ISO standards
Mari Seeba
ISO.org standards: Requirements
ISO Management System Approaches
(Figure: Annex SL management system structure with the Plan-Do-Check-Act cycle; recoverable content summarized below)
• Control and develop components of the management system (ISO27001)
• Scope and design components of the management system (ISO31000)
• Context
– Organization, stakeholders, expectations and scope of the management system
• Leadership
– Commitment, policy and organizational roles and responsibilities
• Support
– Resources, competence, awareness, communication and documentation
• Plan
– Management system planning, objectives and planning to achieve them
• Do
– Operational planning, implementation and control
• Check
– Monitoring, analysis, evaluation, audit and review
• Act
– Non-conformity, corrective actions and continual improvement
ISO 31000:2018 Risk management – Guidelines
• Scope:
– Guidelines on managing risk faced by organizations
– Common approach to managing any type of risk
– Not industry or sector specific
– Usable throughout the life of the organization
– Can be applied to any activity, including decision-making at all levels
• Overall purpose: integrating the management of risk into the strategic and operational management system
• Key terms:
– risk, risk management, stakeholder, risk source, event, consequences, likelihood, control
• Principles, framework and process
ISO 31000: Principles (figure; Source: ISO31000:2018(en))
ISO 31000: Framework (figure; Source: ISO31000:2018(en))
ISO 31000: Process (figure; Source: ISO31000:2018(en))
ISO 31000: Principles, framework and process (figure; Source: ISO31000:2018(en))
ISO/IEC 27000:2018 (en) Information technology — Security techniques — Information security management systems — Overview and vocabulary
(Figure: ISMS family of standards; Source: ISO/IEC 27000:2018(E))
ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
• Purpose:
– The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives interested parties confidence that risks are adequately managed.
– Base standard for certification
• Format:
– ISO Annex SL
ISO27001 Content (figure: Plan-Do-Check-Act cycle)
ISO27001: Annex A (figure)
ISO 27001 (figure)
ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management
• Risk management process as defined in ISO31000 (figure; Source: ISO/IEC 27005:2018)
ISO 27005: Risk Treatment activity
(Figure: risk treatment flow; recoverable content summarized below)
• Risk assessment results
• Risk decision point 1: Satisfactory assessment
• Risk treatment
– Risk treatment options: Risk modification, Risk retention, Risk avoidance, Risk sharing
– Residual risk
• Risk decision point 2: Satisfactory treatment
ISO 27005 (figure)
How do these ISO standards interact?
Estonian approach – Why do we not use ISO27001?
Estonian approach
• Granularity
Why did we keep compliance with ISO27001?
• International communication
• Alternative solution to E-ITS
www.cyber4dev.eu