Information technology - Process assessment - Process capabilityassessment model for information security management

Standards Development Organisation:

Canadian Standards Association (operating as CSA Group)

Contact Information:

Canadian Standards Association (operating as CSA Group)

Working Program:

View the CSA work program

Designation Number:

CAN/CSA-ISO/IEC TS 33072:18

Standard Type:

National Standard of Canada - Adoption of International Standard

Standard Development Activity:

Reaffirmation

ICS code(s):

35.080

Status:

Proceeding to development

SDO Comment Period Start Date:

2022-08-03

SDO Comment Period End Date:

2022-08-24

Posted On:

2022-07-27

Scope:

This Technical Specification:

defines a process assessment model (PAM) that meets the requirements of ISO/IEC 33004 and that supports the performance of an assessment of process capability by providing indicators for guidance on the interpretation of the process purposes and outcomes as defined in ISO/IEC TS 33052 and the process attributes as defined in ISO/IEC 33020;
provides guidance, by example, on the definition, selection and use of assessment indicators.

A PAM comprises a set of indicators of process performance and process capability. The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. The set of indicators included in this Technical Specification is not intended to be an all-inclusive set nor is it intended to be applicable in its entirety.

The PAM in this Technical Specification is directed at assessment sponsors and competent assessors who wish to select a model, and associated documented process method, for assessment (for either capability determination or process improvement). Additionally it may be of use to developers of assessment models in the construction of their own model, by providing examples of good information security management practices. It can be used by:

a) service providers to assess and improve an Information Security Management System (ISMS);
b) service providers to demonstrate their capability for the design, development, transition and delivery of services that fulfil information security management requirements.

Any PAM meeting the requirements defined in ISO/IEC 33004 concerning models for process assessment can be used for assessment. Different models and methods might be needed to address differing business needs. The assessment model in this Technical Specification meets all the requirements expressed in ISO/IEC 33004.

NOTE Copyright release for the PAM: Users of this Technical Specification may reproduce subclauses 5.2 to 5.27, 6.2, B.2 and B.3 as part of any tool or other material to support the performance of process assessments so that it can be used for its intended purpose.

Project need:

To review the Standard within the required 5 year period.

Note: The information provided above was obtained by the Standards Council of Canada (SCC) and is provided as part of a centralized, transparent notification system for new standards development. The system allows SCC-accredited Standards Development Organizations (SDOs), and members of the public, to be informed of new work in Canadian standards development, and allows SCC-accredited SDOs to identify and resolve potential duplication of standards and effort.

Individual SDOs are responsible for the content and accuracy of the information presented here. The text is presented in the language in which it was provided to SCC.