TECHNICAL SPECIFICATION
ISO/IEC TS 33052
First edition 2016-06-15

Information technology - Process reference model (PRM) for information security management

Technologies de l'information - Modèle de référence des procédés pour le management de la sécurité de l'information

Reference number ISO/IEC TS 33052:2016(E)
© ISO/IEC 2016

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
[email protected]
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of the PRM
5 Process descriptions
5.1 Introduction
5.2 ORG.1 Asset management
5.3 TEC.01 Capacity management
5.4 TEC.02 Change management
5.5 COM.01 Communication management
5.6 TEC.03 Configuration management
5.7 COM.02 Documentation management
5.8 ORG.2 Equipment management
5.9 ORG.3 Human resource employment management
5.10 COM.03 Human resource management
5.11 COM.04 Improvement
5.12 TEC.04 Incident management
5.13 ORG.4 Infrastructure and work environment
5.14 COM.05 Internal audit
5.15 TOP.1 Leadership
5.16 COM.06 Management review
5.17 COM.07 Non-conformity management
5.18 COM.09 Operational implementation and control
5.19 COM.08 Operational planning
5.20 COM.10 Performance evaluation
5.21 TEC.05 Product/service release
5.22 TEC.08 Product/Service/System requirements
5.23 COM.11 Risk and opportunity management
5.24 TEC.06 Service availability management
5.25 TEC.07 Service continuity management
5.26 ORG.5 Supplier management
5.27 TEC.09 Technical data preservation and recovery
Annex A (informative) The relationship between management system requirements and a process reference model
Annex B (informative) Statement of conformity to ISO/IEC 33004
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the
ISO IEC TS 33052 2016 Information technology — Process reference model (PRM) for information security management
This document was uploaded and shared by 人生无常 on 2026-01-06 01:46:52.