ISO IEC 27000:2018 pdf download – Information technology — Security techniques — Information security management systems — Overview and vocabulary.
3.64 risk assessment overall process (3.54) of risk identification (3.68), risk analysis (3.63) and risk evaluation (3.67) [SOURCE: ISO Guide 73:2009, 3.4.1] 3.65 risk communication and consultation set of continual and iterative processes (3.54) that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.37) regarding the management of risk (3.61) Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.41), significance, evaluation, acceptability and treatment of risk. Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is — a process which impacts on a decision through influence rather than power; and — an input to decision making, not joint decision making. 3.66 risk criteria terms of reference against which the significance of risk (3.61) is evaluated Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal context (3.38). Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56). [SOURCE: ISO Guide 73:2009, 3.3.1.3] 3.67 risk evaluation process (3.54) of comparing the results of risk analysis (3.63) with risk criteria (3.66) to determine whether the risk (3.61) and/or its magnitude is acceptable or tolerable Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72). [SOURCE: ISO Guide 73:2009, 3.7.1] 3.68 risk identification process (3.54) of finding, recognizing and describing risks (3.61) Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their potential consequences (3.12). Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ (3.37) needs. [SOURCE: ISO Guide 73:2009, 3.5.1] 3.69 risk management coordinated activities to direct and control an organization (3.50) with regard to risk (3.61) [SOURCE: ISO Guide 73:2009, 2.1]
3.70 risk management process systematic application of management policies (3.53), procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.61) Note 1 to entry: ISO/IEC 27005 uses the term “process” (3.54) to describe risk management overall. The elements within the risk management (3.69) process are referred to as “activities”. [SOURCE: ISO Guide 73:2009, 3.1, modified — Note 1 to entry has been added.] 3.71 risk owner person or entity with the accountability and authority to manage a risk (3.61) [SOURCE: ISO Guide 73:2009, 3.5.1.5] 3.72 risk treatment process (3.54) to modify risk (3.61) Note 1 to entry: Risk treatment can involve: — avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; — taking or increasing risk in order to pursue an opportunity; — removing the risk source; — changing the likelihood (3.40); — changing the consequences (3.12); — sharing the risk with another party or parties (including contracts and risk financing); — retaining the risk by informed choice. Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
ISO IEC 27000:2018 pdf download – Information technology — Security techniques — Information security management systems — Overview and vocabulary
