ISO/IEC 27000-2016 pdf free

ISO/IEC 27000-2016. Information technology – Security techniques – Information security management systems – Overview and vocabulary.
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that may affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.
As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.
To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.
3.2 What is an ISMS?
3.2.1 Overview and principles
An Information Security Management System (ISMS) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based upon a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS. The following fundamental principles also contribute to the successful implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management;
i) continual reassessment of information security and making of modifications as appropriate.
3.2.2 Information
Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which the information is transmitted, it always needs appropriate protection.
In many organizations, information is dependent upon information and communications technology. This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.
3.2.3 Information security
Information security ensures the confidentiality, availability and integrity of information. Information security involves the application and management of appropriate controls that involves consideration of a wide range of threats, with the aim of ensuring sustained business success and continuity, and minimizing consequences of information security incidents.
Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific information security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization’s business processes.

