ISO/IEC 27002:2013
Information technology — Security techniques — Code of practice for information security controls
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It is designed to be used by organizations that intend to: select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001; implement commonly accepted information security controls; develop their own information security management guidelines.
French title: Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour le management de la sécurité de l'information (Information technology — Security techniques — Code of practice for information security management)
ISO 27002:2013 gives guidelines for organizational standards relating to information security and for good practice in information security management, including the selection, implementation and management of security measures that take into account the organization's information security risk environment(s). ISO 27002:2013 is intended for organizations wishing to select the measures needed as part of implementing an information security management system (ISMS) according to ISO/IEC 27001; to implement widely recognized information security measures; and to develop their own information security management guidelines.
Slovenian title: Informacijska tehnologija - Varnostne tehnike - Pravila obnašanja pri kontrolah informacijske varnosti (Information technology - Security techniques - Code of practice for information security controls)
This International Standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into account the information security risks in the organization's environment.
This International Standard can be used by organizations that wish to:
a) select controls within the process of implementing an information security management system based on ISO/IEC 27001;
b) implement generally accepted information security controls;
c) develop their own information security management guidelines.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27002
Redline version: compares second edition to first edition
Information technology — Security techniques — Code of practice for information security controls
French title: Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour le management de la sécurité de l'information
Reference number ISO/IEC 27002:redline:2014(E)
© ISO/IEC 2014
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x — Heading numbers containing modifications are highlighted in yellow in the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents (redline: first edition, 2005, compared with second edition, 2013; "→" marks a renumbered or retitled clause, "only" marks a clause present in one edition)
Foreword (2013 only)
Foreword (2005 only)
0 Introduction
0.1 What is information security? (2005 only)
0.2 Why information security is needed? (2005 only)
0.3 How to establish security requirements (2005 only)
0.4 Assessing security risks (2005 only)
0.5 Selecting controls (2005 only)
0.6 Information security starting point (2005 only)
0.7 Critical success factors (2005 only)
0.8 Developing your own guidelines (2005 only)
1 Scope
2 Normative references (2013 only)
2 → 3 Terms and definitions
3 → 4 Structure of this standard
3.1 → 4.1 Clauses
3.2 Main security categories → 4.2 Control categories
4 Risk assessment and treatment (2005 only)
4.1 Assessing security risks (2005 only)
4.2 Treating security risks (2005 only)
5 Security policy → 5 Information security policies
5.1 Information security policy → 5.1 Management direction for information security
6 Organization of information security (2005 only)
6.1 Internal organization (2005 only)
6.2 External parties (2005 only)
7 Asset management (2005 only)
7.1 Responsibility for assets (2005 only)
7.2 Information classification (2005 only)
8 Human resources security (2005 only)
8.1 Prior to employment (2005 only)
8.2 During employment (2005 only)
8.3 Termination or change of employment (2005 only)
9 Physical and environmental security (2005 only)
9.1 Secure areas (2005 only)
9.2 Equipment security (2005 only)
10 Communications and operations management (2005 only)
10.1 Operational procedures and responsibilities (2005 only)
10.2 Third party service delivery management (2005 only)
10.3 System planning and acceptance (2005 only)
10.4 Protection against malicious and mobile code (2005 only)
10.5 Back-up (2005 only)
10.6 Network security management (2005 only)
10.7 Media handling (2005 only)
10.8 Exchange of information (2005 only)
10.9 Electronic commerce services (2005 only)
10.10 Monitoring (2005 only)
11 Access control (2005) → 6 Organization of information security (2013)
11.1 Business requirement for access control (2005 only)
11.2 User access management (2005 only)
11.3 User responsibilities (2005 only)
11.4 Network access control (2005) → 6.1 Internal organization (2013)
11.5 Operating system access control (2005 only)
11.6 Application and information access control (2005 only)
11.7 Mobile computing and teleworking (2005) → 6.2 Mobile devices and teleworking (2013)
7 Human resource security (2013 only)
7.1 Prior to employment (2013 only)
7.2 During employment (2013 only)
7.3 Termination and change of employment (2013 only)
8 Asset management (2013 only)
8.1 Responsibility for assets (2013 only)
8.2 Information classification (2013 only)
8.3 Media handling (2013 only)
9 Access control (2013 only)
9.1 Business requirements of access control (2013 only)
9.2 User access management (2013 only)
9.3 User responsibilities (2013 only)
9.4 System and application access control (2013 only)
10 Cryptography (2013 only)
10.1 Cryptographic controls (2013 only)
11 Physical and environmental security (2013 only)
11.1 Secure areas (2013 only)
11.2 Equipment (2013 only)
12 Operations security (2013 only)
12.1 Operational procedures and responsibilities (2013 only)
12.2 Protection from malware (2013 only)
12.3 Backup (2013 only)
12.4 Logging and monitoring (2013 only)
12.5 Control of operational software (2013 only)
12.6 Technical vulnerability management (2013 only)
12.7 Information systems audit considerations (2013 only)
13 Communications security (2013 only)
13.1 Network security management (2013 only)
13.2 Information transfer (2013 only)
12 Information systems acquisition, development and maintenance (2005) → 14 System acquisition, development and maintenance (2013)
12.1 → 14.1 Security requirements of information systems
12.2 Correct processing in applications (2005 only)
12.3 Cryptographic controls (2005 only)
12.4 Security of system files (2005 only)
12.5 → 14.2 Security in development and support processes
12.6 Technical vulnerability management (2005) → 14.3 Test data (2013)
15 Supplier relationships (2013 only)
15.1 Information security in supplier relationships (2013 only)
15.2 Supplier service delivery management (2013 only)
13 → 16 Information security incident management
13.1 Reporting information security events and weaknesses (2005 only)
13.2 → 16.1 Management of information security incidents and improvements
14 Business continuity management (2005) → 17 Information security aspects of business continuity management (2013)
14.1 Information security aspects of business continuity management (2005) → 17.1 Information security continuity (2013)
17.2 Redundancies (2013 only)
15 → 18 Compliance
15.1 Compliance with legal requirements (2005) → 18.1 Compliance with legal and contractual requirements (2013)
15.2 Compliance with security policies and standards, and technical compliance (2005) → 18.2 Information security reviews (2013)
15.3 Information systems audit considerations (2005 only)
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
[removed from 2005 text] The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
[added in 2013 text] ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
[removed from 2005 text] ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
[added in 2013 text] This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised.
[removed from 2005 text] This first edition of ISO/IEC 27002 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002. ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007 are provisionally retained until publication of the second edition of ISO/IEC 27002.
Foreword (as published in ISO/IEC 17799:2005, the text the redline compares against)
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 17799 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 17799:2000), which has been
technically revised.
A family of Information Security Management System (ISMS) International Standards is being developed
within ISO/IEC JTC 1/SC 27. The family includes International Standards on information security
management system requirements, risk management, metrics and measurement, and implementation
guidance. This family will adopt a numbering scheme using the series of numbers 27000 et seq.
From 2007, it is proposed to incorporate the new edition of ISO/IEC 17799 into this new numbering
scheme as ISO/IEC 27002.
0 Introduction
0.1 What is information security?
Information is an asset that, like other important business assets, is essential to an organization’s
business and consequently needs to be suitably protected. This is especially important in the increasingly
interconnected business environment. As a result of this increasing interconnectivity, information is
now exposed to a growing number and a wider variety of threats and vulnerabilities (see also OECD
Guidelines for the Security of Information Systems and Networks).
Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted
by post or by using electronic means, shown on films, or spoken in conversation. Whatever form the
information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information security is the protection of information from a wide range of threats in order to ensure
business continuity, minimize business risk, and maximize return on investments and business
opportunities.
Information security is achieved by implementing a suitable set of controls, including policies, processes,
procedures, organizational structures and software and hardware functions. These controls need to
be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the
specific security and business objectives of the organization are met. This should be done in conjunction
with other business management processes.
0.1 Background and context [heading added in 2013 text]
0.2 Why information security is needed? [heading removed from 2005 text]
Information and the supporting processes, systems, and networks are important business assets.
Defining, achieving, maintaining, and improving information security may be essential to maintain
competitive edge, cash flow, profitability, legal compliance, and commercial image.
Organizations and their information systems and networks are faced with security threats from a
wide range of sources, including computer-assisted fraud, espionage,
...
ISO/IEC 27002
Information technology — Security techniques — Code of practice for information security controls
Second edition, 2013-10-01
Our vision
To be the world's leading provider of high quality, globally relevant International Standards through its members and stakeholders.
Our mission
ISO develops high quality voluntary International Standards that facilitate international exchange of goods and services, support sustainable and equitable economic growth, promote innovation and protect health, safety and the environment.
Our process
Our standards are developed by experts all over the world who work on a volunteer or part-time basis. We sell International Standards to recover the costs of organizing this process and making standards widely available. Please respect our licensing terms and copyright to ensure this system remains independent. If you would like to contribute to the development of ISO standards, please contact the ISO Member Body in your country: www.iso.org/iso/home/about/iso_members.htm
This document has been prepared by: ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.
Committee members: ABNT, AENOR, AFNOR, ANSI, ASI, ASRO, BIS, BSI, BSJ, CODINORM, CYS, DGN, DIN, DS, DSM, DTR, ESMA, EVS, GOST R, IANOR, ILNAS, IMANOR, INDECOPI, INN, IRAM, ISRM, JISC, KATS, KAZMEMST, KEBS, MSB, NBN, NEN, NSAI, PKN, SA, SABS, SAC, SCC, SFS, SII, SIS, SIST, SLSI, SN, SNV, SNZ, SPRING SG, SUTN, TISI, UNI, UNIT, UNMZ, (ISC)2, CCETT, Cloud security alliance, ECBS, Ecma International, ENISA, EPC, ISACA, ISSEA, ITU, Mastercard, Mastercard - Europe. This list reflects contributing members at the time of publication.
Copyright protected document
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopy, or posting on the internet or intranet, without prior permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester:
© ISO/IEC 2013, Published in Switzerland
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax. +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Cover photo credit: ISO/CS, 2013
Executive summary
• Organizations of all types and sizes collect, process, store and transmit information in many forms. This information is valuable to an organization's business and operations.
• In today's interconnected and mobile world, information is processed using systems and networks that employ state-of-the-art technology. It is vital to protect this information against both deliberate and accidental threats and vulnerabilities.
• ISO/IEC 27002 helps organizations to keep secure both their information assets and those of their customers.
• It offers organizations a wide selection of security controls, together with accompanying implementation guidance. It brings these controls together as a code of practice based on the controls that are commonly applied in many different organizations.
• Effective information security also assures management and other stakeholders that the organization's assets are safe, thereby acting as a business enabler.
• Other International Standards in the ISO/IEC 27000 family give complementary advice or requirements on other aspects of the overall process of managing information security.
Contents
Our vision
Our mission
Our process
Copyright protected document
Executive summary
Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
4.1 Clauses
4.2 Control categories
5 Information security policies
5.1 Management direction for information security
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirements of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
10.1 Cryptographic controls
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised.
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001 [10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-profit) collect, process, store and transmit information in many forms including electronic, physical and verbal (e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems or other external changes (such as new laws and regulations) may create new information security risks. Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organization, information security risks are always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts to its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. An ISMS such as that specified in ISO/IEC 27001 [10] takes a holistic, coordinated view of the organization's information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.
Many information systems have not been designed to be secure in the sense of ISO/IEC 27001 [10] and this standard. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires support by all employees in the organization. It can also require participation from shareholders, suppliers or other external parties. Specialist advice from external parties can also be needed.
In a more general sense, effective information security also assures management and other stakeholders that the organization's assets are reasonably safe and protected against harm, thereby acting as a business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
a) the assessment of risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) the set of principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organization has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.
ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate. The selection of controls is dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment options and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organizations. The controls are explained in more detail below along with implementation guidance. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005 [11].
0.4 Developing your own guidelines
This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required. When documents are developed containing additional guidelines or controls, it may be useful to include cross-references to clauses in this standard where applicable to facilitate compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their lifetime (e.g. unauthorized disclosure or theft of a company's financial accounts is far less significant after they have been formally published) but information security remains important to some extent at all stages.
Information systems have lifecycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actual incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall process of managing information security.
Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000 provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of standards, and describes the scope and objectives for each member of the family.
1 Scope
This International Standard gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001 [10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses collectively containing a total of 35
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important, therefore each organization applying this standard should identify applicable controls, how important these are and their application to individual business processes. Furthermore, lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement, to satisfy the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the control objective. The guidance may not be entirely suitable or sufficient in all situations and may not fulfil the organization's specific control requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided this part is not shown.
main security categories and 114 controls.
© ISO/IEC 2013 – All rights reserved
10
---------------------- Page: 10 ----------------------
ISO/IEC 270 02 : 2 013
At a lower level, the information security policy
5 Information security
should be supported by topic-specific policies,
policies
which further mandate the implementation of
information security controls and are typically
5.1 Management direction for
structured to address the needs of certain tar-
get groups within an organization or to cover
information security
certain topics.
Objective: To provide management direc-
Examples of such policy topics include:
tion and support for information security in
accordance with business requirements and
a) access control (see Clause 9);
relevant laws and regulations.
b) information classification (and handling)
(see 8.2);
5.1.1 Policies for information security
c) physical and environmental security (see
Control
Clause 11);
A set of policies for information security should
d) end user oriented topics such as:
be defined, approved by management, published
1) acceptable use of assets (see 8.1.3);
and communicated to employees and relevant
external parties.
2) clear desk and clear screen (see
11.2.9);
Implementation guidance
3) information transfer (see 13.2.1);
At the highest level, organizations should
define an “information security policy” which 4) mobile devices and teleworking (see
6.2);
is approved by management and which sets
out the orga
...
INTERNATIONAL STANDARD ISO/IEC 27002
Second edition
2013-10-01
Information technology — Security
techniques — Code of practice for
information security controls
Technologies de l’information — Techniques de sécurité — Code de
bonne pratique pour le management de la sécurité de l’information
Reference number
ISO/IEC 27002:2013(E)
© ISO/IEC 2013
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword .v
0 Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this standard . 1
4.1 Clauses . 1
4.2 Control categories . 1
5 Information security policies . 2
5.1 Management direction for information security . 2
6 Organization of information security . 4
6.1 Internal organization . 4
6.2 Mobile devices and teleworking . 6
7 Human resource security . 9
7.1 Prior to employment . 9
7.2 During employment .10
7.3 Termination and change of employment .13
8 Asset management .13
8.1 Responsibility for assets .13
8.2 Information classification .15
8.3 Media handling .17
9 Access control .19
9.1 Business requirements of access control .19
9.2 User access management .21
9.3 User responsibilities .24
9.4 System and application access control .25
10 Cryptography .28
10.1 Cryptographic controls .28
11 Physical and environmental security .30
11.1 Secure areas .30
11.2 Equipment .33
12 Operations security .38
12.1 Operational procedures and responsibilities .38
12.2 Protection from malware .41
12.3 Backup .42
12.4 Logging and monitoring .43
12.5 Control of operational software .45
12.6 Technical vulnerability management .46
12.7 Information systems audit considerations .48
13 Communications security .49
13.1 Network security management .49
13.2 Information transfer .50
14 System acquisition, development and maintenance .54
14.1 Security requirements of information systems .54
14.2 Security in development and support processes .57
14.3 Test data .62
15 Supplier relationships .62
15.1 Information security in supplier relationships .62
15.2 Supplier service delivery management .66
16 Information security incident management .67
16.1 Management of information security incidents and improvements .67
17 Information security aspects of business continuity management .71
17.1 Information security continuity .71
17.2 Redundancies .73
18 Compliance .74
18.1 Compliance with legal and contractual requirements .74
18.2 Information security reviews .77
Bibliography .79
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been
technically and structurally revised.
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls
within the process of implementing an Information Security Management System (ISMS) based on
ISO/IEC 27001[10] or as a guidance document for organizations implementing commonly accepted
information security controls. This standard is also intended for use in developing industry- and
organization-specific information security management guidelines, taking into consideration their
specific information security risk environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-profit)
collect, process, store and transmit information in many forms including electronic, physical and verbal
(e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas
and brands are examples of intangible forms of information. In an interconnected world, information and
related processes, systems, networks and personnel involved in their operation, handling and protection
are assets that, like other important business assets, are valuable to an organization’s business and
consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats while the related processes, systems,
networks and people have inherent vulnerabilities. Changes to business processes and systems or
other external changes (such as new laws and regulations) may create new information security risks.
Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm
the organization, information security risks are always present. Effective information security reduces
these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts
to its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes,
procedures, organizational structures and software and hardware functions. These controls need to
be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the
specific security and business objectives of the organization are met. An ISMS such as that specified in
ISO/IEC 27001[10] takes a holistic, coordinated view of the organization’s information security risks in
order to implement a comprehensive suite of information security controls under the overall framework
of a coherent management system.
Many information systems have not been designed to be secure in the sense of ISO/IEC 27001[10] and this
standard. The security that can be achieved through technical means is limited and should be supported
by appropriate management and procedures. Identifying which controls should be in place requires
careful planning and attention to detail. A successful ISMS requires support by all employees in the
organization. It can also require participation from shareholders, suppliers or other external parties.
Specialist advice from external parties can also be needed.
In a more general sense, effective information security also assures management and other stakeholders
that the organization’s assets are reasonably safe and protected against harm, thereby acting as a
business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of
security requirements:
a) the assessment of risks to the organization, taking into account the organization’s overall business
strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to
and likelihood of occurrence is evaluated and potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that an organization, its trading
partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) the set of principles, objectives and business requirements for information handling, processing,
storing, communicating and archiving that an organization has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely
to result from security issues in the absence of those controls. The results of a risk assessment will
help guide and determine the appropriate management action and priorities for managing information
security risks and for implementing controls selected to protect against these risks.
ISO/IEC 27005[11] provides information security risk management guidance, including advice on risk
assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed
to meet specific needs as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk
acceptance, risk treatment options and the general risk management approach applied to the organization,
and should also be subject to all relevant national and international legislation and regulations. Control
selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security
management and applicable for most organizations. The controls are explained in more detail below
along with implementation guidance. More information about selecting controls and other risk treatment
options can be found in ISO/IEC 27005[11].
0.4 Developing your own guidelines
This International Standard may be regarded as a starting point for developing organization-specific
guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore,
additional controls and guidelines not included in this standard may be required. When documents are
developed containing additional guidelines or controls, it may be useful to include cross-references to clauses
in this standard where applicable to facilitate compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and
transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their
lifetime (e.g. unauthorized disclosure or theft of a company’s financial accounts is far less significant after
they have been formally published) but information security remains important to some extent at all stages.
Information systems have lifecycles within which they are conceived, specified, designed, developed,
tested, implemented, used, maintained and eventually retired from service and disposed of. Information
security should be taken into account at every stage. New system developments and changes to existing
systems present opportunities for organizations to update and improve security controls, taking actual
incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are
commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000
family provide complementary advice or requirements on other aspects of the overall process of
managing information security.
Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000
provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of
standards, and describes the scope and objectives for each member of the family.
INTERNATIONAL STANDARD ISO/IEC 27002:2013(E)
Information technology — Security techniques — Code of
practice for information security controls
1 Scope
This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System
based on ISO/IEC 27001[10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses collectively containing a total of 35 main security
categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances,
security controls from any or all clauses could be important, therefore each organization applying this
standard should identify applicable controls, how important these are and their application to individual
business processes. Furthermore, lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement, to satisfy the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the
control objective. The guidance may not be entirely suitable or sufficient in all situations and may not
fulfil the organization’s specific control requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and
references to other standards. If there is no other information to be provided this part is not shown.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and
communicated to employees and relevant external parties.
Implementation guidance
At the highest level, organizations should define an “information security policy” which is approved by
management and which sets out the organization’s approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to
information security;
b) assignment of general and specific responsibilities for information security management to
defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which
further mandate the implementation of information security controls and are typically structured to
address the needs of certain target groups within an organization or to cover certain topics.
Examples of such policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end user oriented topics such as:
1) acceptable use of assets (see 8.1.3);
2) clear desk and clear screen (see 11.2.9);
3) information transfer (see 13.2.1);
4) mobile devices and teleworking (see 6.2);
5) restrictions on software installations and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).
These policies should be communicated to employees and relevant external parties in a form that is
relevant, accessible and understandable to the intended reader, e.g. in the context of an “information
security awareness, education and training programme” (see 7.2.2).
Other information
The need for internal policies for information security varies across organizations. Internal policies
are especially useful in larger and more complex organizations where those defining and approving
the expected levels of control are segregated from those implementing the controls or in situations
where a policy applies to many different people or functions in the organization. Policies for information
security can be issued in a single “information security policy” document or as a set of individual but
related documents.
If any of the information security policies are distributed outside the organization, care should be taken
not to disclose confidential information.
Some organizations use other terms for these policy documents, such as “Standards”, “Directives” or “Rules”.
5.1.2 Review of the policies for information security
Control
The policies for information security should be reviewed at planned intervals or if significant changes
occur to ensure their continuing suitability, adequacy and effectiveness.
Implementation guidance
Each policy should have an owner who has approved management responsibility for the development,
review and evaluation of the policies. The review should include assessing opportunities for improvement
of the organization’s policies and approach to managing information security in response to changes to
the organizational environment, business circumstances, legal conditions or technical environment.
The review of policies for information security should take the results of management reviews into account.
Management approval for a revised policy should be obtained.
6 Organization of information security
6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and
operation of information security within the organization.
6.1.1 Information security roles and responsibilities
Control
All information security responsibilities should be defined and allocated.
Implementation guidance
Allocation of information security responsibilities should be done in accordance with the information
security
...
SLOVENIAN STANDARD
SIST ISO/IEC 27002:2013
01-november-2013
Information technology - Security techniques - Code of practice for information security controls
Information technology -- Security techniques -- Code of practice for information security
controls
Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour
le management de la sécurité de l'information
This Slovenian standard is identical to: ISO/IEC 27002:2013
ICS:
35.040 Character sets and information coding
SIST ISO/IEC 27002:2013 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
INTERNATIONAL ISO/IEC
STANDARD 27002
Second edition
2013-10-01
Information technology — Security
techniques — Code of practice for
information security controls
Technologies de l’information — Techniques de sécurité — Code de
bonne pratique pour le management de la sécurité de l’information
Reference number
ISO/IEC 27002:2013(E)
©
ISO/IEC 2013
---------------------- Page: 3 ----------------------
SIST ISO/IEC 27002:2013
ISO/IEC 27002:2013(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved
---------------------- Page: 4 ----------------------
SIST ISO/IEC 27002:2013
ISO/IEC 27002:2013(E)
Contents Page
Foreword .v
0 Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this standard . 1
4.1 Clauses . 1
4.2 Control categories . 1
5 Information security policies . 2
5.1 Management direction for information security . 2
6 Organization of information security . 4
6.1 Internal organization . 4
6.2 Mobile devices and teleworking . 6
7 Human resource security . 9
7.1 Prior to employment . 9
7.2 During employment .10
7.3 Termination and change of employment .13
8 Asset management .13
8.1 Responsibility for assets .13
8.2 Information classification .15
8.3 Media handling .17
9 Access control .19
9.1 Business requirements of access control .19
9.2 User access management .21
9.3 User responsibilities .24
9.4 System and application access control .25
10 Cryptography .28
10.1 Cryptographic controls .28
11 Physical and environmental security .30
11.1 Secure areas .30
11.2 Equipment .33
12 Operations security .38
12.1 Operational procedures and responsibilities .38
12.2 Protection from malware .41
12.3 Backup .42
12.4 Logging and monitoring .43
12.5 Control of operational software .45
12.6 Technical vulnerability management .46
12.7 Information systems audit considerations .48
13 Communications security .49
13.1 Network security management .49
13.2 Information transfer .50
14 System acquisition, development and maintenance .54
14.1 Security requirements of information systems .54
14.2 Security in development and support processes .57
14.3 Test data .62
15 Supplier relationships .62
15.1 Information security in supplier relationships .62
© ISO/IEC 2013 – All rights reserved iii
---------------------- Page: 5 ----------------------
SIST ISO/IEC 27002:2013
ISO/IEC 27002:2013(E)
15.2 Supplier service delivery management .66
16 Information security incident management .67
16.1 Management of information security incidents and improvements .67
17 Information security aspects of business continuity management .71
17.1 Information security continuity .71
17.2 Redundancies .73
18 Compliance .74
18.1 Compliance with legal and contractual requirements .74
18.2 Information security reviews .77
Bibliography .79
iv © ISO/IEC 2013 – All rights reserved
---------------------- Page: 6 ----------------------
SIST ISO/IEC 27002:2013
ISO/IEC 27002:2013(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been
technically and structurally revised.
© ISO/IEC 2013 – All rights reserved v
---------------------- Page: 7 ----------------------
SIST ISO/IEC 27002:2013
ISO/IEC 27002:2013(E)
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls
within the process of implementing an Information Security Management System (ISMS) based on
[10]
ISO/IEC 27001 or as a guidance document for organizations implementing commonly accepted
information security controls. This standard is also intended for use in developing industry- and
organization-specific information security management guidelines, taking into consideration their
specific information security risk environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-profit)
collect, process, store and transmit information in many forms including electronic, physical and verbal
(e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas
and brands are examples of intangible forms of information. In an interconnected world, information and
related processes, systems, networks and personnel involved in their operation, handling and protection
are assets that, like other important business assets, are valuable to an organization’s business and
consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats while the related processes, systems,
networks and people have inherent vulnerabilities. Changes to business processes and systems or
other external changes (such as new laws and regulations) may create new information security risks.
Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm
the organization, information security risks are always present. Effective information security reduces
these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts
to its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes,
procedures, organizational structures and software and hardware functions. These controls need to
be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the
specific security and business objectives of the organization are met. An ISMS such as that specified in
ISO/IEC 27001 [10] takes a holistic, coordinated view of the organization’s information security risks in
order to implement a comprehensive suite of information security controls under the overall framework
of a coherent management system.
Many information systems have not been designed to be secure in the sense of ISO/IEC 27001 [10] and this
standard. The security that can be achieved through technical means is limited and should be supported
by appropriate management and procedures. Identifying which controls should be in place requires
careful planning and attention to detail. A successful ISMS requires support by all employees in the
organization. It can also require participation from shareholders, suppliers or other external parties.
Specialist advice from external parties can also be needed.
In a more general sense, effective information security also assures management and other stakeholders
that the organization’s assets are reasonably safe and protected against harm, thereby acting as a
business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of
security requirements:
a) the assessment of risks to the organization, taking into account the organization’s overall business
strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to
and likelihood of occurrence is evaluated and potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that an organization, its trading
partners, contractors and service providers have to satisfy, and their socio-cultural environment;
vi © ISO/IEC 2013 – All rights reserved
c) the set of principles, objectives and business requirements for information handling, processing,
storing, communicating and archiving that an organization has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely
to result from security issues in the absence of those controls. The results of a risk assessment will
help guide and determine the appropriate management action and priorities for managing information
security risks and for implementing controls selected to protect against these risks.
ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk
assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed
to meet specific needs as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk
acceptance, risk treatment options and the general risk management approach applied to the organization,
and should also be subject to all relevant national and international legislation and regulations. Control
selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security
management and applicable for most organizations. The controls are explained in more detail below
along with implementation guidance. More information about selecting controls and other risk treatment
options can be found in ISO/IEC 27005 [11].
0.4 Developing your own guidelines
This International Standard may be regarded as a starting point for developing organization-specific
guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore,
additional controls and guidelines not included in this standard may be required. When documents are
developed containing additional guidelines or controls, it may be useful to include cross-references to clauses
in this standard where applicable to facilitate compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and
transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their
lifetime (e.g. unauthorized disclosure or theft of a company’s financial accounts is far less significant after
they have been formally published) but information security remains important to some extent at all stages.
Information systems have lifecycles within which they are conceived, specified, designed, developed,
tested, implemented, used, maintained and eventually retired from service and disposed of. Information
security should be taken into account at every stage. New system developments and changes to existing
systems present opportunities for organizations to update and improve security controls, taking actual
incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are
commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000
family provide complementary advice or requirements on other aspects of the overall process of
managing information security.
Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000
provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of
standards, and describes the scope and objectives for each member of the family.
INTERNATIONAL STANDARD ISO/IEC 27002:2013(E)
Information technology — Security techniques — Code of
practice for information security controls
1 Scope
This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System
based on ISO/IEC 27001 [10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses collectively containing a total of 35 main security
categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances,
security controls from any or all clauses could be important, therefore each organization applying this
standard should identify applicable controls, how important these are and their application to individual
business processes. Furthermore, lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement, to satisfy the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the
control objective. The guidance may not be entirely suitable or sufficient in all situations and may not
fulfil the organization’s specific control requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and
references to other standards. If there is no other information to be provided this part is not shown.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and
communicated to employees and relevant external parties.
Implementation guidance
At the highest level, organizations should define an “information security policy” which is approved by
management and which sets out the organization’s approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to
information security;
b) assignment of general and specific responsibilities for information security management to
defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which
further mandate the implementation of information security controls and are typically structured to
address the needs of certain target groups within an organization or to cover certain topics.
Examples of such policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end user oriented topics such as:
1) acceptable use of assets (see 8.1.3);
2) clear desk and clear screen (see 11.2.9);
3) information transfer (see 13.2.1);
4) mobile devices and teleworking (see 6.2);
5) restrictions on software installations and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).
These policies should be communicated to employees and relevant external parties in a form that is
relevant, accessible and understandable to the intended reader, e.g. in the context of an “information
security awareness, education and training programme” (see 7.2.2).
Other information
The need for internal policies for information security varies across organizations. Internal policies
are especially useful in larger and more complex organizations where those defining and approving
the expected levels of control are segregated from those implementing the controls or in situations
where a policy applies to many different people or functions in the organization. Policies for information
security can be issued in a single “information security policy” document or as a set of individual but
related documents.
If any of the information security policies are distributed outside the organization, care should be taken
not to disclose confidential information.
Some organizations use other terms for these policy documents, such as “Standards”, “Directives” or “Rules”.
5.1.2 Review of the policies for information security
Control
The policies for information security should be reviewed at planned intervals or if significant changes
occur to ensure their continuing suitability, adequacy and effectiveness.
Implementation guidance
Each policy shou
...
INTERNATIONAL STANDARD ISO/IEC 27002
Second edition
2013-10-01
Information technology — Security techniques — Code of practice for information security management
Information technology — Security techniques — Code of practice for information security controls
Reference number
ISO/CEI 27002:2013(F)
© ISO/CEI 2013
ISO/CEI 27002:2013(F)
COPYRIGHT PROTECTED DOCUMENT
© ISO/CEI 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission requests may be addressed to ISO at the address below or to ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/CEI 2013 – All rights reserved
Contents .... Page
Foreword .... v
0 Introduction .... vi
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Structure of this standard .... 1
4.1 Clauses .... 1
4.2 Control categories .... 2
5 Information security policies .... 2
5.1 Management direction for information security .... 2
6 Organization of information security .... 4
6.1 Internal organization .... 4
6.2 Mobile devices and teleworking .... 7
7 Human resource security .... 9
7.1 Prior to employment .... 9
7.2 During employment .... 11
7.3 Termination, end or change of the employment contract .... 14
8 Asset management .... 15
8.1 Responsibility for assets .... 15
8.2 Information classification .... 16
8.3 Media handling .... 19
9 Access control .... 21
9.1 Business requirements of access control .... 21
9.2 User access management .... 23
9.3 User responsibilities .... 27
9.4 System and application access control .... 28
10 Cryptography .... 31
10.1 Cryptographic controls .... 31
11 Physical and environmental security .... 34
11.1 Secure areas .... 34
11.2 Equipment .... 37
12 Operations security .... 42
12.1 Operational procedures and responsibilities .... 42
12.2 Protection from malware .... 46
12.3 Backup .... 47
12.4 Logging and monitoring .... 48
12.5 Control of operational software .... 50
12.6 Technical vulnerability management .... 51
12.7 Information systems audit considerations .... 53
13 Communications security .... 54
13.1 Network security management .... 54
13.2 Information transfer .... 56
14 System acquisition, development and maintenance .... 60
14.1 Security requirements of information systems .... 60
14.2 Security in development and support processes .... 63
14.3 Test data .... 68
15 Supplier relationships .... 69
15.1 Information security in supplier relationships .... 69
15.2 Service delivery management .... 72
16 Information security incident management .... 74
16.1 Management of information security incidents and improvements .... 74
17 Information security aspects of business continuity management .... 78
17.1 Information security continuity .... 78
17.2 Redundancies .... 80
18 Compliance .... 81
18.1 Compliance with legal and regulatory obligations .... 81
18.2 Information security reviews .... 84
Bibliography .... 87
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for having failed to identify such property rights or to warn of their existence.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised.
0 Introduction
0.1 Background and context
This International Standard is intended to serve as a reference tool enabling organizations to select the necessary controls within the process of implementing an information security management system (ISMS) according to ISO/IEC 27001 [10], or as a guide for organizations implementing widely recognized information security controls. This standard is also intended for developing information security management guidelines specific to organizations and enterprises, taking account of their particular information security risk environment(s).
Organizations of all types and sizes (including the public and private sectors, for profit or not for profit) collect, process, store and transmit information in many forms, including electronic, physical and verbal (for example, in conversations and presentations).
The value of information goes beyond words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and the related processes, systems and networks, as well as the personnel involved in its processing, handling and protection, are valuable assets for an organization's business, like other important business assets, and consequently they deserve or require protection against the various risks incurred.
Assets are exposed to both accidental and deliberate threats, while the related processes, systems, networks and people have vulnerabilities of their own. Changes to the organization's processes and systems, or other external changes (such as the application of new laws and regulations), may create new information security risks. Consequently, since threats have a multitude of opportunities to exploit vulnerabilities to harm the organization, information security risks are ever-present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, which in turn reduces the impact on its assets.
Information security is achieved by implementing suitable controls, which include rules, processes, procedures, organizational structures and hardware and software functions. These controls need to be specified, implemented, monitored, reviewed and improved as often as necessary, so as to meet an organization's specific security and business objectives. An information security management system (ISMS) such as that specified in ISO/IEC 27001 [10] takes a global and coordinated view of the organization's information security risks, so as to implement a comprehensive set of information security controls within the overall framework of a coherent management system.
Many information systems have not been designed with security in mind in the sense of ISO/IEC 27001 [10] and this standard. The security that can be implemented by technical means is limited and should be supported by appropriate management means and procedures. Identifying the controls that should be put in place requires careful planning and attention to detail. An effective information security management system requires the commitment of all employees of the organization. It may also require the participation of shareholders, suppliers or other third parties. Likewise, the advice of third-party specialists may prove necessary.
More generally, effective information security also assures management and third parties that the organization's assets are, within reasonable limits, secure and protected from harm, and thereby contributes to the organization's success.
0.2 Information security requirements
An organization must identify its security requirements. These requirements come from three main sources:
a) the risk assessment specific to the organization, taking into account its overall strategy and objectives. The risk assessment identifies the threats to assets, analyses vulnerabilities, measures the likelihood of attacks and evaluates their potential impact;
b) the legal, statutory, regulatory and contractual requirements that the organization and its trading partners, contractors and service providers must meet, as well as their socio-cultural environment;
c) the set of principles, objectives and business requirements for the handling, processing, storage, communication and archiving of information that the organization has established to carry out its activities.
The resources deployed in implementing controls need to be weighed against the damage likely to result from security failures in the absence of those controls. The results of a risk assessment make it possible to define the appropriate management actions and priorities for managing information security risks, and to implement the controls identified to counter those risks.
ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Depending on the case, controls can be selected from this standard or from other guides, or new controls can be specified to meet specific needs.
The selection of controls depends on the decisions taken by the organization according to its risk acceptance criteria, its risk treatment options and its general approach to risk management. Relevant national and international laws and regulations should also be taken into consideration. The selection of security controls also depends on the manner in which controls interact to provide defence in depth.
Some of the controls described in this standard can be considered guiding principles for information security management and applied to most organizations. The controls and implementation guidance are detailed below. More information on selecting controls and other risk treatment options can be found in ISO/IEC 27005 [11].
0.4 Developing guidelines specific to the organization
This International Standard can serve as a basis for developing organization-specific guidelines. Some of the controls and guidelines in this code of practice may not be applicable. Furthermore, controls and guidelines not included in this standard may be necessary. When drafting documents containing additional guidelines or controls, it may be useful to include cross-references to the clauses of this standard, where applicable, to facilitate compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information is subject to a natural lifecycle, from its creation and origination through its storage, processing, use and transmission, to its final destruction or obsolescence. The value of assets and the risks associated with them may vary over the lifetime of those assets (for example, unauthorized disclosure or theft of a company's financial accounts is far less significant after their official publication), but to some extent the importance of information security persists at all stages.
Information systems are subject to lifecycles during which they are conceived, specified, designed, developed, tested, implemented, used, maintained and finally retired from service and disposed of. Information security should be taken into account at every stage. The development of new systems and changes to existing systems give organizations the opportunity to update and improve security controls, taking into account actual incidents and current and anticipated information security risks.
0.6 Related standards
While this International Standard offers guidelines covering a broad range of information security controls in common use in many different organizations, the other standards in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall information security management process.
Refer to ISO/IEC 27000 for a general introduction to information security management systems and to the family of standards. ISO/IEC 27000 provides a glossary, formally defining most of the terms used in the ISO/IEC 27000 family of standards, and describes the scope and objectives of each member of that family.
INTERNATIONAL STANDARD ISO/CEI 27002:2013(F)
Information technology — Security techniques — Code of practice for information security management
1 Scope
This International Standard gives guidelines for organizational information security standards and good information security management practices, including the selection, implementation and management of security controls taking into account the organization's information security risk environment(s).
This International Standard is intended for organizations wishing
a) to select the necessary controls within the process of implementing an information security management system (ISMS) according to ISO/IEC 27001 [10];
b) to implement widely recognized information security controls;
c) to develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 clauses on security controls, comprising a total of 35 main security categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard has no bearing on their importance. Depending on the circumstances, security controls from any or all of the clauses may prove important: consequently, each organization applying this standard should identify the appropriate controls, their importance and their application to the targeted business processes. More generally, the lists in this standard are not arranged in order of priority.
4.2 Control categories
Each main control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement, to satisfy the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the control objective. The guidance may not be entirely suitable or sufficient in all situations and may not fulfil the organization's specific security requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided, this part is not shown.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
Implementation guidance
At the highest level, organizations should define an "information security policy" which is approved by management and which sets out the approach adopted for managing the information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) a definition of information security, its objectives and principles to guide all activities relating to information security;
b) the assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are generally structured to address the needs of certain target groups within an organization or to cover certain topics.
Here are
...
SLOVENIAN STANDARD SIST ISO/IEC 27002
November 2013
Informacijska tehnologija – Varnostne tehnike – Pravila obnašanja pri kontrolah informacijske varnosti
Information technology – Security techniques – Code of practice for information security controls
Technologies de l'information – Techniques de sécurité – Code de bonne pratique pour le management de la sécurité de l'information
Reference designation: SIST ISO/IEC 27002:2013 (sl)
ICS 35.040
Continued on pages 2 to 84
© 2014-02. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
SIST ISO/IEC 27002 : 2013
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27002 (sl), Information technology – Security techniques – Code of practice for information security management, 2013, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27002 (en), Information technology – Security techniques – Code of practice for information security management, second edition, 2013-10-01.
NATIONAL FOREWORD
The international standard ISO/IEC 27002:2013 was prepared by subcommittee ISO/IEC JTC 1/SC 27 IT Security techniques of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27002:2013 is a translation of the international standard ISO/IEC 27002:2013. In the event of a dispute over the wording of the Slovenian translation, the original international standard in English is decisive. The Slovenian standard SIST ISO/IEC 27002:2013 was prepared by the technical committee SIST/TC ITC Information technology.
The decision to issue this standard was taken by SIST/TC ITC Information technology on 25 October 2013.
RELATIONSHIP TO NATIONAL STANDARDS
With the adoption of this European standard, all standards listed in the original apply for the limited purpose of reference standards, except for those standards that have already been adopted into national standardization:
SIST ISO/IEC 27000 Information technology – Security techniques – Information security management systems – Overview and vocabulary
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27002:2013
PREVIOUS EDITION
– SIST ISO/IEC 27002:2008
NOTES
– Wherever the term "International Standard" is used in the text of the standard, in SIST ISO/IEC 27002:2013 it means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
CONTENTS Page
Foreword . 7
0 Introduction . 8
0.1 Background and context . 8
0.2 Information security requirements . 8
0.3 Selecting controls . 9
0.4 Developing your own guidelines . 9
0.5 Lifecycle considerations . 9
0.6 Related standards . 9
1 Scope . 10
2 Normative references . 10
3 Terms and definitions . 10
4 Structure of this standard . 10
4.1 Clauses . 10
4.2 Control categories . 10
5 Information security policies . 11
5.1 Management direction for information security . 11
5.1.1 Policies for information security . 11
5.1.2 Review of the policies for information security . 12
6 Organization of information security . 12
6.1 Internal organization . 12
6.1.1 Information security roles and responsibilities . 12
6.1.2 Segregation of duties . 13
6.1.3 Contact with authorities . 13
6.1.4 Contact with special interest groups . 14
6.1.5 Information security in project management . 14
6.2 Mobile devices and teleworking . 15
6.2.1 Mobile device policy . 15
6.2.2 Teleworking . 16
7 Human resource security . 17
7.1 Prior to employment . 17
7.1.1 Screening . 17
7.1.2 Terms and conditions of employment . 18
7.2 During employment . 19
7.2.1 Management responsibilities . 19
7.2.2 Information security awareness, education and training . 19
7.2.3 Disciplinary process . 20
7.3 Termination or change of employment . 21
7.3.1 Termination or change of employment responsibilities . 21
8 Asset management . 21
8.1 Responsibility for assets . 21
8.1.1 Inventory of assets . 21
8.1.2 Ownership of assets . 22
8.1.3 Acceptable use of assets . 22
8.1.4 Return of assets . 23
8.2 Information classification . 23
8.2.1 Classification of information . 23
8.2.2 Labelling of information . 24
8.2.3 Handling of assets . 24
8.3 Media handling . 25
8.3.1 Management of removable media . 25
8.3.2 Disposal of media . 25
8.3.3 Physical media transfer . 26
9 Access control . 27
9.1 Access control . 27
9.1.1 Access control policy . 27
9.1.2 Access to networks and network services . 28
9.2 User access management . 28
9.2.1 User registration and de-registration . 28
9.2.2 User access provisioning . 29
9.2.3 Management of privileged access rights . 29
9.2.4 Management of secret authentication information of users . 30
9.2.5 Review of user access rights . 31
9.2.6 Removal or adjustment of access rights . 31
9.3 User responsibilities . 32
9.3.1 Use of secret authentication information . 32
9.4 System and application access control . 33
9.4.1 Information access restriction . 33
9.4.2 Secure log-on procedures . 33
9.4.3 Password management system . 34
9.4.4 Use of privileged utility programs . 34
9.4.5 Access control to program source code . 35
10 Cryptography . 36
10.1 Cryptographic controls . 36
10.1.1 Policy on the use of cryptographic controls . 36
10.1.2 Key management . 37
11 Physical and environmental security . 38
11.1 Secure areas . 38
11.1.1 Physical security perimeter . 38
11.1.2 Physical entry controls . 39
11.1.3 Securing offices, rooms and facilities . 39
11.1.4 Protecting against external and environmental threats . 40
11.1.5 Working in secure areas . 40
11.1.6 Delivery and loading areas . 40
11.2 Equipment . 40
11.2.1 Equipment siting and protection . 41
11.2.2 Supporting utilities . 41
11.2.3 Cabling security . 42
11.2.4 Equipment maintenance . 42
11.2.5 Removal of assets . 42
11.2.6 Security of equipment and assets off-premises . 43
11.2.7 Secure disposal or re-use of equipment . 43
11.2.8 Unattended user equipment . 44
11.2.9 Clear desk and clear screen policy . 44
12 Operations security . 45
12.1 Operational procedures and responsibilities . 45
12.1.1 Documented operating procedures . 45
12.1.2 Change management . 46
12.1.3 Capacity management . 46
12.1.4 Separation of development, testing and operational environments . 47
12.2 Protection from malware . 48
12.2.1 Controls against malware . 48
12.3 Backup . 49
12.3.1 Information backup . 49
12.4 Logging and monitoring . 50
12.4.1 Event logging . 50
12.4.2 Protection of log information . 51
12.4.3 Administrator and operator logs . 51
12.4.4 Clock synchronization . 51
12.5 Control of operational software . 52
12.5.1 Installation of software on operational systems . 52
12.6 Technical vulnerability management . 53
12.6.1 Management of technical vulnerabilities . 53
12.6.2 Restrictions on software installation . 54
12.7 Information systems audit considerations . 54
12.7.1 Information systems audit controls . 55
13 Communications security . 55
13.1 Network security management . 55
13.1.1 Network controls . 55
13.1.2 Security of network services . 56
13.1.3 Segregation in networks . 56
13.2 Information transfer . 57
13.2.1 Information transfer policies and procedures . 57
13.2.2 Agreements on information transfer . 58
13.2.3 Electronic messaging . 58
13.2.4 Confidentiality or non-disclosure agreements . 59
14 System acquisition, development and maintenance . 60
14.1 Security requirements of information systems . 60
14.1.1 Information security requirements analysis and specification . 60
14.1.2 Securing application services on public networks . 61
14.1.3 Protecting application services transactions . 62
14.2 Security in development and support processes . 62
14.2.1 Secure development policy . 62
14.2.2 System change control procedures . 63
14.2.3 Technical review of applications after operating system changes . 64
14.2.4 Restrictions on changes to software packages . 64
14.2.5 Secure system engineering principles . 65
14.2.6 Secure development environment . 65
14.2.7 Outsourced development . 66
14.2.8 System security testing . 66
14.2.9 System acceptance testing . 67
14.3 Test data . 67
14.3.1 Protection of test data . 67
15 Supplier relationships . 67
15.1 Information security in supplier relationships . 67
15.1.1 Information security policy for supplier relationships . 68
15.1.2 Addressing security within supplier agreements . 69
15.1.3 Information and communication technology supply chain . 70
15.2 Supplier service delivery management . 70
15.2.1 Monitoring and review of supplier services . 71
15.2.2 Managing changes to supplier services . 71
16 Information security incident management . 72
16.1 Management of information security incidents and improvements . 72
16.1.1 Responsibilities and procedures . 72
16.1.2 Reporting information security events . 73
16.1.3 Reporting information security weaknesses . 74
16.1.4 Assessment of and decision on information security events . 74
16.1.5 Response to information security incidents . 74
16.1.6 Learning from information security incidents . 75
16.1.7 Collection of evidence . 75
17 Information security aspects of business continuity management . 76
17.1 Information security continuity . 76
17.1.1 Planning information security continuity . 76
17.1.2 Implementing information security continuity . 77
17.1.3 Verify, review and evaluate information security continuity . 77
17.2 Redundancies . 78
17.2.1 Availability of information processing facilities . 78
18 Compliance . 78
18.1 Compliance with legal and contractual requirements . 78
18.1.1 Identification of applicable legislation and contractual requirements . 78
18.1.2 Intellectual property rights . 79
18.1.3 Protection of records . 80
18.1.4 Privacy and protection of personally identifiable information . 80
18.1.5 Use of cryptographic controls . 81
18.2 Information security reviews . 81
18.2.1 Independent review of information security . 81
18.2.2 Compliance with security policies and standards . 82
18.2.3 Technical compliance review . 82
Bibliography . 84
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international, governmental and non-governmental organizations, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised.
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an information security management system (ISMS) based on ISO/IEC 27001 [10], or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing information security management guidelines within industries and organizations, taking into account the specific characteristics of their information security risk environment.
Organizations of all types and sizes (including public and private
...
SLOVENIAN STANDARD
oSIST ISO/IEC FDIS 27002:2013
01 September 2013
Informacijska tehnologija - Varnostne tehnike - Pravila obnašanja pri nadzoru informacijske varnosti
Information technology -- Security techniques -- Code of practice for information security controls
Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour le management de la sécurité de l'information
This Slovenian standard is identical to: ISO/IEC FDIS 27002
ICS: 35.040 Character sets and information coding
oSIST ISO/IEC FDIS 27002:2013 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27002
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2013-07-03
Voting terminates on: 2013-09-03
Information technology — Security techniques — Code of practice for information security controls
Technologies de l’information — Techniques de sécurité — Code de bonne pratique pour le management de la sécurité de l’information
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number ISO/IEC FDIS 27002:2013(E)
© ISO/IEC 2013
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved
Contents Page
Foreword . v
0 Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this standard . 1
4.1 Clauses . 1
4.2 Control categories . 1
5 Information security policies . 2
5.1 Management direction for information security . 2
6 Organization of information security . 4
6.1 Internal organization . 4
6.2 Mobile devices and teleworking . 6
7 Human resource security . 9
7.1 Prior to employment . 9
7.2 During employment . 10
7.3 Termination and change of employment . 13
8 Asset management . 13
8.1 Responsibility for assets . 13
8.2 Information classification . 15
8.3 Media handling . 17
9 Access control . 19
9.1 Business requirements of access control . 19
9.2 User access management . 21
9.3 User responsibilities . 24
9.4 System and application access control . 25
10 Cryptography . 28
10.1 Cryptographic controls . 28
11 Physical and environmental security . 30
11.1 Secure areas . 30
11.2 Equipment . 33
12 Operations security . 38
12.1 Operational procedures and responsibilities . 38
12.2 Protection from malware . 41
12.3 Backup . 42
12.4 Logging and monitoring . 43
12.5 Control of operational software . 45
12.6 Technical vulnerability management . 46
12.7 Information systems audit considerations . 48
13 Communications security . 49
13.1 Network security management . 49
13.2 Information transfer . 50
14 System acquisition, development and maintenance . 54
14.1 Security requirements of information systems . 54
14.2 Security in development and support processes . 57
14.3 Test data . 62
15 Supplier relationships . 62
15.1 Information security in supplier relationships . 62
15.2 Supplier service delivery management . 66
16 Information security incident management . 67
16.1 Management of information security incidents and improvements . 67
17 Information security aspects of business continuity management . 71
17.1 Information security continuity . 71
17.2 Redundancies . 73
18 Compliance . 74
18.1 Compliance with legal and contractual requirements . 74
18.2 Information security reviews . 77
Bibliography . 80
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been
technically and structurally revised.
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls
within the process of implementing an Information Security Management System (ISMS) based on
ISO/IEC 27001 [10] or as a guidance document for organizations implementing commonly accepted
information security controls. This standard is also intended for use in developing industry- and
organization-specific information security management guidelines, taking into consideration their
specific information security risk environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-profit)
collect, process, store and transmit information in many forms including electronic, physical and verbal
(e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas
and brands are examples of intangible forms of information. In an interconnected world, information and
related processes, systems, networks and personnel involved in their operation, handling and protection
are assets that, like other important business assets, are valuable to an organization’s business and
consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats while the related processes, systems,
networks and people have inherent vulnerabilities. Changes to business processes and systems or
other external changes (such as new laws and regulations) may create new information security risks.
Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm
the organization, information security risks are always present. Effective information security reduces
these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts
to its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes,
procedures, organizational structures and software and hardware functions. These controls need to
be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the
specific security and business objectives of the organization are met. An ISMS such as that specified in
ISO/IEC 27001 [10] takes a holistic, coordinated view of the organization’s information security risks in
order to implement a comprehensive suite of information security controls under the overall framework
of a coherent management system.
Many information systems have not been designed to be secure in the sense of ISO/IEC 27001 [10] and this
standard. The security that can be achieved through technical means is limited and should be supported
by appropriate management and procedures. Identifying which controls should be in place requires
careful planning and attention to detail. A successful ISMS requires support by all employees in the
organization. It can also require participation from shareholders, suppliers or other external parties.
Specialist advice from external parties can also be needed.
In a more general sense, effective information security also assures management and other stakeholders
that the organization’s assets are reasonably safe and protected against harm, thereby acting as a
business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of
security requirements:
a) assessing risks to the organization, taking into account the organization’s overall business strategy
and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and
likelihood of occurrence is evaluated and potential impact is estimated;
b) legal, statutory, regulatory and contractual requirements that an organization, its trading partners,
contractors and service providers have to satisfy, and their socio-cultural environment;
c) set of principles, objectives and business requirements for information handling, processing,
storing, communicating and archiving that an organization has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely
to result from security issues in the absence of those controls. The results of a risk assessment will
help guide and determine the appropriate management action and priorities for managing information
security risks and for implementing controls selected to protect against these risks.
ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk
assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed
to meet specific needs as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk
acceptance, risk treatment options and the general risk management approach applied to the organization,
and should also be subject to all relevant national and international legislation and regulations. Control
selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security
management and applicable for most organizations. The controls are explained in more detail below
along with implementation guidance. More information about selecting controls and other risk treatment
options can be found in ISO/IEC 27005 [11].
0.4 Developing your own guidelines
This International Standard may be regarded as a starting point for developing organization-specific
guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore,
additional controls and guidelines not included in this standard may be required. When documents are
developed containing additional guidelines or controls, it may be useful to include cross-references to clauses
in this standard where applicable to facilitate compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and
transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their
lifetime (e.g. unauthorized disclosure or theft of a company’s financial accounts is far less significant after
they have been formally published) but information security remains important to some extent at all stages.
Information systems have lifecycles within which they are conceived, specified, designed, developed,
tested, implemented, used, maintained and eventually retired from service and disposed of. Information
security should be taken into account at every stage. New system developments and changes to existing
systems present opportunities for organizations to update and improve security controls, taking actual
incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are
commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000
family provide complementary advice or requirements on other aspects of the overall process of
managing information security.
Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000
provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of
standards, and describes the scope and objectives for each member of the family.
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27002:2013(E)
Information technology — Security techniques — Code of
practice for information security controls
1 Scope
This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System
based on ISO/IEC 27001 [10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses collectively containing a total of 35 main security
categories and 113 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances,
security controls from any or all clauses could be important, therefore each organization applying this
standard should identify applicable controls, how important these are and their application to individual
business processes. Furthermore, lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement, to satisfy the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the
control objectives. The guidance may not be entirely suitable or sufficient in all situations and may not
fulfil the organization’s specific control requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and
references to other standards. If there is no other information to be provided this part is not shown.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and
communicated to employees and relevant external parties.
Implementation guidance
At the highest level, organizations should define an “information security policy” which is approved by
management and which sets out the organization’s approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to
information security;
b) assignment of general and specific responsibilities for information security management to
defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which
further mandate the implementation of information security controls and are typically structured to
address the needs of certain target groups within an organization or to cover certain topics.
Examples of such detailed policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end user oriented topics such as:
1) acceptable use of assets (see 8.1.3);
2) clear desk and clear screen (see 11.2.9);
3) information transfer (see 13.2.1);
4) mobile devices and teleworking (see 6.2);
5) restrictions on software installations and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).
These policies should be communicated to employees and relevant external parties in a form that is
relevant, accessible and understandable to the intended reader, e.g. in the context of an “information
security awareness, education and training programme” (see 7.2.2).
Other information
The need for internal policies for information security varies across organizations. Internal policies
are especially useful in larger and more complex organizations where those defining and approving
the expected levels of control are segregated from those implementing the controls or in situations
where a policy applies to many different people or functions
...