GB/T 31722-2015 English PDF (GBT31722-2015)
GB/T 31722-2015: Information technology -- Security techniques -- Information security risk management

GB/T 31722-2015
Information technology - Security techniques - Information security risk management
ICS 35.040
L80
National Standard of the People's Republic of China
Information technology - Security techniques - Information security risk management
(ISO/IEC 27005:2008, IDT)
Published 2015-06-02
Implemented 2016-02-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
5 Background
6 Overview of the information security risk management process
7 Context establishment
8 Information security risk assessment
9 Information security risk treatment
10 Information security risk acceptance
11 Information security risk communication
12 Information security risk monitoring and review
Appendix A (informative) Determining the scope and boundaries of the information security risk management process
Appendix B (informative) Asset identification and valuation and impact assessment
Appendix C (informative) Examples of typical threats
Appendix D (informative) Vulnerabilities and methods for vulnerability assessment
Appendix E (informative) Information security risk assessment approaches
Appendix F (informative) Constraints for risk reduction
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that some elements of this document may involve patents. The issuing body of this document is not responsible for identifying any such patents. This standard is identical to ISO/IEC 27005:2008, Information technology - Security techniques - Information security risk management (English version), adopted by the translation method.
The following editorial changes have been made in this standard:
--- some editorial changes to the introduction.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China National Institute of Electronic Standardization, Shanghai Sanlingwei Information Security Co., Ltd., Uniform Application Co., Ltd., Shandong Provincial Computing Center, Beijing Information Security Evaluation Center.
Main drafters of this standard: Xu Yuna, Min Jinghua, Shangguan Xiaoli, Dong Huomin, Zhao Zhangjie, Li Gang, Zhou Mingle.
Introduction
The Information Security Management System family of standards (Information Security Management System, ISMS family for short) is a series of international standards for information security management systems developed by the international information security standardization body ISO/IEC JTC 1/SC 27. The ISMS family is intended to help organizations of all types and sizes develop and implement a framework for managing the security of their information assets (for example financial information, intellectual property, employee details, or information entrusted to them by customers or third parties) and to prepare for an independent assessment of their ISMS. The ISMS family includes standards that:
a) define the requirements for an ISMS and for the bodies that certify it;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) process and its requirements;
c) address sector-specific guidelines for an ISMS;
d) address conformity assessment for an ISMS.
Currently, the ISMS family of standards consists of the following:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009)
--- GB/T 22080-2008 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2005)
--- GB/T 22081-2008 Information technology - Security techniques - Code of practice for information security management (ISO/IEC 27002:2005)
--- GB/T 31496-2015 Information technology - Security techniques - Information security management system implementation guidance (ISO/IEC 27003:2010)
--- GB/T 31497-2015 Information technology - Security techniques - Information security management - Measurement (ISO/IEC 27004:2009)
--- GB/T 25067-2010 Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems (ISO/IEC 27006:2007)
--- ISO/IEC 27007:2011 Information technology - Security techniques - Guidelines for information security management systems auditing
--- ISO/IEC TR 27008:2011 Information technology - Security techniques - Guidelines for auditors on information security controls
--- ISO/IEC 27010:2012 Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications
--- ISO/IEC 27011:2008 Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
--- ISO/IEC 27013:2012 Information technology - Security techniques - Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
--- ISO/IEC 27014:2013 Information technology - Security techniques - Governance of information security
--- ISO/IEC TR 27015:2012 Information technology - Security techniques - Information security management guidelines for financial services
As one of the ISMS family of standards, this standard provides guidance on managing information security risks in an organization, supporting in particular the ISMS requirements of GB/T 22080. However, this standard does not provide any specific method for information security risk management. It is up to the organization to define its approach to risk management, depending for example on the scope of its ISMS, the context of risk management, or its industry sector. A number of existing methodologies can be used under the framework described in this standard to implement the requirements of an ISMS. Stakeholders of this standard include managers and staff concerned with information security risks within an organization and, where appropriate, external parties supporting such activities.
Information technology - Security techniques - Information security risk management
1 Scope
This standard provides guidelines for information security risk management. It supports the general concepts specified in GB/T 22080 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminology described in GB/T 22080 and GB/T 22081 is important for a complete understanding of this standard.
This standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise their information security.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 22080-2008 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2005, IDT)
GB/T 22081-2008 Information technology - Security techniques - Code of practice for information security management (ISO/IEC 27002:2005, IDT)
3 Terms and definitions
The terms and definitions given in GB/T 22080-2008 and GB/T 22081-2008 and the following apply to this document.
3.1
Impact
Adverse change to the level of business objectives achieved.
3.2
Information security risk
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Note: It is measured in terms of a combination of the likelihood of an event and its consequence.
3.3
Risk avoidance
Decision not to become involved in, or action to withdraw from, a risk situation.
[ISO/IEC Guide 73:2002]
3.4
Risk communication
Exchange or sharing of information about risk between the decision-maker and other stakeholders.
[ISO/IEC Guide 73:2002]
3.5
Risk estimation
Activity to assign values to the likelihood and consequences of a risk.
[ISO/IEC Guide 73:2002]
3.6
Risk identification
Activity to identify and characterize elements of risk.
[ISO/IEC Guide 73:2002]
3.7
Risk reduction
Actions taken to lessen the likelihood, the negative consequences, or both, associated with a risk.
[ISO/IEC Guide 73:2002]
3.8
Risk retention
Acceptance of the burden of loss, or benefit of gain, from a particular risk.
[ISO/IEC Guide 73:2002]
Note: In the context of information security risks, only negative consequences (losses) are considered for risk retention.
3.9
Risk transfer
Sharing with another party the burden of loss, or benefit of gain, from a risk.
[ISO/IEC Guide 73:2002]
Note: In the context of information security risks, only negative consequences (losses) are considered for risk transfer.
4 Structure of this standard
This standard describes the information security risk management process and its activities. Background information is provided in Chapter 5.
Chapter 6 gives a general overview of the information security risk management process. All information security risk management activities presented in Chapter 6 are then described in turn in the following chapters:
● Chapter 7: Context establishment;
● Chapter 8: Risk assessment;
● Chapter 9: Risk treatment;
● Chapter 10: Risk acceptance;
● Chapter 11: Risk communication;
● Chapter 12: Risk monitoring and review.
Additional information for information security risk management activities is given in the appendices. Appendix A (Determining the scope and boundaries of the information security risk management process) supports context establishment. Appendix B (examples of assets), Appendix C (examples of typical threats) and Appendix D (examples of typical vulnerabilities) discuss asset identification and valuation and impact assessment.
Appendix E gives examples of information security risk assessment approaches. Appendix F gives constraints for risk reduction.
All risk management activities presented in Chapters 7 to 12 are structured as follows:
Input: identifies any information needed to perform the activity.
Action: describes the activity.
Implementation guidance: provides guidance on performing the action. Some of this guidance may not be suitable in all cases, so other ways of performing the action may be more appropriate.
Output: identifies any information derived after performing the activity.
5 Background
A systematic approach to information security risk management is necessary to identify the organization's information security needs and to create an effective information security management system (ISMS). This approach should be suitable for the organization's environment and, in particular, should be aligned with risk management across the whole organization. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and to the ongoing operation of an ISMS.
Information security risk management should be a continual process. The process should establish the context, assess the risks, and treat the risks according to a risk treatment plan that implements the recommendations and decisions. Risk management analyzes what can happen and what the possible consequences may be, before deciding what should be done, and when, to reduce the risk to an acceptable level.
Information security risk management should contribute to:
● identifying risks;
● assessing risks in terms of their consequences to the business and the likelihood of their occurrence;
● communicating and understanding the likelihood and consequences of these risks;
● establishing the order of priority for risk treatment;
● prioritizing actions to reduce risks;
● involving stakeholders in risk management decisions and keeping them informed of the risk management status;
● monitoring the effectiveness of risk management;
● monitoring and regularly reviewing risks and the risk management process;
● capturing information to improve the risk management approach;
● educating managers and staff about the risks and the actions taken to mitigate them.
The information security risk management process can be applied to the organization as a whole, to any discrete part of the organization (e.g. a department, a physical location, a service), to any information system, existing or planned, or to particular aspects of control (e.g. business continuity planning).
6 Overview of the information security risk management process
The information security risk management process consists of context establishment (Chapter 7), risk assessment (Chapter 8), risk treatment (Chapter 9), risk acceptance (Chapter 10), risk communication (Chapter 11) and risk monitoring and review (Chapter 12).
As Figure 1 illustrates, the information security risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to risk assessment can increase the depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent and ensuring that high risks are appropriately assessed.
The context is established first, then a risk assessment is conducted. If the assessment provides sufficient information to effectively determine the actions required to reduce the risks to an acceptable level, the assessment is complete and risk treatment follows. If the information is insufficient, another iteration of the risk assessment is conducted with a revised context (e.g. risk evaluation criteria, risk acceptance criteria or impact criteria), possibly on limited parts of the total scope (see Figure 1, Risk Decision Point 1).
The effectiveness of the risk treatment depends on the results of the risk assessment. It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, another iteration of the risk assessment with changed context parameters (e.g. risk assessment criteria, risk acceptance criteria or impact criteria) may be required, if necessary, followed by further risk treatment (see Figure 1, Risk Decision Point 2).
The risk acceptance activity has to ensure that residual risks are explicitly accepted by the managers of the organization. This is especially important where the implementation of controls is omitted or postponed, for example because of cost.
During the whole information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the risks are treated, information about identified risks can be very valuable for managing incidents and may help to reduce potential damage. Awareness among managers and staff of the risks, of the nature of the controls in place to mitigate them, and of the areas of concern to the organization helps in dealing with incidents and unexpected events in the most effective manner. The detailed results of every activity of the information security risk management process and of the two risk decision points should be documented.
GB/T 22080 specifies that the controls implemented within the scope, boundaries and context of the ISMS must be risk based. Applying an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organization; the organization should use whatever approach best suits its circumstances for each specific application of the process.
In an ISMS, establishing the context, risk assessment, developing the risk treatment plan and risk acceptance are all part of the "Plan" phase. In the "Do" phase of the ISMS, the actions and controls required to reduce the risk to an acceptable level are implemented according to the risk treatment plan. In the "Check" phase of the ISMS, managers determine the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the "Act" phase, any actions required are performed, including re-application of the information security risk management process.
[Figure 1: Information security risk management process]
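The iteration just described, with the treatment options defined in 3.3 and 3.7 to 3.9, as a worked example in Python. This is an added illustration and not text, code or a method from GB/T 31722-2015 or ISO/IEC 27005, which deliberately prescribe no method: the 1-to-5 ordinal scales, the product used as the risk level, the thresholds in `Criteria`, the assumed control effects and the sample risk register are all constructed assumptions. The first pass stops at Risk Decision Point 1 because one risk has not been estimated; after the register is re-estimated under a revised context, each risk is treated and Risk Decision Point 2 flags any residual risk still above the acceptance level for another iteration.

```python
# Iterative assessment / treatment loop of Chapter 6 using the Chapter 3 terms.
# Added illustration: scales, thresholds, control effects and the register are
# constructed assumptions, not content of GB/T 31722-2015.
from __future__ import annotations
from dataclasses import dataclass, replace
from enum import Enum

class Treatment(Enum):
    RETAIN = "risk retention"    # 3.8: knowingly accept the loss
    REDUCE = "risk reduction"    # 3.7: lower likelihood and/or consequence
    TRANSFER = "risk transfer"   # 3.9: share the loss with another party
    AVOID = "risk avoidance"     # 3.3: withdraw from the risk situation

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int | None   # 1 (rare) .. 5 (almost certain); None = not yet estimated
    consequence: int | None  # 1 (negligible) .. 5 (severe); None = not yet estimated

@dataclass(frozen=True)
class Criteria:             # basic criteria of 7.2, constructed example values
    acceptance_level: int = 6      # residual at or below this is accepted
    avoidance_level: int = 20      # at or above this the activity is avoided (3.3)
    transfer_consequence: int = 5  # this consequence with likelihood <= 2: transfer (3.9)
    control_effect: int = 2        # assumed drop in likelihood from a selected control
    transfer_effect: int = 2       # assumed drop in consequence from sharing the loss

def risk_level(r: Risk) -> int | None:
    """3.2 note / 3.5 risk estimation: combine likelihood and consequence.
    The product of two ordinal scores is one common qualitative combination."""
    if r.likelihood is None or r.consequence is None:
        return None
    return r.likelihood * r.consequence

def assessment_sufficient(register: list[Risk]) -> bool:
    """Risk decision point 1: treatment can start only once every identified
    risk has been estimated; otherwise another assessment iteration is needed."""
    return all(risk_level(r) is not None for r in register)

def estimate_missing(register: list[Risk], estimates: dict[str, tuple[int, int]]) -> list[Risk]:
    """Next assessment iteration under a revised context: value the risks that
    could not be estimated in the previous pass."""
    return [replace(r, likelihood=estimates[r.name][0], consequence=estimates[r.name][1])
            if risk_level(r) is None and r.name in estimates else r
            for r in register]

def select_treatment(r: Risk, c: Criteria) -> Treatment:
    level = risk_level(r)
    if level <= c.acceptance_level:
        return Treatment.RETAIN
    if level >= c.avoidance_level:
        return Treatment.AVOID
    if r.consequence >= c.transfer_consequence and r.likelihood <= 2:
        return Treatment.TRANSFER   # rare but severe: share the loss, e.g. insurance
    return Treatment.REDUCE

def apply_treatment(r: Risk, t: Treatment, c: Criteria) -> Risk:
    """Return the residual risk that remains after the chosen treatment."""
    if t is Treatment.AVOID:
        return replace(r, likelihood=0)   # activity withdrawn: no exposure left
    if t is Treatment.REDUCE:
        return replace(r, likelihood=max(1, r.likelihood - c.control_effect))
    if t is Treatment.TRANSFER:
        return replace(r, consequence=max(1, r.consequence - c.transfer_effect))
    return r                              # RETAIN: unchanged

def treat_register(register: list[Risk], c: Criteria) -> dict[str, dict]:
    """One treatment pass followed by risk decision point 2: residual risks
    still above the acceptance level are flagged for another iteration."""
    if not assessment_sufficient(register):
        raise ValueError("decision point 1: estimate every risk before treatment")
    result = {}
    for r in register:
        t = select_treatment(r, c)
        residual = risk_level(apply_treatment(r, t, c))
        result[r.name] = {"level": risk_level(r), "treatment": t.value,
                          "residual": residual,
                          "accepted": residual <= c.acceptance_level}  # decision point 2
    return result

# Constructed sample register; the scores are illustrative only.
REGISTER = [
    Risk("unpatched internet-facing service exploited", 4, 4),
    Risk("card data stored on shared hosting", 4, 5),
    Risk("unencrypted laptop lost in transit", 3, 3),
    Risk("regional power outage", 2, 5),
    Risk("data-centre flooding", 1, 5),
    Risk("legacy application on unsupported platform", None, 4),
]

def run_example() -> dict[str, dict]:
    """Two iterations: the first pass fails decision point 1, the revised pass treats all risks."""
    register = REGISTER
    if not assessment_sufficient(register):   # decision point 1 -> revise context, re-estimate
        register = estimate_missing(register, {"legacy application on unsupported platform": (3, 4)})
    return treat_register(register, Criteria())

if __name__ == "__main__":
    for name, row in run_example().items():
        print(f"{name:45} {row['level']:>2} -> {row['treatment']:15} residual {row['residual']:>2} accepted={row['accepted']}")
```

Running the module prints one line per risk. Under these constructed criteria the exploited internet-facing service is reduced from 16 to a residual of 8, which is still above the acceptance level of 6, so it is the one entry that sends the process back around the loop at Risk Decision Point 2; the avoided, transferred and retained entries are accepted, and the acceptance of each residual is what Chapter 10 requires management to record explicitly.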
Table 1 summarizes the information security risk management activities relevant to the four phases of the ISMS process.
Table 1 Alignment of the ISMS process and the information security risk management process
ISMS process    Information security risk management process
Plan            Establishing the context
                Risk assessment
                Developing the risk treatment plan
                Risk acceptance
Do              Implementation of the risk treatment plan
Check           Continual monitoring and review of risks
Act             Maintaining and improving the information security risk management process
7 Context establishment
7.1 General considerations
Input: All information about the organization relevant to establishing the information security risk management context.
Action: The context for information security risk management should be established, which involves setting the basic criteria necessary for information security risk management (7.2), defining the scope and boundaries (7.3), and establishing an appropriate organization to operate the information security risk management (7.4).
Implementation guidance:
It is essential to determine the purpose of the information security risk management, as this affects the overall process and the context establishment in particular. This purpose can be:
● supporting an ISMS;
● legal compliance and evidence of due diligence;
● preparation of a business continuity plan;
● preparation of an incident response plan;
● description of the information security requirements for a product, a service or a mechanism.
Implementation guidance for the context establishment elements needed to support an ISMS is discussed further in 7.2, 7.3 and 7.4.
Note: GB/T 22080 does not use the term "context". However, all of Chapter 7 is consistent with the requirements "define the scope and boundaries of the ISMS" [4.2.1 a)], "define an ISMS policy" [4.2.1 b)] and "define the risk assessment approach" [4.2.1 c)] specified in GB/T 22080.
Output: The specification of basic criteria, the scope and boundaries, and the organization for the information security risk management process.
7.2 Basic criteria
Depending on the scope and objectives of the risk management, different approaches can be applied, and the approach may also differ for each iteration. An appropriate risk management approach should be selected or developed that addresses basic criteria such as risk evaluation criteria, impact criteria and risk acceptance criteria.
Additionally, the organization should assess whether the necessary resources are available to:
● perform risk assessment and establish a risk treatment plan;
● define and implement policies and procedures, including implementation of the selected controls;
● monitor controls;
● monitor the information security risk management process.
Note: See 5.2.1 of GB/T 22080-2008 concerning the provision of resources for the implementation and operation of an ISMS.
Risk evaluation criteria
Risk evaluation criteria should be developed for evaluating the organization's information security risks, considering the following:
● the strategic value of the business information process;
● the criticality of the information assets involved;
● the requirements of laws, regulations and rules, an...