Information technology - Security techniques - Information security controls for the energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
-      central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
-      digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;
-      all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
-      communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
-      Advanced Metering Infrastructure (AMI) components, e.g. smart meters;
-      measurement devices, e.g. for emission values;
-      digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
-      energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations;
-      distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
-      all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);
-      any premises housing the above-mentioned equipment and systems;
-      remote maintenance systems for above-mentioned systems.
ISO/IEC 27019:2017 does not apply to the process control domain of nuclear facilities. This domain is covered by IEC 62645.
ISO/IEC 27019:2017 also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry-sector?specific guidance provided in this document.

Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)

Dieses Dokument gibt auf Basis von ISO/IEC 27002:2013 Hinweise für Systeme der Prozesssteuerung der Energieversorgung, die zur Steuerung, Regelung und Überwachung von Gewinnung oder Erzeugung, Übertragung, Speicherung und Verteilung von Strom, Gas, Öl und Wärme und für die Steuerung von unterstützenden Prozessen dienen. Dies umfasst insbesondere:
- zentrale und dezentrale Prozesssteuerungs-, Leit-, Automatisierungs- und Überwachungstechnik sowie die für ihren Betrieb genutzten Informationssysteme, wie z. B. Programmier- und Parametriergeräte;
- digitale Steuerungen und Automatisierungskomponenten wie Leit- und Feldgeräte oder Speicherpro-grammierbare Steuerungen (SPSen), inklusive digitaler Sensor- und Aktorelemente;
- alle weiteren in der Prozesstechnik genutzten unterstützenden Informationssysteme, z. B. für die Aufgabe der ergänzenden Datenvisualisierung und zur Steuerung, Überwachung, Datenarchivierung, Langzeitprotokollierung, Berichtswesen und zur Dokumentation;
- in der Prozesstechnik eingesetzte Kommunikationstechnik, z. B. Netzwerk-, Telemetrie-, Fernwirk- und Fernsteuertechnik;
- Advanced-Metering-Infrastruktur-(AMI)-Komponenten, z. B. intelligente Zähler;
- Mess- und Zählvorrichtungen, z. B. zur Emissionswerterfassung;
- digitale Schutz- und Safety-Systeme, z. B. Schutzgeräte, Sicherheits-Steuerungen und Notfallsteuerungsmechanismen;
- Energiemanagementsysteme, z. B. für dezentrale Energieerzeugungssysteme, elektrische Ladeinfra-strukturen, in Privathaushalten, Wohngebäuden oder industriellen Kundeninstallationen;
- verteilte Komponenten von Smart-Grid-Umgebungen, z. B. in Energienetzen, Privathaushalten, Wohn-gebäuden oder industriellen Kundeninstallationen;
- alle Arten von Software, Firmware und Anwendungen, die auf den vorgenannten Systemen eingesetzt werden, z. B. Netzführungs-Anwendungen oder Ausfallmanagementsysteme;
- jegliche Lokalität mit den oben erwähnten Anlagen oder Systemen;
- Fernwartungssysteme für die oben aufgeführten Systeme.
Nicht im Geltungsbereich dieses Dokuments liegt der Bereich der Prozesssteuerung von Kernenergie-anlagen. Dieser Bereich wird von IEC 62645 abgedeckt.
Darüber hinaus enthält dieses Dokument eine Anforderung, um die in ISO/IEC 27001:2013 beschriebenen Risikobeurteilungs- und -behandlungsprozesse an die in diesem Dokument enthaltenen energiesektor-spezifischen Empfehlungen anzupassen.

Technologies de l'information - Techniques de sécurité - Mesures de sécurité de l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version corrigée 2019-08)

Le présent document contient des recommandations basées sur l'ISO/IEC 27002:2013 appliquées aux systèmes de contrôle des processus utilisés par l'industrie des opérateurs de l'énergie pour contrôler et surveiller la production, le transport, le stockage et la distribution de l'électricité, du gaz, du pétrole et de la chaleur, ainsi que pour le contrôle des processus support associés. Cela inclut en particulier:
—          les technologies de contrôle et de surveillance des processus centralisées et distribuées, des automates et des systèmes d'information utilisés pour leur fonctionnement, tels que les dispositifs de programmation et de paramétrage;
—          les contrôleurs numériques et les composants d'automates tels que les équipements de contrôle et de terrain ou les automates programmables (PLC), y compris les capteurs et actionneurs numériques;
—          tous les autres systèmes d'information support utilisés dans le domaine du contrôle des processus, par exemple pour les tâches de visualisation de données supplémentaires et à des fins de contrôle, de surveillance, d'archivage de données et de logs (historian logging), de génération de rapports et de documentation;
—          les technologies de communication utilisées dans le domaine du contrôle des processus, par exemple les réseaux, la télémétrie, les applications de télé-conduite et les technologies de contrôle à distance;
—          les composants des infrastructures de comptage communicants, tels que les compteurs intelligents;
—          les équipements de mesure, destinés par exemple à mesurer les valeurs d'émission;
—          les systèmes de protection et de sûreté numériques, tels que les relais de protection, les automates programmables de sûreté ou les régulateurs d'urgence;
—          les systèmes de management de l'énergie, par exemple, pour la production d'énergie décentralisée (DER, Distributed Energy Resources), les infrastructures de recharge électrique, chez les particuliers, dans les bâtiments d'habitation ou dans les installations de clients industriels;
—          les composants distribués des environnements de réseaux intelligents, par exemple dans les réseaux d'énergie, chez les particuliers, dans les bâtiments d'habitation ou dans les installations de clients industriels;
—          tous les logiciels, firmwares et applications installés sur les systèmes mentionnés ci-dessus, par exemple, des systèmes de gestion de la distribution (DMS, Distribution Management System) ou des systèmes de gestion des pannes (OMS, Outage Management System);
—          tous les locaux hébergeant les équipements et les systèmes mentionnés ci-dessus;
—          les systèmes de maintenance à distance pour les systèmes mentionnés ci-dessus.
Le présent document ne s'applique pas au domaine du contrôle de processus des installations nucléaires. Ce domaine est couvert par l'IEC 62645.
Le présent document contient également une exigence relative à l'adaptation de l'appréciation des risques et des processus de traitement décrits dans l'ISO/IEC 27001:2013 aux recommandations spécifiques à l'industrie des opérateurs de l'énergie fournies dans le présent document.

Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za energetske operaterje (ISO/IEC 27019:2017, popravljena različica 2019-08)

General Information

Status
Published
Publication Date
17-Mar-2020
Withdrawal Date
29-Sep-2020
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
18-Mar-2020
Due Date
31-Oct-2021
Completion Date
18-Mar-2020

Buy Standard

Standard
EN ISO/IEC 27019:2020
English language
46 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Standard
EN ISO/IEC 27019:2020
English language
46 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-maj-2020
Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za
energetske operaterje (ISO/IEC 27019:2017, popravljena različica 2019-08)
Information technology - Security techniques - Information security controls for the
energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)
Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die
Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)
Technologies de l'information - Techniques de sécurité - Mesures de sécurité de
l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version
corrigée 2019-08)
Ta slovenski standard je istoveten z: EN ISO/IEC 27019:2020
ICS:
03.100.70 Sistemi vodenja Management systems
27.010 Prenos energije in toplote na Energy and heat transfer
splošno engineering in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO/IEC 27019
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 03.100.70
English version
Information technology - Security techniques - Information
security controls for the energy utility industry (ISO/IEC
27019:2017, Corrected version 2019-08)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Mesures de sécurité de l'information pour l'industrie Informationssicherheitsmaßnahmen für die
des opérateurs de l'énergie (ISO/IEC 27019:2017, Energieversorgung (ISO/IEC 27019:2017, korrigierte
Version corrigée 2019-08) Fassung 2019-08)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27019:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 27019:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27019:2017 has been approved by CEN as EN ISO/IEC 27019:2020 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 27019
First edition
2017-10
Corrected version
2019-08
Information technology — Security
techniques — Information security
controls for the energy utility industry
Technologies de l'information — Techniques de sécurité — Mesures
de sécurité de l'information pour l'industrie des opérateurs de
l'énergie
Reference number
ISO/IEC 27019:2017(E)
©
ISO/IEC 2017
ISO/IEC 27019:2017(E)
© ISO/IEC 2017
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
Contents Page
Foreword .vii
0 .
Introduction .viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Structure of the document. 4
4.1 General . 4
4.2 Refinement of ISO/IEC 27001:2013 requirements . 4
4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 . 4
5 Information security policies . 4
6 Organization of information security . 4
6.1 Internal organization . 4
6.1.1 Information security roles and responsibilities . 4
6.1.2 Segregation of duties . 5
6.1.3 Contact with authorities . 5
6.1.4 Contact with special interest groups . 5
6.1.5 Information security in project management . 5
6.1.6 ENR – Identification of risks related to external parties . 5
6.1.7 ENR – Addressing security when dealing with customers . 6
6.2 Mobile devices and teleworking . 6
6.2.1 Mobile device policy . 6
6.2.2 Teleworking. 7
7 Human resource security . 7
7.1 Prior to employment . 7
7.1.1 Screening . 7
7.1.2 Terms and conditions of employment . 8
7.2 During employment . 8
7.2.1 Management responsibilities . 8
7.2.2 Information security awareness, education and training . 8
7.2.3 Disciplinary process . . 8
7.3 Termination and change of employment . 8
8 Asset management . 8
8.1 Responsibility for assets . 8
8.1.1 Inventory of assets . 8
8.1.2 Ownership of assets . 9
8.1.3 Acceptable use of assets . 9
8.1.4 Return of assets . 9
8.2 Information classification . 9
8.2.1 Classification of information . 9
8.2.2 Labelling of information .10
8.2.3 Handling of assets .10
8.3 Media handling .10
9 Access control .10
9.1 Business requirements of access control .
...


SLOVENSKI STANDARD
01-maj-2020
Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za
energetske operaterje (ISO/IEC 27019:2017, popravljena verzija 2019-08)
Information technology - Security techniques - Information security controls for the
energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)
Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die
Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)
Technologies de l'information - Techniques de sécurité - Mesures de sécurité de
l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version
corrigée 2019-08)
Ta slovenski standard je istoveten z: EN ISO/IEC 27019:2020
ICS:
03.100.70 Sistemi vodenja Management systems
27.010 Prenos energije in toplote na Energy and heat transfer
splošno engineering in general
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO/IEC 27019
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 03.100.70
English version
Information technology - Security techniques - Information
security controls for the energy utility industry (ISO/IEC
27019:2017, Corrected version 2019-08)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Mesures de sécurité de l'information pour l'industrie Informationssicherheitsmaßnahmen für die
des opérateurs de l'énergie (ISO/IEC 27019:2017, Energieversorgung (ISO/IEC 27019:2017, korrigierte
Version corrigée 2019-08) Fassung 2019-08)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27019:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 27019:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27019:2017 has been approved by CEN as EN ISO/IEC 27019:2020 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 27019
First edition
2017-10
Corrected version
2019-08
Information technology — Security
techniques — Information security
controls for the energy utility industry
Technologies de l'information — Techniques de sécurité — Mesures
de sécurité de l'information pour l'industrie des opérateurs de
l'énergie
Reference number
ISO/IEC 27019:2017(E)
©
ISO/IEC 2017
ISO/IEC 27019:2017(E)
© ISO/IEC 2017
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2017 – All rights reserved

ISO/IEC 27019:2017(E)
Contents Page
Foreword .vii
0 .
Introduction .viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Structure of the document. 4
4.1 General . 4
4.2 Refinement of ISO/IEC 27001:2013 requirements . 4
4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 . 4
5 Information security policies . 4
6 Organization of information security . 4
6.1 Internal organization . 4
6.1.1 Information security roles and responsibilities . 4
6.1.2 Segregation of duties . 5
6.1.3 Contact with authorities . 5
6.1.4 Contact with special interest groups . 5
6.1.5 Information security in project management . 5
6.1.6 ENR – Identification of risks related to external parties . 5
6.1.7 ENR – Addressing security when dealing with customers . 6
6.2 Mobile devices and teleworking . 6
6.2.1 Mobile device policy . 6
6.2.2 Teleworking. 7
7 Human resource security . 7
7.1 Prior to employment . 7
7.1.1 Screening . 7
7.1.2 Terms and conditions of employment . 8
7.2 During employment . 8
7.2.1 Management responsibilities . 8
7.2.2 Information security awareness, education and training . 8
7.2.3 Disciplinary process . . 8
7.3 Termination and change of employment . 8
8 Asset management . 8
8.1 Responsibility for assets . 8
8.1.1 Inventory of assets . 8
8.1.2 Ownership of assets . 9
8.1.3 Acceptable use of assets . 9
8.1.4 Return of assets . 9
8.2 Information classification . 9
8.2.1 Classification of information . 9
8.2.2 Labelling of information .10
8.2.3 Handling of assets .10
8.3 Media handling .10
9 Access control .10
9.1 Business requirements of access control .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.