This standard provides guidelines for information security risk management.
This standard supports the general concepts specified in GB/T 22080 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminology described in GB/T 22080 and GB/T 22081 is important for a complete understanding of this standard.
This standard is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22080-2008 Information Technology — Security Techniques — Information Security Management Systems — Requirements (ISO/IEC 27001:2005, IDT)
GB/T 22081-2008 Information Technology — Security Techniques — Code of Practice for Information Security Management (ISO/IEC 27002:2005, IDT)
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GB/T 22080-2008 and GB/T 22081-2008 and the following apply.
3.1
impact
adverse change to the level of business objectives achieved
3.2
information security risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Note: It is measured in terms of a combination of the likelihood of an event and its consequence.
3.3
risk avoidance
decision not to become involved in, or action to withdraw from, a risk situation
[ISO/IEC Guide 73:2002]
3.4
risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
[ISO/IEC Guide 73:2002]
3.5
risk estimation
process to assign values to the probability and consequences of a risk
[ISO/IEC Guide 73:2002]
3.6
risk identification
process to find, list and characterize elements of risk
[ISO/IEC Guide 73:2002]
3.7
risk reduction
actions taken to lessen the probability, negative consequences, or both, associated with a risk
[ISO/IEC Guide 73:2002]
3.8
risk retention
acceptance of the burden of loss or benefit of gain from a particular risk
[ISO/IEC Guide 73:2002]
Note: In the context of information security risks, only negative consequences (losses) are considered for risk retention.
3.9
risk transfer
sharing with another party the burden of loss or benefit of gain, for a risk
[ISO/IEC Guide 73:2002]
Note: In the context of information security risks, only negative consequences (losses) are considered for risk transfer.
4 Structure of This Standard
This standard contains the description of the information security risk management process and its activities.
The background information is provided in Clause 5.
A general overview of the information security risk management process is given in Clause 6.
All information security risk management activities as presented in Clause 6 are subsequently described in the following clauses: