identify the appropriate risk treatment action for each of the risks that have been identified in the risk assessment.
Once a risk has been assessed, a business decision needs to be made on what action, if any, to take. In all cases, the decision should be based on a business case which justifies the decision and which can be accepted or challenged by key stakeholders.
The different risk treatment options and factors that influence this decision are described in Clause 6. Once the risk treatment decisions have been made and the controls selected following these decisions have been implemented, the ongoing risk management activities should start.
These activities include the process of monitoring the risks and the performance of the ISMS to ensure that the implemented controls work as intended.
Another of these activities is the risk review and re-assessment, which is necessary to adapt the risk assessment to the changes that might occur over time in the business environment.
Risk reporting and communication is necessary to ensure that business decisions are taken in the context of an organization-wide understanding of risks. The co-ordination of the different risk related processes should ensure that the organization can operate in an efficient and effective way. Continual improvement is an essential part of the ongoing risk management activities to increase the effectiveness of the implemented controls towards achieving the goals that have been set for the ISMS.
The ongoing risk management activities are described in Clause 7. The successful implementation of the risk management process requires that roles and responsibilities are clearly defined and discharged within the organization.
Roles and responsibilities that are involved in the risk management process are included in the document, as relevant. This cycle includes assessing and evaluating the risks, implementing controls to treat the risks, monitoring and reviewing the risks, and maintaining and improving the system of risk controls. The focus of this standard is effective information security through an ongoing programme of risk management activities.
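The cycle described above (estimate the risk, evaluate it against the organization's risk criteria, choose a treatment backed by a business case, then monitor and review) can be made concrete as a small risk register. The following Python is an added illustration written for this page; it is not code from BS 7799-3 or from BSI. The 1..5 likelihood and impact scale, the acceptance threshold, the sample register entries and the treatment names (the standard's "optimizing" is modelled as `REDUCE`) are all constructed assumptions.

```python
"""Minimal risk register modelling the cycle: estimate -> evaluate -> treat -> review.
Scoring scale (1..5 likelihood and impact) and the acceptance threshold are constructed
assumptions for this illustration, not values taken from the standard."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Treatment(Enum):
    AVOID = "avoid"        # stop the activity that gives rise to the risk
    REDUCE = "reduce"      # "optimize": implement controls that lower likelihood and/or impact
    TRANSFER = "transfer"  # e.g. insurance; the notes warn this can create or modify other risks
    RETAIN = "retain"      # accept the risk on the basis of a recorded business case


@dataclass
class RiskCriteria:
    """Organization-defined criteria: the highest risk level accepted without further treatment."""
    acceptance_threshold: int


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain)
    impact: int                           # 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None
    justification: str = ""               # the business case stakeholders can accept or challenge
    controls: list[str] = field(default_factory=list)
    history: list[str] = field(default_factory=list)

    @property
    def level(self) -> int:
        """Risk estimation: a simple likelihood x impact product (constructed scoring)."""
        return self.likelihood * self.impact


def _check_scale(likelihood: int, impact: int) -> None:
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on the 1..5 scale")


def evaluate(risk: Risk, criteria: RiskCriteria) -> bool:
    """Risk evaluation: True when the estimated level is within the acceptance criteria."""
    _check_scale(risk.likelihood, risk.impact)
    return risk.level <= criteria.acceptance_threshold


def treat(risk: Risk, option: Treatment, justification: str, controls=(),
          likelihood_after: Optional[int] = None, impact_after: Optional[int] = None) -> int:
    """Record a treatment decision and return the residual risk level.
    Every decision needs a justification; avoid/reduce/transfer also need an
    estimate of the residual likelihood and impact once the treatment is in place."""
    if not justification.strip():
        raise ValueError("a treatment decision must be backed by a business case")
    if option is not Treatment.RETAIN:
        if likelihood_after is None or impact_after is None:
            raise ValueError(f"{option.value} requires a residual likelihood and impact estimate")
        _check_scale(likelihood_after, impact_after)
        risk.likelihood, risk.impact = likelihood_after, impact_after
    risk.treatment = option
    risk.justification = justification
    risk.controls.extend(controls)
    risk.history.append(f"{option.value}: residual level {risk.level}")
    return risk.level


def review(risk: Risk, criteria: RiskCriteria,
           likelihood: Optional[int] = None, impact: Optional[int] = None) -> bool:
    """Monitoring/review: re-estimate after a change in the environment and report whether
    the residual risk is still within the acceptance criteria (False means re-treat)."""
    if likelihood is not None:
        risk.likelihood = likelihood
    if impact is not None:
        risk.impact = impact
    acceptable = evaluate(risk, criteria)
    risk.history.append(f"review: level {risk.level}, {'acceptable' if acceptable else 're-treatment needed'}")
    return acceptable


def demo() -> dict:
    """Run the cycle over two constructed register entries and return the decisions taken."""
    criteria = RiskCriteria(acceptance_threshold=6)
    db = Risk("customer database", "external attacker", "unpatched web application",
              likelihood=4, impact=5)
    printer = Risk("office printer", "hardware failure", "no maintenance contract",
                   likelihood=2, impact=2)
    out = {}
    out["db_before"] = evaluate(db, criteria)                      # 20 > 6: not acceptable
    out["db_residual"] = treat(db, Treatment.REDUCE,
                               "patching programme costs less than the expected loss",
                               controls=["monthly patch cycle", "web application firewall"],
                               likelihood_after=2, impact_after=3)  # residual 6
    out["db_after"] = evaluate(db, criteria)                       # 6 <= 6: acceptable
    out["printer_residual"] = treat(printer, Treatment.RETAIN,
                                    "within appetite; replacement cost is low")  # 4
    out["db_review_ok"] = review(db, criteria, likelihood=4)        # 12 > 6: re-treat
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `history` list on each entry is the audit trail that risk reporting and review depend on: it records the decision, the residual level, and whether a later review found the risk drifting back outside the criteria.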
The guidance set out in this British Standard is intended to be applicable to all organizations, regardless of their type, size and nature of business.
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. For the purposes of this British Standard, the following terms and definitions apply. NOTE 1 Risk analysis provides a basis for risk evaluation, risk treatment, and risk acceptance.
NOTE Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.
NOTE Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.
NOTE 1 Management system elements can include strategic planning, decision making, and other processes for dealing with risk.
NOTE 2 The culture of an organization is reflected in its risk management system.
NOTE 1 Legal or statutory requirements can limit, prohibit or mandate the transfer of certain risk.
NOTE 3 Risk transfer can create new risks or modify existing risk.
NOTE 4 Relocation of the source is not risk transfer.
NOTE 2 Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.
NOTE 2 Risk transfer can be carried out through insurance or other agreements.
NOTE 1 The term risk treatment is sometimes used for the measures themselves.
Clause 5 Risk evaluation.