GB/T 31722-2025 (GB/T 31722-2015) PDF English
GB/T 31722-2015: Information technology -- Security techniques -- Information security risk management. Price: US$495.00. In stock; delivery within 9 seconds: the true-PDF full copy in English and the invoice are downloaded and also delivered automatically by e-mail. Status: Valid.

GB/T 31722: Evolution and historical versions
| Standard ID | Contents [version] | USD | PDF delivery | Name of Chinese Standard | Status |
|---|---|---|---|---|---|
| GB/T 31722-2025 | English | 1084 | 7 days | Cybersecurity technology - Guidance on managing information security risks | Valid |
| GB/T 31722-2015 | English | 495 | 0-9 seconds, auto-delivery | Information technology -- Security techniques -- Information security risk management | Valid |
PDF Preview (excerpt): GB/T 31722-2015

GB/T 31722-2015: Information technology -- Security techniques -- Information security risk management. This is an excerpt. The full copy of the true-PDF in English (including equations, symbols, images, flow-charts, tables and figures) can be purchased online at https://www.ChineseStandard.net/PDF.aspx/GBT31722-2015 and is auto-downloaded/delivered in 9 seconds.
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
GB/T 31722-2015 / ISO/IEC 27005:2008
Information technology - Security techniques -
Information security risk management
(ISO/IEC 27005:2008, IDT)
Issued on: June 02, 2015
Implemented on: February 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword... 3
Introduction... 4
1 Scope... 6
2 Normative references... 6
3 Terms and definitions... 6
4 Structure of this Standard... 8
5 Background... 9
6 Overview of the information security risk management process... 10
7 Context establishment... 13
8 Information security risk assessment... 18
9 Information security risk treatment... 29
10 Information security risk acceptance... 34
11 Information security risk communication... 35
12 Information security risk monitoring and review... 36
Annex A (informative) Defining the scope and boundaries of the information security risk management process... 40
Annex B (informative) Identification and valuation of assets and impact assessment... 47
Annex C (informative) Examples of typical threats... 60
Annex D (informative) Vulnerabilities and methods for vulnerability assessment... 63
Annex E (informative) Information security risk assessment approaches... 69
Annex F (informative) Constraints for risk reduction... 77
Bibliography... 80
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document
may be the subject of patent rights. The drafting authority of this document shall
not be held responsible for identifying any or all such patent rights.
This Standard uses the translation method to be identical to ISO/IEC 27005:2008 "Information technology - Security techniques - Information security risk management" (English version).
The following changes have been made to this Standard:
- Some editorial changes were made to the introduction.
This Standard was proposed by and shall be under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
Drafting organizations of this Standard: China Electronics Standardization Institute, Shanghai 30Wish Information Security Co., Ltd., CEC Cyberspace Great Wall Co., Ltd., Shandong Computer Science Center, Beijing Information Security Test and Evaluation Center.
Main drafters of this Standard: Xu Yuna, Min Jinghua, Shangguan Xiaoli, Dong Huomin, Zhao Zhangjie, Li Gang, Zhou Mingle.
1 Scope
This Standard provides guidelines for information security risk management.
This Standard supports the general concepts specified in GB/T 22080 and is
designed to assist the satisfactory implementation of information security based
on a risk management approach.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 22080-2008 Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2005, IDT)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T
22080-2008, GB/T 22081-2008 and the following apply.
Exchange or sharing of information about risk between the decision-maker and
other stakeholders.
4 Structure of this Standard
This Standard contains the description of the information security risk
management process and its activities.
Some of this guidance may not be suitable in all cases and so other ways
of performing the action may be more appropriate.
Output: Identifies any information derived after performing the activity.
5 Background
The information security risk management process can be applied to the
organization as a whole, any discrete part of the organization (e.g. a department,
a physical location, a service), any information system, existing or planned or
particular aspects of control (e.g. business continuity planning).
6 Overview of the information security risk management process
The context is established first. Then a risk assessment is conducted. If this
provides sufficient information to effectively determine the actions required to
modify the risks to an acceptable level then the task is complete and the risk
treatment follows.
7 Context establishment
Depending on the scope and objectives of the risk management, different
approaches can be applied. The approach might also be different for each
iteration.
8 Information security risk assessment
It is up to the organization to select its own approach to risk assessment based
on the objectives and the aim of the risk assessment.
Input: Information on threats obtained from incident reviewing, asset owners, users and other sources, including external threat catalogues.
9 Information security risk treatment
There are four options available for risk treatment: risk reduction (see 9.2), risk retention (see 9.3), risk avoidance (see 9.4) and risk transfer (see 9.5).
Action: The activity or condition that gives rise to the particular risk should be avoided.
10 Information security risk acceptance
Risk treatment plans should describe how assessed risks are to be treated to
meet risk acceptance criteria (see 7.2 - Risk acceptance criteria). It is important
for responsible managers to review and approve proposed risk treatment plans
and resulting residual risks, and record any conditions associated with such
approval.
11 Information security risk communication
Input: All risk information obtained from the risk management activities (see Figure 1).
12 Information security risk monitoring and review
......

Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.