
GB/T 24364-2023 English PDF

US$1159.00 · In stock
Delivery: <= 7 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 24364-2023: Information security technology - Implementation guide for information security risk management
Status: Valid


Basic data

Standard ID GB/T 24364-2023 (GB/T24364-2023)
Description (Translated English) Information security technology - Implementation guide for information security risk management
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.030
Word Count Estimation 57,597
Date of Issue 2023-05-23
Date of Implementation 2023-12-01
Older Standard (superseded by this standard) GB/Z 24364-2009
Issuing agency(ies) State Administration for Market Regulation, China National Standardization Administration

GB/T 24364-2023: Information security technology - Implementation guide for information security risk management


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/Z 24364-2009
Information security technology - Implementation guide for information security risk management
Issued on 2023-05-23; implemented on 2023-12-01
Issued by the State Administration for Market Regulation and the National Standardization Administration

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Information security risk management implementation framework
5 Information security risk management principles
5.1 Hierarchical management
5.2 Overall management
5.3 Dynamic adjustment
5.4 Scientific and reasonable
6 Information security risk management guarantee mechanisms
6.1 Leadership responsibility system
6.2 Overall coordination mechanism
6.3 Expert advisory mechanism
6.4 Major risk consultation mechanism
7 Information security risk management guarantee measures
7.1 Personnel guarantee
7.2 System guarantee
7.3 Funding guarantee
7.4 Tool guarantee
8 Information security risk management capabilities
8.1 Asset identification capability
8.2 Threat identification capability
8.3 Vulnerability identification capability
8.4 Capability to evaluate the effectiveness of existing measures
8.5 Risk analysis and evaluation capability
8.6 Risk treatment capability
8.7 Risk monitoring and early warning capability
8.8 Risk information sharing capability
9 Information security risk management process
9.1 Overview
9.2 Context establishment
9.3 Risk assessment
9.4 Risk treatment
9.5 Approved retention
9.6 Monitoring and review
9.7 Communication and consultation
Appendix A (informative) Documentation output
A.1 Context establishment documentation
A.2 Risk assessment documentation
A.3 Risk treatment documentation
A.4 Approved retention documentation
A.5 Monitoring and review documentation
A.6 Communication and consultation documentation
Appendix B (informative) Examples of risk treatment practice
B.1 Example
B.2 Risk treatment preparation
B.3 Risk treatment implementation
B.4 Risk treatment evaluation
References

Foreword

This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document replaces GB/Z 24364-2009 "Information security technology - Guidelines for information security risk management". Compared with GB/Z 24364-2009, apart from structural adjustments and editorial changes, the main technical changes are as follows:

a) The object and scope of the standard are changed from information systems to risk management objects (see Chapter 1);
b) The terms and definitions of "availability", "confidentiality", "integrity", "risk" and "risk treatment" are deleted (see 3.1 and 3.2; 3.4, 3.5 and 3.7 of the 2009 edition);
c) An information security risk management framework is added, covering risk management principles, guarantee mechanisms, guarantee measures and management capabilities (see Chapter 4);
d) The content and process of information security risk management are changed (see 9.1; 4.2 of the 2009 edition);
e) The context establishment process is changed, and basic criteria for determining its content are introduced (see 9.2; Chapter 5 of the 2009 edition);
f) Changes related to risk assessment (see 9.3; Chapter 6 of the 2009 edition);
g) "Monitoring and review" is changed to "monitoring and review" and the related content is changed (see 9.6; Chapter 9 of the 2009 edition);
h) Changes related to communication and consultation (see 9.7; Chapter 10 of the 2009 edition);
i) The content on risk management in each life-cycle stage is deleted (see Chapters 11, 12, 13, 14 and 15 of the 2009 edition);
j) Changes related to risk treatment (see 9.2 and 9.4; Chapter 7 of the 2009 edition).

Please note that some contents of this document may involve patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this document: State Information Center, the 15th Research Institute of China Electronics Technology Group Corporation, Beijing Anxin Tianxing Technology Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., China Information Technology Security Evaluation Center, China Cybersecurity Review Technology and Certification Center, Shenzhen Sinfu Technology Co., Ltd., Beijing Information Security Evaluation Center, the First Research Institute of the Ministry of Public Security, the Third Research Institute of the Ministry of Public Security, Beijing Guoxin Jingning Information Security Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Zhengzhou University of Light Industry, Henan Agricultural University, Shenzhen Information Security Management Center, Guangzhou Information Security Evaluation Center, Shenzhen Longhua District Government Service Data Administration, Shenzhen Huasheng Jiusi Technology Co., Ltd.

Main drafters of this document: Lu Kai, Chen Yonggang, Zhao Zengzhen, Ge Xiaonan, Chen Qingmin, Yang Jian, Liu Runyi, Du Yuge, Chen Yangguo, Liu Delin, Cheng Yuqi, Li Yuan, Ma Jiangtao, Li Qiuxiang, Chen Pan, Chen Yibo, Zhang Yi, Liu Jian, Liu Feng, Ren Jinqiang, Wang Yan, Zhang Ruiqing, Dong Anbo, Liu Yongjie, Zhu Runsu, Gao Jie, Tang Zhiqiang, Zhu Jianxing, Li Shanghao.

The release history of this document and the documents it replaces is as follows:
--- First published as GB/Z 24364-2009 in 2009;
--- This is the first revision.

Introduction

Currently, the main information security risk management standards include:
--- GB/T 26333-2010 "Industrial control network security risk assessment specification";
--- GB/T 31722-2015 "Information technology - Security techniques - Information security risk management" (ISO/IEC 27005:2008, IDT);
--- GB/T 31509-2015 "Information security technology - Guidelines for the implementation of information security risk assessment";
--- GB/T 33132-2016 "Information security technology - Implementation guide for information security risk management";
--- GB/T 36637-2018 "Information security technology - Guidelines for ICT supply chain security risk management";
--- GB/T 20984-2022 "Information security technology - Risk assessment method for information security";
--- ISO 31000:2018 "Risk management - Guidelines";
--- ISO/IEC 27005:2018 "Information technology - Security techniques - Information security risk management".

As one of the information security risk management standards, this document was revised in accordance with national policies on information security risk management and with reference to GB/T 31722-2015, ISO 31000:2018, ISO/IEC 27005:2018 and other standards, in order to give organizations more specific guidance on implementing information security risk management, including its objectives, principles, guarantee mechanisms, guarantee measures, capabilities and processes. Table 1 shows the correspondence between the risk management process of this document and those of ISO 31000:2018, GB/T 31722-2015 and ISO/IEC 27005:2018.

This document does not, however, specify the detailed implementation of information security risk management; an organization may determine the details of its own implementation according to its risk management scope, risk management context or the industry in which it operates. It may also use its existing methods within the framework described in this document to meet its risk management requirements.

Table 1 Correspondence of risk management processes

ISO 31000:2018              | GB/T 31722-2015              | ISO/IEC 27005:2018           | This document
Scope, context, criteria    | Context establishment        | Context establishment        | Context establishment
Risk assessment             | Risk assessment              | Risk assessment              | Risk assessment
Risk treatment              | Risk treatment               | Risk treatment               | Risk treatment
-                           | Risk acceptance              | -                            | Approved retention
Communication and consultation | Risk communication        | Communication and consultation | Communication and consultation
Monitoring and review       | Risk monitoring and review   | Monitoring and review        | Monitoring and review
Recording and reporting     | -                            | -                            | Approved retention

Note: Chapter 9 of this document elaborates the concepts and work content of each process in the implementation of information security risk management.

1 Scope

This document establishes the implementation framework for information security risk management, describes the principles, guarantee mechanisms, guarantee measures, capabilities and processes of information security risk management, and gives the implementation points and work forms of each management process. This document is applicable to all types of organizations carrying out information security risk management.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

GB/T 20984-2022 Information security technology - Risk assessment method for information security
GB/T 24363-2009 Information security technology - Specification for information security emergency response plan
GB/T 25069-2022 Information security techniques - Terminology
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
GB/T 31509 Information security technology - Guidelines for the implementation of information security risk assessment
GB/T 31722-2015 Information technology - Security techniques - Information security risk management
GB/T 38645-2020 Information security technology - Guide for network security incident emergency drills

3 Terms and definitions, abbreviations

3.1 Terms and definitions

The terms and definitions defined in GB/T 25069-2022, GB/T 29246-2017, GB/T 31722-2015 and GB/T 20984-2022 apply to this document.

3.1.1
The potential for a particular threat to exploit a vulnerability of an asset or a group of assets and thereby cause harm to an organization.
Note: Measured as a combination of the likelihood of an event and its consequences.
[Source: GB/T 25069-2022, 3.681]

3.1.2 risk management
Coordinated activities to direct and control an organization with regard to risk.
[Source: GB/T 29246-2017, 2.76]

3.1.3 business
Operational activities carried out by an organization to achieve a certain development strategy.
