iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC TS 33072:2016

(Main)

Information technology — Process assessment — Process capability assessment model for information security management

Information technology — Process assessment — Process capability assessment model for information security management

ISO/IEC TS 33072:2016: - defines a process assessment model (PAM) that meets the requirements of ISO/IEC 33004 and that supports the performance of an assessment of process capability by providing indicators for guidance on the interpretation of the process purposes and outcomes as defined in ISO/IEC TS 33052 and the process attributes as defined in ISO/IEC 33020; - provides guidance, by example, on the definition, selection and use of assessment indicators.

Technologies de l'information — Évaluation des procédés — Modèle d'évaluation de la capacité des procédés pour le management de la sécurité de l'information

General Information

Status
Published
Publication Date
06-Jul-2016
ICS
35.080 - Software
Technical Committee
ISO/IEC JTC 1/SC 7 - Software and systems engineering
Drafting Committee
ISO/IEC JTC 1/SC 7/WG 10 - Process assessment
Current Stage
9093 - International Standard confirmed
Completion Date
10-May-2024
Ref Project

Buy Standard

ISO/IEC TS 33072:2016 - Information technology -- Process assessment -- Process capability assessment model for information security managementISO/IEC TS 33072:2016 - Information technology -- Process assessment -- Process capability assessment model for information security management
PreviousNext
Technical specification
ISO/IEC TS 33072:2016 - Information technology -- Process assessment -- Process capability assessment model for information security management
English language
183 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC TS 33072:2016 - Information technology -- Process assessment -- Process capability assessment model for information security managementISO/IEC TS 33072:2016 - Information technology -- Process assessment -- Process capability assessment model for information security management
PreviousNext
Technical specification
ISO/IEC TS 33072:2016 - Information technology -- Process assessment -- Process capability assessment model for information security management
English language
183 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/IEC TS
SPECIFICATION 33072
First edition
2016-06-01
Information technology — Process
assessment — Process capability
assessment model for information
security management
Technologies de l’information — Évaluation des procédés — Modèle
d’évaluation de la capacité des procédés pour le management de la
sécurité de l’information
PROOF/ÉPREUVE
Reference number
ISO/IEC TS 33072:2016(E)
©
ISO/IEC 2016

---------------------- Page: 1 ----------------------
ISO/IEC TS 33072:2016(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TS 33072:2016(E)
Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Overview of the Process Assessment Model . 2
4.1 Introduction to Overview . 2
4.2 Structure of the Process Assessment Model . 3
4.2.1 Processes . 3
4.2.2 Process dimension . 4
4.2.3 Capability dimension . 4
4.3 Assessment Indicators . 6
4.3.1 Process Capability Indicators . 7
4.3.2 Process Performance Indicators . 8
4.4 Measuring process capability . 9
5 The process dimension and process performance indicators (Level 1) . 10
5.1 General . 10
5.2 ORG.1 Asset management . 11
5.3 TEC.01 Capacity management . 12
5.4 TEC.02 Change management . 13
5.5 COM.01 Communication management . 13
5.6 TEC.03 Configuration management . 14
5.7 COM.02 Documentation management . 15
5.8 ORG.2 Equipment management . 17
5.9 ORG.3 Human resource employment management . 18
5.10 COM.03 Human resource management .
...

TECHNICAL ISO/IEC TS
SPECIFICATION 33072
First edition
2016-07-15
Corrected version
2016-09-01
Information technology — Process
assessment — Process capability
assessment model for information
security management
Technologies de l’information — Évaluation des procédés — Modèle
d’évaluation de la capacité des procédés pour le management de la
sécurité de l’information
Reference number
ISO/IEC TS 33072:2016(E)
©
ISO/IEC 2016

---------------------- Page: 1 ----------------------
ISO/IEC TS 33072:2016(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TS 33072:2016(E)
Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview of the Process Assessment Model . 2
4.1 Introduction to Overview . 2
4.2 Structure of the Process Assessment Model . 3
4.2.1 Processes . 3
4.2.2 Process dimension . 4
4.2.3 Capability dimension . 4
4.3 Assessment Indicators . 6
4.3.1 Process Capability Indicators . 7
4.3.2 Process Performance Indicators . 8
4.4 Measuring process capability . 9
5 The process dimension and process performance indicators (Level 1) . 10
5.1 General . 10
5.2 ORG.1 Asset management . 11
5.3 TEC.01 Capacity management . 12
5.4 TEC.02 Change management . 13
5.5 COM.01 Communication management . 13
5.6 TEC.03 Configuration management . 14
5.7 COM.02 Documentation management . 15
5.8 ORG.2 Equipment management . 17
5.9 ORG.3 Human resource employment management . 18
5.10 COM.03 Human resource management .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC/IEEE 24748-1:2024(Main)
Systems and software engineering — Life cycle management — Part 1: Guidelines for life cycle management

This document provides guidance for the life cycle management of systems and software, complementing the processes described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207. This document: — addresses systems concepts and life cycle concepts, models, stages, processes, process application, key points of view, adaptation and use in various domains and by various disciplines; — establishes a common framework for describing life cycles, including their individual stages, for the management of projects that provide or acquire either products or services; — defines the concept of a life cycle; — supports the use of the life cycle processes within an organization or a project; organizations and projects can use these life cycle concepts when acquiring and supplying either products or services; — provides guidance on adapting a life cycle model and the content associated with a life cycle or a part of a life cycle; — describes the relationship between life cycles and their use in applying the processes in ISO/IEC/IEEE 15288 (systems aspects) and ISO/IEC/IEEE 12207 (software systems aspects); — shows the relationships of life cycle concepts to the hardware, human, services, process, procedure, facility and naturally occurring entity aspects of projects; — describes how its concepts relate to detailed process standards, for example, in the areas of measurement, project management, risk management and model-based systems and software engineering.

  • Standard
    76 pages
    English language
    sale 15% off
ISO
ISO/IEC/IEEE 24748-2:2024(Main)
Systems and software engineering — Life cycle management — Part 2: Guidelines for the application of ISO/IEC/IEEE 15288 (system life cycle processes)

The proposed project is a revision of ISO/IEC/IEEE 24748-2:2018, Systems and software engineering — Life cycle management — Part 2: Guidelines for the application of ISO/IEC/IEEE 15288 (System life cycle processes). There are no scope changes. ISO/IEC/IEEE 24748-2 is a guideline for the application of ISO/IEC/IEEE 15288. It addresses system, life cycle, organizational, project, and process, concept application, principally through reference to ISO/IEC/IEEE 24748-1 and ISO/IEC/IEEE 15288. It gives guidance on applying ISO/IEC/IEEE 15288 from the aspects of strategy, planning, application in organizations, and application on projects. It also provides comparison of the differences between ISO/IEC/IEEE 15288 current revision and the prior version, ISO/IEC 15288:2015.

  • Standard
    63 pages
    English language
    sale 15% off
ISO
ISO/IEC 25002:2024(Main)
Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — Quality model overview and usage

This document establishes a framework for defining quality models which are composed of quality characteristics and sub-characteristics. In particular, this document provides: — the concept of a quality model; — the structure and semantics of quality models; — the relationship between quality models and the other concepts, including measurement, requirement definition, and evaluation; — guidelines, requirements and examples for using quality models.

  • Standard
    17 pages
    English language
    sale 15% off
ISO
ISO/IEC 19770-1:2017/Amd 1:2024(Amendment)
Information technology — IT asset management — Part 1: IT asset management systems — Requirements — Amendment 1: Climate action changes
  • Standard
    1 page
    English language
    sale 15% off
ISO
ISO/IEC 19770-6:2024(Main)
Information technology — IT asset management — Part 6: Hardware identification tag

This document provides specifications for a transport format which enables the digital encapsulation of this data. This document refers to an encapsulation of hardware identification (HWID) data as a HWID tag, just as ISO/IEC 19770-2 refers to software identification (SWID) tags for software identification. This document applies to the following. — Tag producers: organizations that create HWID tags for use by others in the market. A tag producer can be part of the organization creating the hardware or a third-party organization. These organizations can be broken down into two major categories. — Device or component providers: entities responsible for the manufacturing or creation of the hardware device and/or associated operating system, virtual environment, or application platform. Platform providers which support this document can additionally provide tag management capabilities at the level of the platform or operating system. — Tag tool providers: entities that provide tools to create hardware identification tags. For example, tools within development environments that generate hardware identification tags, or installation tools that can create tags on behalf of the installation process, and/or desktop management tools that can create tags for underlying hardware, virtual machines, or platforms that did not originally have a hardware identification tag. — Tag consumers: tools and/or organizations who utilize information from HWID tags are broken down into the following two major categories. — Device or component consumers: entities that purchase, install, integrate, and/or otherwise deploy physical or virtual hardware or components. — IT discovery and processing tool providers: entities that provide tools to collect, store, and process hardware identification tags. These tools may be targeted at a variety of different market segments, including security, asset management, and logistics. This document deals only with hardware device or component identification. This document does not detail information technology asset management (ITAM) processes required for discovery and management of hardware (which is provided in ISO/IEC 19770-1) software identification tags (as defined by ISO/IEC 19770-2), entitlement tags (as defined by ISO/IEC 19770-3), or resource utilization measurements (as defined by ISO/IEC 19770-4).

  • Standard
    41 pages
    English language
    sale 15% off
ISO
ISO/IEC 25019:2023(Main)
Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — Quality-in-use model

This document defines a quality-in-use model composed of three characteristics (which are further subdivided into sub-characteristics) that can influence stakeholders when products or systems are used in a specified context of use. This model is applicable to the entire spectrum of information system and IT service system, including both computer systems in use and software products in use. This document provides a set of quality characteristics for specifying, measuring, evaluating and improving quality-in-use. In this document, because context of use is specified as prerequisite of quality-in-use, context of use is necessary to be re-specified to change prerequisite when a product or service intend to fulfil to context of use changes. The model can be applied, in particular, by those responsible for specifying and evaluating software product quality, such as developers, acquirers, quality assurance and control staff, and independent evaluators. Activities during product development that can benefit from the use of the quality model can include, but are not limited to: — identifying requirements for information system and IT service system in use; — validating the comprehensiveness of a quality-in-use requirements specification; — identifying information system and IT service system design objectives for quality-in-use; — identifying quality-in-use control criteria as part of overall quality assurance; — identifying acceptance criteria for information system and IT service system or information systems; — establishing measures to address the consequences of using products in specified context-of -use; — presenting evaluation items for ethics considerations when using information system and IT service system; — supporting governance of digitalization activities.

  • Standard
    31 pages
    English language
    sale 15% off
ISO
ISO/IEC 25010:2023(Main)
Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — Product quality model

This document defines a product quality model, which is applicable to ICT (information and communication technology) products and software products. The product quality model is composed of nine characteristics (which are further subdivided into subcharacteristics) that relate to quality properties of the products. The characteristics and subcharacteristics provide a reference model for the quality of the products to be specified, measured and evaluated. NOTE 1 In this document, a product refers to an ICT product that is part of an information system. ICT product components include subsystems, software, firmware, hardware, data, communication infrastructure, and other elements that are part of the ICT product. This model can be used for requirements specification and evaluation of the target products’ quality throughout their lifecycle by several stakeholders, including developers, acquirers, quality assurance and control staff and independent evaluators. Activities in the product lifecycle that can benefit from the use of this model include: — eliciting and defining product and information system requirements; — validating the comprehensiveness of requirements definition; — identifying product and information system design objectives, and design necessary process for achieving quality; — identifying product and information system testing objectives; — identifying quality control criteria as the part of quality assurance; — identifying acceptance criteria for a product and/or an information system; — establishing measures of product quality characteristics in support of these activities. NOTE 2 Usage of the quality model for measurement is explained in Annex C.

  • Standard
    22 pages
    English language
    sale 15% off
ISO
ISO/IEC/IEEE 15026-3:2023(Main)
Systems and software engineering — Systems and software assurance — Part 3: System integrity levels

This document specifies the concept of integrity levels with the corresponding integrity level requirements for achieving the integrity levels. Requirements and recommended methods are provided for defining and using integrity levels and their corresponding integrity level requirements. This document covers systems, software products, and their elements, as well as relevant external dependences. This document is applicable to systems and software and is intended for use by: a) definers of integrity levels such as industry and professional organizations, standards organizations, and government agencies; b) users of integrity levels such as developers and maintainers, suppliers and acquirers, system or software users, assessors of systems or software and administrative and technical support staff of systems and/or software products. One important use of integrity levels is by suppliers and acquirers in agreements, for example, to aid in assuring safety, financial, or security characteristics of a delivered system or product. This document does not prescribe a specific set of integrity levels or their integrity level requirements. In addition, it does not prescribe the way in which integrity level use is integrated with the overall system or software engineering life cycle processes. It does, however, provide an example of use of this document in Annex A.

  • Standard
    21 pages
    English language
    sale 15% off
ISO
ISO/IEC TR 7052:2023(Main)
Software engineering — Controlling frequently occurring risks during development and maintenance of custom software

This document: — describes frequently occurring risks during development and maintenance of custom software; — describes possible controls for frequently occurring risks; — describes the related: — activities, facilities and roles typically used for these controls; — properties of products and processes; — standards, measurements, testing and assessment of the properties of products and processes.

  • Technical report
    36 pages
    English language
    sale 15% off
ISO
ISO/IEC/IEEE 24748-6:2023(Main)
Systems and software engineering — Life cycle management — Part 6: System and software integration

This document: — provides supplemental requirements and guidance for the planning and performing of the integration processes given in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207; — provides guidance on the relationship between the integration process and other life cycle processes. — specifies requirements for information items to be produced as a result of using the integration process, including the content of the information items. This document is applicable to: — those who use or plan to use ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288, or both, on projects dealing with human-made systems, software-intensive systems, and products and services related to those systems, regardless of the project scope, methodology, size, or complexity; — anyone planning or performing integration activities to aid in ensuring that the application of the integration process and its relationships to other system life cycle processes conform to ISO/IEC/IEEE 15288 or ISO/IEC/IEEE 12207.

  • Standard
    42 pages
    English language
    sale 15% off