Information security, cybersecurity and privacy protection — Information security management systems — Overview

This document gives an overview of the concepts and principles used in the documents related to information security management systems (ISMS), including ISO/IEC 27001. This document is considered to be a horizontal document as it provides an explanation of the concepts and principles that underpin information security and ISMS.

Information security, cybersecurity and privacy protection — Information security management systems — Overview

ISO/IEC 27000:2018 provides an overview of information security management systems (ISMS). It also includes the terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (for example commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions given in this document:
  • cover the terms and definitions commonly used in the ISMS family of standards;
  • do not cover all of the terms and definitions used in the ISMS family of standards;
  • do not limit the ISMS family of standards in defining new terms for use.

General Information

Status
Not Published
Current Stage
5000 - FDIS registered for formal approval
Start Date
04-Feb-2026
Completion Date
27-Jan-2026

Relations

Effective Date
12-Feb-2026
Effective Date
06-Jun-2022

Overview

ISO/IEC FDIS 27000 provides a foundational overview for information security management systems (ISMS), with a focus on information security, cybersecurity, and privacy protection. Developed by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), this standard outlines the essential concepts, principles, and the interconnected framework that supports globally recognized security and privacy standards, including ISO/IEC 27001. The standard serves as an introductory reference for organizations beginning their ISMS journey or seeking clarity on the structure and relationships among ISMS-related documents.

Key Topics

  • Core Concepts of Information Security: ISO/IEC 27000 defines the critical properties of information security - confidentiality, integrity, and availability - and explores how organizations manage these properties to protect valuable assets.
  • Risk Management Principles: The standard emphasizes the ever-changing nature of information security risks. It covers the processes of risk assessment, risk treatment, and continuous improvement through a systematic ISMS approach.
  • Role and Purpose of ISMS: Outlines how an information security management system enables organizations to address legal, regulatory, business, and stakeholder information security requirements, and to achieve business objectives while protecting information assets.
  • Process Approach: Encourages integration of information security controls within overall business processes for effective management and alignment with organizational goals.
  • Key Definitions: Provides essential ISMS terminology for consistent understanding and application across industries and sectors, referencing ISO and IEC terminology databases for further clarity.

Applications

ISO/IEC FDIS 27000 is a practical guide for organizations aiming to establish, implement, maintain, and continuously improve an effective information security management system. Typical applications include:

  • Preparation for ISO/IEC 27001 Certification: Organizations use ISO/IEC 27000 to understand underlying concepts before implementing specific requirements of ISO/IEC 27001.
  • Policy Development: Assists in formulating robust policies and procedures for information security, risk management, and compliance.
  • Stakeholder Engagement: Provides a common framework and language for engaging with customers, regulators, business partners, and other interested parties regarding information security and privacy controls.
  • Sector-Specific Guidance: Facilitates organizations in sectors such as telecommunications, cloud services, and energy utilities to identify tailored security controls and best practices.
  • Continuous Improvement: Promotes periodic risk reassessment and adjustment of security controls in response to changing threats, technologies, and business objectives.

Related Standards

ISO/IEC FDIS 27000 places strong emphasis on the interconnected nature of the ISO/IEC 27000 family of standards. Key related standards include:

  • ISO/IEC 27001 – Requirements for establishing, implementing, maintaining, and improving an ISMS.
  • ISO/IEC 27002 – Guidance on the selection and implementation of information security controls.
  • ISO/IEC 27003–27007 – Guidance on ISMS implementation, monitoring, risk management, and audit.
  • ISO/IEC 27010, 27011, 27017, 27019 – Sector-specific controls for inter-organizational communications, telecommunications, cloud, and energy utilities.
  • ISO/IEC 27013, 27014, 27016, 27029 – Integrated management, governance, economics, and relationships with other standards.
  • ISO/IEC 27006-1 – Requirements for bodies providing audit and certification of ISMS.

For organizations seeking a cohesive, best-practice approach to information security management, ISO/IEC FDIS 27000 is the starting point for aligning with international standards and achieving ongoing cybersecurity and privacy compliance.

Buy Documents

Draft: ISO/IEC FDIS 27000 - Information security, cybersecurity and privacy protection — Information security management systems — Overview
Release Date: 20-May-2025
English language (11 pages)

Draft: ISO/IEC FDIS 27000 - Information security, cybersecurity and privacy protection — Information security management systems — Overview
Release Date: 23-Mar-2026
English language (11 pages)

Draft: REDLINE ISO/IEC FDIS 27000 - Information security, cybersecurity and privacy protection — Information security management systems — Overview
Release Date: 23-Mar-2026
English language (11 pages)

Draft: ISO/IEC FDIS 27000 - Sécurité de l'information, cybersécurité et protection de la vie privée — Systèmes de management de la sécurité de l'information — Vue d'ensemble
Release Date: 10-Jul-2025
French language (13 pages)

Get Certified

Connect with accredited certification bodies for this standard

BSI Group
BSI (British Standards Institution) is the business standards company that helps organizations make excellence a habit.
Accreditation: UKAS, United Kingdom (verified)

Bureau Veritas
Bureau Veritas is a world leader in laboratory testing, inspection and certification services.
Accreditation: COFRAC, France (verified)

DNV
DNV is an independent assurance and risk management provider.
Accreditation: NA, Norway (verified)

Sponsored listings

Frequently Asked Questions

ISO/IEC FDIS 27000 is a draft published by the International Organization for Standardization (ISO). Its full title is "Information security, cybersecurity and privacy protection — Information security management systems — Overview". Its scope is stated as follows: "This document gives an overview of the concepts and principles used in the documents related to information security management systems (ISMS), including ISO/IEC 27001. This document is considered to be a horizontal document as it provides an explanation of the concepts and principles that underpin information security and ISMS."

ISO/IEC FDIS 27000 is classified under the following ICS (International Classification for Standards) categories: 01.040.35 - Information technology (Vocabularies); 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC FDIS 27000 has the following relationships with other standards: it has inter-standard links to prEN ISO/IEC 27000 and ISO/IEC 27000:2018. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

ISO/IEC FDIS 27000 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)


DRAFT International Standard
ISO/IEC DIS 27000
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Information security, cybersecurity and privacy protection — Information security management systems — Overview
Voting begins on: 2025-07-15
Voting terminates on: 2025-10-07
ICS: 35.030; 01.040.35
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 27000:2025(en)
© ISO/IEC 2025
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ISO/IEC DIS 27000:2025(en)
Contents (page)
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Concepts and principles ... 2
4.1 Concepts ... 2
4.1.1 The need for information security ... 2
4.1.2 Information ... 3
4.1.3 Information security ... 3
4.1.4 Risks are constantly changing ... 3
4.1.5 Risk treatment plan ... 4
4.1.6 Purpose of an information security management system (ISMS) ... 4
4.1.7 Importance of an ISMS ... 4
4.1.8 Process approach ... 5
4.1.9 Scope ... 5
4.2 Principles ... 5
4.2.1 Establishing, implementing, maintaining and improving an ISMS ... 5
4.2.2 Successful ISMS implementation ... 5
4.2.3 Determining information security requirements ... 6
4.2.4 Integration into business processes ... 6
5 Documents related to ISMS including ISO/IEC 27001 ... 6
5.1 General ... 6
5.2 ISO/IEC 27001 (Specification of an ISMS) ... 6
5.3 Candidate necessary information security controls ... 6
5.3.1 ISO/IEC 27002 (Information security controls) ... 6
5.3.2 ISO/IEC 27010 (Inter-sector and inter-organizational communications) ... 7
5.3.3 ISO/IEC 27011 (Telecommunications organizations) ... 7
5.3.4 ISO/IEC 27017 (Cloud services) ... 7
5.3.5 ISO/IEC 27019 (Energy utility industry) ... 7
5.4 Fulfilment of ISMS requirements ... 7
5.4.1 ISO/IEC 27003 (ISMS guidance) ... 7
5.4.2 ISO/IEC 27004 (Monitoring, measurement, analysis and evaluation) ... 7
5.4.3 ISO/IEC 27005 (Guidance on managing information security risks) ... 7
5.4.4 ISO/IEC 27007 (ISMS auditing) ... 7
5.5 Use of ISMS ... 7
5.5.1 ISO/IEC 27013 (Integrated implementation with ISO/IEC 20000-1) ... 7
5.5.2 ISO/IEC 27014 (Governance of information security) ... 8
5.5.3 ISO/IEC TR 27016 (Organizational economics) ... 8
5.5.4 ISO/IEC TR 27029 (ISO/IEC 27002 and ISO and IEC standards) ... 8
5.6 Control assessment, attributes, processes and competence ... 8
5.6.1 ISO/IEC TS 27008 (Assessment of information security controls) ... 8
5.6.2 ISO/IEC 27021 (Competence requirements for ISMS professionals) ... 8
5.6.3 ISO/IEC TS 27022 (ISMS processes) ... 8
5.6.4 ISO/IEC 27028 (ISO/IEC 27002 attributes) ... 8
5.7 Conformity assessment ... 8
5.7.1 ISO/IEC 27006-1 (Requirements for bodies providing audit and certification) ... 8
5.8 Relationships between the standards ... 8
Bibliography ... 10

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent
rights identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Information security, cybersecurity and privacy protection.
This sixth edition cancels and replaces the fifth edition (ISO/IEC 27000:2018), which has been technically
revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been changed to stress its primary role, which is to provide an
overview of, and relationships between documents related to ISMS (information security management
systems) including ISO/IEC 27001;
— text presenting the concepts and principles of information security and information security management
systems has been added;
— Clause 3 contains definitions for those terms used in presenting the concepts and principles in ISO/IEC 27000;
— ISO/IEC 27000 is no longer a terminology document.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
This document explains the concepts and principles that underpin information security and information
security management systems. It provides an overview of all documents related to ISMS (Information
security management systems) including ISO/IEC 27001 and explains the relationship between them.

DRAFT International Standard ISO/IEC DIS 27000:2025(en)
Information security, cybersecurity and privacy protection —
Information security management systems — Overview
1 Scope
This document gives an overview of the concepts and principles of documents related to information
security management system (ISMS), including ISO/IEC 27001.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality (3.2), integrity (3.3) and availability (3.4) of information
3.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
3.3
integrity
property of accuracy and completeness
3.4
availability
property of being accessible and usable on demand by an authorized entity
3.5
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO 31000:2018, 3.5]
3.6
likelihood
chance of something happening
[SOURCE: ISO 31000:2018, 3.7]
3.7
consequence
outcome of an event (3.5) affecting objectives
[SOURCE: ISO 31000:2018, 3.6]
3.8
risk
effect of uncertainty on objectives
[SOURCE: ISO 31000:2018, 3.1]
3.9
risk treatment
process to modify risk (3.8)
3.10
risk owner
person or entity with the accountability and authority to manage a risk (3.8)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.11
control
measure that maintains and/or modifies risk (3.8)
[SOURCE: ISO 31000:2018, 3.8]
3.12
specified requirement
need or expectation that is stated
[SOURCE: ISO/IEC 17000-1:2004, 3.1]
3.13
conformity assessment
demonstration that specified requirements (3.12) relating to a product, process, system, person or body are
fulfilled
[SOURCE: ISO/IEC 17000-1:2004, 2.1]
4 Concepts and principles
4.1 Concepts
4.1.1 The need for information security
Organizations of all types and sizes:
a) collect, process, store, transmit and delete information;
b) recognize that some information (and the associated information and communications technology,
software, processes and people) can help the organization to achieve its objectives, and can therefore be
regarded as an asset;
c) appreciate that some of this information belongs to other organizations (e.g. customers) and that they
should manage that information in accordance with the agreed requirements;
d) realise that the organization can suffer if information is disclosed, lacks or loses integrity or is not
available when it is required.

Confidentiality, integrity and availability of information are important properties of value to organizations.
The preservation of these properties is referred to as “information security”.
In this modern interconnected world, information and related processes, systems, and networks can
constitute critical business assets. Organizations and their information systems and networks face
information security threats from a wide range of sources, including human errors, computer-assisted
fraud, theft, espionage, sabotage, vandalism, fire, flood, and climate change. Damage to information systems
and networks caused by malicious code, computer hacking, and denial of service attacks have become more
common, more ambitious, and increasingly more sophisticated. The extent to which such events should
worry an organization depends on the likelihood of the occurrence of the event and the severity of the
consequences. The combination of likelihood and consequence is referred to as “risk”.
If the risk is unacceptable to the organization, it must be “treated”. Risk treatment is the process whereby
risks are modified, often through the implementation of information security controls. Ideally, the process
of treatment continues until the risk becomes acceptable to the organization.
Risks associated with an organization’s information assets need to be addressed. Achieving information
security requires the management of risk, and encompasses risks from physical, human and technology
related threats associated with all forms of information within, used by or looked after by the organization.
4.1.2 Information
Information is an asset that, like other important business assets, is essential to an organization’s business
and, consequently, needs to be suitably protected. It does not matter whether the information is owned by
the organization or is entrusted to its care by a third party, e.g. a customer.
Information can be stored in many forms, including digital
...


FINAL DRAFT International Standard
ISO/IEC FDIS 27000
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Information security, cybersecurity and privacy protection — Information security management systems — Overview
Sécurité de l'information, cybersécurité et protection de la vie privée — Systèmes de management de la sécurité de l'information — Vue d'ensemble
Voting begins on: 2026-04-06
Voting terminates on: 2026-06-01
ISO/CEN PARALLEL PROCESSING
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Horizontal document
Reference number: ISO/IEC FDIS 27000:2026(en)
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Horizontal document
Published in Switzerland
© ISO/IEC 2026 – All rights reserved
Contents (page)
Foreword ... iv
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Concepts and principles ... 2
4.1 Concepts ... 2
4.1.1 The need for information security ... 2
4.1.2 Information ... 3
4.1.3 Information security ... 3
4.1.4 Constantly changing risks ... 3
4.1.5 Risk treatment plan ... 3
4.1.6 Purpose of an information security management system (ISMS) ... 4
4.1.7 Importance of an ISMS ... 4
4.1.8 Process approach ... 5
4.1.9 Scope ... 5
4.2 Principles ... 5
4.2.1 Establishing, implementing, maintaining and improving an ISMS ... 5
4.2.2 Successfully implementing an ISMS ... 5
4.2.3 Determining information security requirements ... 5
4.2.4 Integration into business processes ... 6
5 Documents related to ISMS including ISO/IEC 27001 ... 6
5.1 General ... 6
5.2 ISO/IEC 27001 (specification of an ISMS) ... 6
5.3 Candidate necessary information security controls ... 6
5.3.1 ISO/IEC 27002 (information security controls) ... 6
5.3.2 ISO/IEC 27010 (inter-sector and inter-organizational communications) ... 7
5.3.3 ISO/IEC 27011 (telecommunications organizations) ... 7
5.3.4 ISO/IEC 27017 (cloud services) ... 7
5.3.5 ISO/IEC 27019 (energy utility industry) ... 7
5.4 Fulfilment of ISMS requirements ... 7
5.4.1 ISO/IEC 27003 (ISMS guidance) ... 7
5.4.2 ISO/IEC 27004 (monitoring, measurement, analysis and evaluation) ... 7
5.4.3 ISO/IEC 27005 (guidance on managing information security risks) ... 7
5.4.4 ISO/IEC 27007 (ISMS auditing) ... 7
5.5 Use of ISMS ... 7
5.5.1 ISO/IEC 27013 (integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1) ... 7
5.5.2 ISO/IEC 27014 (governance of information security) ... 7
5.5.3 ISO/IEC TR 27016 (organizational economics) ... 8
5.6 Control assessment, attributes, processes and competence ... 8
5.6.1 ISO/IEC TS 27008 (assessment of information security controls) ... 8
5.6.2 ISO/IEC 27021 (competence requirements for ISMS professionals) ... 8
5.6.3 ISO/IEC TS 27022 (ISMS processes) ... 8
5.6.4 ISO/IEC 27028 (ISO/IEC 27002 attributes) ... 8
5.7 ISO/IEC 27006-1 (Conformity assessment) ... 8
5.8 Relationships between the standards ... 8
Bibliography ... 10

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with the
European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 13, Cybersecurity and
data protection, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
This sixth edition cancels and replaces the fifth edition (ISO/IEC 27000:2018), which has been technically
revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been changed to stress its primary role, which is to provide an
overview of, and explain the relationships between, documents related to ISMS (information security
management systems) including ISO/IEC 27001;
— text presenting the concepts and principles of information security and information security management
systems has been added;
— Clause 3 has been modified to only contain definitions for those terms used in presenting the concepts
and principles described in this document;
— it is no longer a terminology document.
This document has been given the status of a horizontal document in accordance with the ISO/IEC Directives,
Part 1.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
This document explains the concepts and principles that underpin information security and information
security management systems. It provides an overview of all documents related to ISMS (information
security management systems) including ISO/IEC 27001 and explains the relationship between them.

FINAL DRAFT International Standard ISO/IEC FDIS 27000:2026(en)
Information security, cybersecurity and privacy protection —
Information security management systems — Overview
1 Scope
This document gives an overview of the concepts and principles used in the documents related to information
security management systems (ISMS), including ISO/IEC 27001.
This document is considered to be a horizontal document as it provides an explanation of the concepts and
principles that underpin information security and ISMS.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality (3.2), integrity (3.3) and availability (3.4) of information
3.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
3.3
integrity
property of accuracy and completeness
3.4
availability
property of being accessible and usable on demand by an authorized entity
3.5
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO/IEC 27005:2022, 3.1.11, modified — The two notes to entry have been omitted.]
3.6
likelihood
chance of something happening
[SOURCE: ISO/IEC 27005:2022, 3.1.13, modified — The two notes to entry have been omitted.]

3.7
consequence
outcome of an event (3.5) affecting objectives
[SOURCE: ISO/IEC 27005:2022, 3.1.14, modified — The three notes to entry have been omitted.]
3.8
risk
effect of uncertainty on objectives
[SOURCE: ISO/IEC 27005:2022, 3.1.3, modified — The seven notes to entry have been omitted.]
3.9
risk treatment
process to modify risk (3.8)
3.10
control
measure that maintains and/or modifies risk (3.8)
[SOURCE: ISO/IEC 27002:2022, 3.1.8, modified — The two notes to entry have been omitted.]
3.11
specified requirement
need or expectation that is stated
[SOURCE: ISO/IEC 17000:2020, 4.1, modified — The four notes to entry have been omitted.]
3.12
conformity assessment
demonstration that specified requirements (3.11) relating to a product, process, system, person or body are
fulfilled
[SOURCE: ISO/IEC 17000:2020, 5.1, modified — The two notes to entry have been omitted.]
4 Concepts and principles
4.1 Concepts
4.1.1 The need for information security
Organizations of all types and sizes:
a) collect, process, store, transmit and delete information;
b) recognize that some information (and the associated information and communications technology,
software, processes and people) can help the organization to achieve its objectives, and can therefore be
regarded as an asset;
c) appreciate that some of this information belongs to other organizations (e.g. customers) and that they
should manage that information in accordance with the agreed requirements;
d) realize that the organization can suffer if information is disclosed, lacks or loses integrity or is not
available when it is required.
Confidentiality, integrity and availability of information are important properties of value to organizations.
The preservation of these properties is referred to as information security.
In this modern interconnected world, information and related processes, systems, and networks can
constitute critical business assets. Organizations and their information systems and networks face
information security threats from a wide range of sources, including human errors, computer-assisted

fraud, theft, espionage, sabotage, vandalism, fire, flood and climate change. Damage to information systems
and networks caused by malicious code, computer hacking and denial of service attacks have become more
common, more ambitious and increasingly more sophisticated. The extent to which such events should
worry an organization depends on the likelihood of the occurrence of the event and the severity of the
consequences. The combination of likelihood and consequence is referred to as risk.
If the risk is unacceptable to the organization, it must be “treated”. Risk treatment is the process whereby
risks are modified, often through the implementation of information security controls. Ideally, the process
of treatment continues until the risk becomes acceptable to the organization.
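The likelihood-and-consequence model of the two paragraphs above, turned into a small working risk register so that the treat-until-acceptable loop can be followed end to end. This is an added example; it is not text or code from ISO/IEC 27000 or from the committee that drafted it. The 1 to 5 scales, the multiplicative combination, the acceptance level of 6, the greedy choice of the control that reduces risk most, and the sample risk and controls are all this example's assumptions; the standard prescribes none of them.

```python
"""Risk as the combination of likelihood and consequence, treated with controls
until it is acceptable (ISO/IEC 27000, 4.1.1). Added example, not from the standard.

Assumptions made here and not by the standard: 1..5 ordinal scales for both
factors, risk level = likelihood * consequence, a fixed acceptance level, and a
greedy choice of the control that reduces the level most at each step.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A measure that maintains and/or modifies risk (3.10).
    Each delta is the number of scale steps the control removes from that factor;
    a control with both deltas at 0 maintains the risk rather than modifying it."""
    name: str
    likelihood_delta: int = 0
    consequence_delta: int = 0


@dataclass(frozen=True)
class Risk:
    """A risk scored on assumed 1..5 scales, with the controls applied so far."""
    name: str
    likelihood: int       # 1 = rare ... 5 = almost certain (assumed scale)
    consequence: int      # 1 = negligible ... 5 = severe (assumed scale)
    controls: tuple = ()  # names of controls already applied, in order

    def level(self) -> int:
        # The combination of likelihood and consequence is the risk (4.1.1).
        return self.likelihood * self.consequence

    def is_acceptable(self, acceptable: int) -> bool:
        return self.level() <= acceptable


def apply_control(risk: Risk, control: Control) -> Risk:
    """Return the residual risk after one control; neither factor drops below 1."""
    return Risk(
        risk.name,
        max(1, risk.likelihood - control.likelihood_delta),
        max(1, risk.consequence - control.consequence_delta),
        risk.controls + (control.name,),
    )


def treat(risk: Risk, candidates: list[Control], acceptable: int) -> Risk:
    """Risk treatment (3.9): apply controls until the residual risk is acceptable.

    At each step the candidate that gives the lowest residual level is applied.
    The loop also stops when no remaining candidate changes the level, so a
    risk that cannot be brought down with the available controls is returned
    as it stands for the organization to decide on.
    """
    remaining = list(candidates)
    while not risk.is_acceptable(acceptable) and remaining:
        best = min(remaining, key=lambda c: apply_control(risk, c).level())
        residual = apply_control(risk, best)
        if residual.level() >= risk.level():
            break  # nothing left that modifies the risk
        risk = residual
        remaining.remove(best)
    return risk


# Constructed scenario (not from the standard): an unencrypted customer database.
SAMPLE_RISK = Risk("customer database disclosed", likelihood=4, consequence=5)
SAMPLE_CONTROLS = [
    Control("encryption at rest", consequence_delta=2),
    Control("MFA on admin access", likelihood_delta=2),
    Control("log monitoring", likelihood_delta=1),
    Control("policy document only"),  # maintains, does not modify, the risk
]
ACCEPTABLE_LEVEL = 6


if __name__ == "__main__":
    residual = treat(SAMPLE_RISK, SAMPLE_CONTROLS, ACCEPTABLE_LEVEL)
    print(f"initial level {SAMPLE_RISK.level()}, residual level {residual.level()}")
    print("controls applied:", ", ".join(residual.controls))
```

With the sample values the loop applies MFA first (level 20 to 10) and then log monitoring (10 to 5), at which point the risk is below the acceptance level and encryption at rest is never selected; lowering the acceptance level to 4 makes it select encryption as well. The control with zero deltas is never recorded, because it maintains rather than modifies the risk, and `treat()` returns the input unchanged when only such controls are available, which is the case a practitioner has to escalate rather than mark as treated.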
Risks associated with an organization’s information assets should be addressed. Achieving information
security requires the management of risk, and encompasses risks from physical, human and technology
related threats associated with all forms of information within, used by or looked after by the organization.
...


ISO/IEC FDIS 27000:2025(en)
ISO/IEC JTC 1/SC 27/WG 1
Secretariat: DIN
Date: 2026-01-2903-23
Horizontal publication
Information security, cybersecurity and privacy protection — Information security management systems — Overview
Sécurité de l'information, cybersécurité et protection de la vie privée — Systèmes de management de la sécurité de l'information — Vue d'ensemble
FDIS stage
This draft is submitted to a parallel vote in ISO, CEN.
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ISO/IEC FDIS 27000:2026(en)
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Concepts and principles
4.1 Concepts
4.1.1 The need for information security
4.1.2 Information
4.1.3 Information security
4.1.4 Risks are constantly changing
4.1.5 Risk treatment plan
4.1.6 Purpose of an information security management system (ISMS)
4.1.7 Importance of an ISMS
4.1.8 Process approach
4.1.9 Scope
4.2 Principles
4.2.1 Establishing, implementing, maintaining and improving an ISMS
4.2.2 Successful ISMS implementation
4.2.3 Determining information security requirements
4.2.4 Integration into business processes
5 Documents related to ISMS including ISO/IEC 27001
5.1 General
5.2 ISO/IEC 27001 (Specification of an ISMS)
5.3 Candidate necessary information security controls
5.3.1 ISO/IEC 27002 (Information security controls)
5.3.2 ISO/IEC 27010 (Inter-sector and inter-organizational communications)
5.3.3 ISO/IEC 27011 (Telecommunications organizations)
5.3.4 ISO/IEC 27017 (Cloud services)
5.3.5 ISO/IEC 27019 (Energy utility industry)
5.4 Fulfilment of ISMS requirements
5.4.1 ISO/IEC 27003 (ISMS guidance)
5.4.2 ISO/IEC 27004 (Monitoring, measurement, analysis and evaluation)
5.4.3 ISO/IEC 27005 (Guidance on managing information security risks)
5.4.4 ISO/IEC 27007 (ISMS auditing)
5.5 Use of ISMS
5.5.1 ISO/IEC 27013 (Integrated implementation with ISO/IEC 20000-1)
5.5.2 ISO/IEC 27014 (Governance of information security)
5.5.3 ISO/IEC TR 27016 (Organizational economics)
5.5.4 ISO/IEC TR 27029 (ISO/IEC 27002 and ISO and IEC standards)
5.6 Control assessment, attributes, processes and competence
5.6.1 ISO/IEC TS 27008 (Assessment of information security controls)
5.6.2 ISO/IEC 27021 (Competence requirements for ISMS professionals)
5.6.3 ISO/IEC TS 27022 (ISMS processes)
5.6.4 ISO/IEC 27028 (ISO/IEC 27002 attributes)
5.7 Conformity assessment
5.7.1 ISO/IEC 27006-1 (Requirements for bodies providing audit and certification)
5.8 Relationships between the standards
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 13, Cybersecurity and data protection, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).
This sixth edition cancels and replaces the fifth edition (ISO/IEC 27000:2018), which has been technically revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been changed to stress its primary role, which is to provide an overview of, and explain the relationships between, documents related to ISMS (information security management systems) including ISO/IEC 27001;
— text presenting the concepts and principles of information security and information security management systems has been added;
— Clause 3 has been modified to only contain definitions for those terms used in presenting the concepts and principles described in this document;
— it is no longer a terminology document.
This document has been given the status of a horizontal document in accordance with the ISO/IEC Directives, Part 1.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
4.1.2 Information
Information is an asset that, like other important business assets, is essential to an organization’s business and, consequently, should be suitably protected. It does not matter whether the information is owned by the organization or is entrusted to its care by a third party, e.g. a customer.
Information can be in many forms, including data files stored on electronic or optical media or on paper, as well as knowledge. Information can be transmitted by various means including courier, electronic or verbal communication. Whatever form information takes, or how it is transmitted, it always needs appropriate protection.
In many organizations, information is dependent on information and communications technology. This technology is often an essential element in the organization and facilitates the creation, processing, storing, transmitting, protection and destruction of information.
4.1.3 Information security
Information security ensures the confidentiality, availability and integrity of information. Information security involves the application and management of appropriate controls to counter a wide range of threats, while ensuring sustained business success and continuity and minimizing the consequences of information security incidents.
4.1.4 Constantly changing risks
Risks are not static. Changes in the organization can change the likelihood of the occurrence of information security relevant events and the severity of the consequences. Likewise, changes in
...


DRAFT International Standard
ISO/IEC DIS 27000
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2025-07-15
Voting terminates on: 2025-10-07
Sécurité de l'information, cybersécurité et protection de la vie privée — Systèmes de management de la sécurité de l'information — Vue d'ensemble
Information security, cybersecurity and privacy protection — Information security management systems — Overview
ICS: 35.030; 01.040.35
ISO/CEN parallel processing
This document is a draft circulated for comment and approval. It is therefore subject to change and may not be referred to as an International Standard until published as such.
In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
This document was not prepared by the ISO Central Secretariat.
Reference number: ISO/IEC DIS 27000:2025(fr)
© ISO/IEC 2025
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for identifying any or all such rights or for giving notice of their existence. Details of any intellectual property rights or similar rights identified during the development of the document are given in the Introduction and/or in the list of patent declarations received by ISO (see www.iso.org/brevets).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO-specific terms and expressions related to conformity assessment, and information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/avant-propos.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This sixth edition cancels and replaces the fifth edition (ISO/IEC 27000:2018), which has been technically revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been modified to emphasize its primary role, which is to provide an overview of, and the relationships between, the documents related to ISMS (information security management systems), including ISO/IEC 27001;
— text introducing the concepts and principles of information security and of information security management systems has been added;
— Clause 3 contains definitions of the terms used in presenting the concepts and principles of ISO/IEC 27000;
— ISO/IEC 27000 is no longer a terminology document.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/fr/members.html and www.iec.ch/national-committees.
Introduction
This document explains the concepts and principles that underpin information security management systems. It provides an overview of all the documents related to ISMS (information security management systems), including ISO/IEC 27001, and explains the relationships between them.
DRAFT International Standard ISO/IEC DIS 27000:2025(fr)

Information security, cybersecurity and privacy protection — Information security management systems — Overview
1 Scope
This document gives an overview of the concepts and principles of the documents related to information security management systems (ISMS), including ISO/IEC 27001.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
information security
preservation of confidentiality (3.2), integrity (3.3) and availability (3.4) of information
3.2
confidentiality
property that information is neither made available nor disclosed to unauthorized individuals, entities or processes
3.3
integrity
property of accuracy and completeness
3.4
availability
property of being accessible and usable on demand by an authorized entity
3.5
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO 31000:2018, 3.5]

3.6
likelihood
chance of something happening
[SOURCE: ISO 31000:2018, 3.7]
3.7
consequence
outcome of an event (3.5) affecting objectives
[SOURCE: ISO 31000:2018, 3.6]
3.8
risk
effect of uncertainty on objectives
[SOURCE: ISO 31000:2018, 3.1]
3.9
risk treatment
process to modify risk (3.8)
3.10
risk owner
person or entity with the accountability and authority to manage a risk (3.8)
[SOURCE: ISO Guide 73:2009, 3.5.1.5]
3.11
control
measure that maintains and/or modifies risk (3.8)
[SOURCE: ISO 31000:2018, 3.8]
3.12
specified requirement
need or expectation that is stated
[SOURCE: ISO/IEC 17000-1:2004, 3.1]
3.13
conformity assessment
demonstration that specified requirements (3.12) relating to a product, process, system, person or body are fulfilled
[SOURCE: ISO/IEC 17000-1:2004, 2.1]
4 Concepts and principles
4.1 Concepts
4.1.1 The need for information security
Organizations of all types and sizes:
a) collect, process, store, transmit and delete information;
b) recognize that some information (and the associated information and communication technologies, software, processes and people) can help the organization achieve its objectives and can therefore be considered an asset;
c) appreciate that some of this information belongs to other organizations (for example, customers) and that they should manage it in accordance with the agreed requirements;
d) realize that the organization can suffer harm if information is disclosed, goes missing, loses its integrity, or is not available when it is needed.
Confidentiality, integrity and availability of information are important properties of value to organizations. Preserving these properties is called "information security".
In this interconnected world, information and the related processes, systems and networks can be critical assets of the organization. Organizations and their information systems and networks face information security threats from a wide range of sources: human error, computer-assisted fraud, theft, espionage, sabotage, vandalism, fire and climate change, for example. Damage to information systems and networks caused by malicious software, hacking and denial-of-service attacks is becoming more common, more ambitious and more sophisticated. The extent to which such events should concern an organization depends on the likelihood of the event occurring and the severity of its consequences. The combination of likelihood and consequence is called "risk".
If a risk is unacceptable to the organization, it shall be "treated". Risk treatment is the process by which risks are modified, often by implementing information security controls. Ideally, the treatment process continues until the risk becomes acceptable to the organization.
The risks associated with an organization's information assets need to be addressed. Achieving information security requires managing risk, and encompasses the risks arising from physical, human and technological threats associated with information in all its forms, within the organization, used by it, or in its care.
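The following is an added illustration of the 4.1.1 vocabulary, not text or code from the standard: a minimal risk register in which the risk level is the combination of likelihood and consequence, each risk has a risk owner, and treatment applies controls in priority order until the level meets an acceptance threshold. The 1-5 scales, the threshold of 6 and the ransomware scenario are constructed assumptions; ISO/IEC 27000 prescribes none of them.

```python
# Added example (not from ISO/IEC 27000): a risk register modelling 4.1.1.
# Risk = combination of likelihood and consequence (3.6-3.8); a control
# modifies risk (3.11); treatment (3.9) continues until the risk is acceptable.
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # constructed acceptance threshold on a 1-5 x 1-5 scale

@dataclass
class Control:
    name: str                       # constructed control name
    likelihood_reduction: int = 0   # how much the control lowers likelihood
    consequence_reduction: int = 0  # how much the control lowers consequence

@dataclass
class Risk:
    event: str
    owner: str          # risk owner (3.10): accountable and authorised to manage it
    likelihood: int     # 1 (rare) .. 5 (almost certain), constructed scale
    consequence: int    # 1 (negligible) .. 5 (severe), constructed scale
    controls: list = field(default_factory=list)

    def level(self) -> int:
        """Risk level as the combination of likelihood and consequence."""
        return self.likelihood * self.consequence

    def apply(self, control: Control) -> None:
        """One treatment step: the control modifies the risk; factors never drop below 1."""
        self.likelihood = max(1, self.likelihood - control.likelihood_reduction)
        self.consequence = max(1, self.consequence - control.consequence_reduction)
        self.controls.append(control.name)

def treat(risk: Risk, candidates: list, threshold: int = ACCEPTABLE_RISK) -> Risk:
    """Apply candidate controls in priority order until the risk is acceptable.
    Controls not needed to reach the threshold are left unapplied."""
    for control in candidates:
        if risk.level() <= threshold:
            break
        risk.apply(control)
    return risk

if __name__ == "__main__":
    # Constructed scenario: ransomware making customer records unavailable.
    r = Risk("ransomware makes customer records unavailable", "Head of IT", 4, 5)
    print("initial level:", r.level())                           # 20, unacceptable
    treat(r, [Control("offline backups", consequence_reduction=3),
              Control("mail filtering", likelihood_reduction=2),
              Control("endpoint detection", likelihood_reduction=1)])
    print("treated level:", r.level(), "controls:", r.controls)  # 4, first two only
```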
4.1.2 Information
Information is an asset which, like other important assets of the organization, is essential to its operation and consequently requires suitable protection. This applies whether the information is held by the organization or entrusted to it by a third party, for example a customer.
It can be stored in many forms, including digital (for example, data files held on electronic or optical media), physical (for example, on paper) or as information held as knowledge. Information can be transmitted by various means, including by post and by electronic or verbal communication. Whatever form the information takes, and however it is transmitted, it requires appropriate protection.
In many organizations, information depends on information and communications technology. This technology is often an essential element of the organization, and it facilitates the creation, processing, storage, transmission, protection and destruction of information.
4.1.3 Information security
Information security ensures the confidentiality, availability and integrity of information. To contribute to the success and continuity of the organization, while minimizing as far as possible the consequences of information security incidents, information security involves applying and managing appropriate controls, which entails considering a wide range of threats.
4.1.4 Risks are constantly evolving
Risks are not static. Changes within the organization can alter the likelihood of information security events occurring and the severity of their consequences. Likewise, changes in the environment, and in the interests and capabilities of attackers, can also alter likelihood and consequences. Some changes happen faster than others. Organizations therefore need to:
a) monitor and
...
