ISO 13335-1 PDF

ISO/IEC , Information technology – Security techniques – Management of information and communications technology security – Part . Title: ISO/IEC – Information technology — Security techniques — Management of information and communications technology security — Part 1. International Organization for Standardization (ISO) [3] standards and guides for conformity. The ISO/IEC [5] standard is dedicated to providing.

Author: Samuro Akinokus
Country: New Zealand
Language: English (Spanish)
Genre: Marketing
Published (Last): 18 April 2011
Pages: 338
ISBN: 734-2-31628-392-9

Such data may be obtained and used by an organization while assessing threats. These environmental, cultural and legal variations can be significant for international organizations and their use of ICT systems across international boundaries. In other instances it is the owner or manager who is considered responsible.

Concepts and models for information and communications technology security management
Status:

ISO/IEC Standard — ENISA

A threat has the potential to cause harm to an asset and therefore an organization. The topics such a strategy should address will depend on the number, type and importance of those objectives, and will normally be those that the organization considers important to address uniformly.

The environments and cultures in which the organization is situated can have a significant bearing and influence on how the threats to the organization and to its ICT are addressed.

Safeguards may be considered to perform one or more of the following functions: For new systems and systems at the planning stage, it should be part of the design and development process. The corporate ICT security policy should reflect the essential ICT security principles and directives applicable to the corporate security policy and information security policy, and the general use of ICT systems in the organization.

As an example of a specific topic, an organization could have a primary ICT security objective that, because of the nature of its business, all of its systems should be continuously available. However, as the environment can change unpredictably, all vulnerabilities should be monitored to identify those that have become exposed to new or re-emerging threats. This is particularly important when the amount of harm caused by each occurrence is low but where the aggregate effect of many incidents over time may be harmful.


When functions are combined it is important to ensure that the appropriate checks and balances are maintained to avoid concentrating too much responsibility in one person's hands without any possibility of influence or control. When significant changes to systems are planned, risk management should be part of this planning process. Each employee and contractor should know his or her role and responsibility and contribution to ICT security, and should be committed to achieving such goals.

Measures of risk will then indicate the overall protection requirement, which in real terms is effected or met by the implementation of safeguards. The information security policy may contain the principles and directives specific to the protection of information that is sensitive or valuable, or otherwise of importance, to the organization. Protection should be ensured throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation.

The benefits of using standards include: Vulnerabilities may remain unless the asset itself changes such that the vulnerability no longer applies. A risk scenario describes how a particular threat or group of threats may exploit a particular vulnerability or group of vulnerabilities that expose assets to harm.

The standard is not free of charge, and its provisions are not publicly available.

No part of these publications may be reproduced in any form without the prior permission in writing of BIS. For example, some cultures consider the protection of personal information as very important while others give a lower significance to this issue.

Certain conventions are, however, not identical to those used in Indian Standards.

These changes in the environment could create new system vulnerabilities that should be analyzed and assessed and either mitigated or accepted. Possible questions for assessing how much an organization's business depends on ICT are:

BS ISO/IEC 13335-1:2004

The corporate ICT security officer should act as the focus for all ICT security aspects within the organization; however, the corporate ICT security officer may delegate some aspects of the role. This standard has been withdrawn. Principles contained therein will be derived from, and thus consistent with, the principles of the corporate security policy. Scenario 2 – A safeguard may be effective in reducing the risks associated with a threat exploiting multiple vulnerabilities.


Attention is particularly drawn to the following: Vulnerabilities should be assessed both individually and in aggregate to consider the full operational context. Examples of specific safeguards are: New or changed security components should be tested separately to ensure that they operate as intended, and then tested in the operational environment, to ensure that the integration into the ICT system does not impact the security properties or features.

ISO/IEC Standard 13335

Examples of possible delegated functions are as follows:

Table 1 – Examples of threats

  Human                                                 Environmental
  Deliberate                Accidental
  Eavesdropping             Errors and omissions        Earthquake
  Information modification  File deletion               Lightning
  System hacking            Incorrect routing           Floods
  Malicious code            Physical accidents          Fire
  Theft

Threats may impact specific parts of an organization, for example disruption to computers.

In addition, the culture and environment can have an impact on those that are responsible for the protection of specific parts of the organization. If, for example, some important or very important components of the business are dependent on accurate or up-to-date information, then one of the ICT security objectives of this organization may be to ensure the integrity and timeliness of the information as it is stored and processed in the ICT systems.

In such cases, independent review is important to avoid conflict of interest and to ensure appropriate separation of roles.

Safeguards may be implemented to monitor the threat environment to ensure that no threats develop which can exploit the vulnerability. The text is a direct resource for the implementation of security management.

Regardless of the documentation and organizational structure in use by the organization, it is important that the different messages of the policies described are addressed, and that consistency is maintained.