GB/T 20984-2022: Information security technology - Risk assessment method for information security
Status: Valid (replaces GB/T 20984-2007)
This is an excerpt. The full English PDF (including equations, symbols, images, flow charts, tables, and figures) can be purchased at: https://www.ChineseStandard.net/PDF.aspx/GBT20984-2022

NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20984-2007

Information security technology - Risk assessment method for information security

Issued on: April 15, 2022
Implemented on: November 01, 2022
Issued by: State Administration for Market Regulation; Standardization Administration of the PRC

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Risk assessment framework and process
4.1 Relationship between risk factors
4.2 Principles of risk analysis
4.3 Risk assessment process
5 Implementation of risk assessment
5.1 Preparation of risk assessment
5.2 Risk identification
5.3 Risk analysis
5.4 Risk evaluation
5.5 Communication and negotiation
5.6 Risk assessment documentation
Appendix A (Informative) Risk assessment at each stage of assessment object lifecycle
Appendix B (Informative) Work forms of risk assessment
Appendix C (Informative) Tools for risk assessment
Appendix D (Informative) Asset identification
Appendix E (Informative) Threat identification
Appendix F (Informative) Examples of risk calculation
Bibliography

1 Scope
This document describes the basic concepts of information security risk assessment, the relationship between risk factors, the principles of risk analysis, the implementation process and assessment method of risk assessment, as well as the implementation points and work forms of risk assessment at different stages of the information system lifecycle.
This document applies to all types of organizations conducting information security risk assessments.

2 Normative references
The contents of the following documents constitute indispensable provisions of this document through normative references in this text. For dated references, only the edition corresponding to that date applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069 Information security techniques - Terminology
GB/T 33132-2016 Information security technology - Guide of implementation for information security risk treatment

3 Terms and definitions, abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB/T 25069 and the following ones apply to this document.
3.1.1 Information security risk
The potential for a particular threat to exploit the vulnerability of a single asset or group of assets, and the damage that this may cause to an organization.
3.1.2 Risk assessment
The entire process of risk identification, risk analysis, and risk evaluation.
3.1.3 Organization
An individual or group that has its own responsibilities, authority, and relationships to achieve its goals.
Note: The concept of organization includes, but is not limited to, a sole proprietor, company, legal person, firm, enterprise, agency, partnership, charity or institution, or parts or combinations thereof, whether incorporated or not, public or private.
[Source: GB/T 29246-2017, 2.57, modified]

4 Risk assessment framework and process
4.1 Relationship between risk factors
The relationship between the basic factors in risk assessment is shown in Figure 1. The basic factors of risk assessment include asset, threat, vulnerability, and security control. Risk assessment is carried out based on the above factors.
4.2 Principles of risk analysis
The principles of risk analysis are as follows.
4.3 Risk assessment process
The implementation process of risk assessment is shown in Figure 2. The risk assessment process shall include the following.

5 Implementation of risk assessment
5.1 Preparation of risk assessment
An organization's implementation of risk assessment is a strategic consideration. Its results will be affected by organizational planning, business, business processes, security requirements, system scale and structure, etc. Therefore, before the implementation of risk assessment, the following work shall be prepared.
5.2 Risk identification
5.2.1 Asset identification
5.2.2 Threat identification
5.2.2.1 Content of threat identification
The content of threat identification includes the source, subject, type, motivation, timing, and frequency of the threat.
5.2.4 Vulnerability identification
5.2.4.1 Content of vulnerability identification
If vulnerabilities do not have a corresponding threat, controls do not need to be implemented, but they shall be noted and monitored for changes. Conversely, if a threat does not have a corresponding vulnerability, it does not lead to a risk. It shall be noted that unreasonable implementation of controls, failure of controls, or misuse of controls are inherent vulnerabilities. Controls may or may not be effective depending on the environment in which they operate.
5.4 Risk evaluation
5.4.1 Evaluation of system asset risk
According to the risk evaluation criteria, the system asset risk calculation results are graded. Table 11 presents a grading method for system asset risk.
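To illustrate the identification rule in 5.2.4.1 (a risk exists only where a threat and a vulnerability correspond; an unexploitable vulnerability is noted and monitored; a failed, misused or unreasonably implemented control is itself a vulnerability), using the threat attributes listed in 5.2.2.1, here is an added Python example that is not part of the standard or of the translation. The data classes, field names, the control status vocabulary and the sample register are assumptions constructed for illustration.

```python
# Added example, not from GB/T 20984-2022: a minimal risk-identification step.
# Field names, status vocabulary and sample data are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    # The six attributes named in 5.2.2.1, plus an assumed 'targets' field:
    # the ids of the vulnerabilities this threat is able to exploit.
    source: str
    subject: str
    threat_type: str
    motivation: str
    timing: str
    frequency: str
    targets: frozenset

@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str
    description: str

@dataclass(frozen=True)
class Control:
    cid: str
    asset: str
    status: str  # assumed vocabulary: "effective", "failed", "misused", "unreasonable"

def controls_as_vulnerabilities(controls):
    """5.2.4.1: a control that failed, is misused or is unreasonably implemented is a vulnerability."""
    return [Vulnerability(f"ctl-{c.cid}", c.asset, f"control {c.cid} is {c.status}")
            for c in controls if c.status != "effective"]

def identify(threats, vulnerabilities, controls):
    """Return (risks, monitor_only). A risk is a (threat subject, asset, vulnerability id)
    triple for every threat/vulnerability correspondence; vulnerabilities no threat can
    exploit are listed for monitoring only; threats with no matching vulnerability yield nothing."""
    vulns = list(vulnerabilities) + controls_as_vulnerabilities(controls)
    risks, exploited = [], set()
    for t in threats:
        for v in vulns:
            if v.vid in t.targets:
                risks.append((t.subject, v.asset, v.vid))
                exploited.add(v.vid)
    monitor_only = [v.vid for v in vulns if v.vid not in exploited]
    return risks, monitor_only

# Constructed sample register (not real assessment data).
SAMPLE_THREATS = [
    Threat("external", "opportunistic attacker", "malicious attack", "financial gain",
           "any time", "high", frozenset({"V1", "ctl-C2"})),
    Threat("internal", "careless operator", "misoperation", "none", "business hours",
           "medium", frozenset({"V9"})),  # V9 does not exist: no corresponding vulnerability
]
SAMPLE_VULNS = [Vulnerability("V1", "web server", "unpatched service"),
                Vulnerability("V2", "file server", "weak configuration")]
SAMPLE_CONTROLS = [Control("C1", "web server", "effective"),
                   Control("C2", "file server", "failed")]
```

Running `identify(SAMPLE_THREATS, SAMPLE_VULNS, SAMPLE_CONTROLS)` yields two risks (V1 and the failed control C2, both reachable by the first threat), V2 as monitor-only, and nothing at all for the second threat.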
5.4.2 Evaluation of business risk
According to the risk evaluation criteria, the business risk calculation results are graded. When conducting business risk evaluation, it can be analyzed from two aspects: social impact and organizational impact. Social impact covers aspects such as national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons, and other organizations.
5.6.2 Risk assessment documents
Risk assessment documents refer to the process documents and result documents generated during the risk assessment process, including (but not limited to):

Appendix A (Informative) Risk assessment at each stage of assessment object lifecycle
A.1 Overview
Risk assessment shall run through all stages of the assessment object lifecycle. The risk assessment principles and methods involved in each stage of the assessment object lifecycle are consistent. But because the implementation contents, objects, and security requirements differ in each stage, the risk assessment objects, purposes, requirements, and other aspects also differ. In the planning and design stage, risk assessment is used to determine the security objectives of the assessment object.
......
Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.