scope:

This security management system standard addresses security-related risks of all acts and behaviour able to cause harm, damage, or loss to an organization's tangible and intangible assets, including people and environment. It defines requirements for an organization to assess its specific security-related risks and treat those risks that are pertinent to an organization and its risk tolerance. The treatments proactively prevent acts that are detrimental to the organization. This security management system should be an integral part of the organization's overall management system. The requirements specified in this International Standard are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment, product and service portfolio, risk profile and complexity.