iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 17799:2005

(Main)

Information technology — Security techniques — Code of practice for information security management

Information technology — Security techniques — Code of practice for information security management

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance. The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour la gestion de la sécurité de l'information

L'ISO/CEI 17799:2005 établit des lignes directrices et des principes généraux pour préparer, mettre en oeuvre, entretenir et améliorer la gestion de la sécurité de l'information au sein d'un organisme. Les objectifs esquissés fournissent une orientation générale sur les buts acceptés communément dans la gestion de la sécurité de l'information. L'ISO/CEI 17799:2005 est un code de bonne pratique pour les objectifs et mesures, dans les catégories suivantes de la gestion de la sécurité de l'information: politique de sécurité; organisation de la sécurité de l'information; gestion des biens; sécurité liée aux ressources humaines; sécurité physique et environnementale; gestion opérationnelle et gestion de la communication; contrôle d'accès; acquisition, développement et maintenance des systèmes d'information; gestion des incidents liés à la sécurité de l'information; gestion de la continuité de l'activité; conformité. Les objectifs et mesures décrits dans l'ISO/CEI 17799:2005 sont destinés à être mis en oeuvre pour répondre aux exigences identifiées par une évaluation du risque. L'ISO/CEI 17799:2005 est prévue comme base commune et ligne directrice pratique pour élaborer les référentiels de sécurité de l'organisation, mettre en oeuvre les pratiques efficaces de la gestion de la sécurité, et participer au développement de la confiance dans les activités entre organismes.

Information technology -- Security techniques -- Code of practice for information security management

General Information

Status
Withdrawn
Publication Date
09-Jun-2005
Withdrawal Date
09-Jun-2005
ICS
35.030 - IT Security
35.040 - Information coding
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Current Stage
9599 - Withdrawal of International Standard
Completion Date
03-Jun-2010
Ref Project
oSIST ISO/IEC 17799:2005 - Information technology -- Security techniques -- Code of practice for information security management

Relations

Revised
ISO/IEC 27002:2005 - Information technology — Security techniques — Code of practice for information security management
Effective Date
15-Apr-2008
Revises
ISO/IEC 17799:2000 - Information technology — Code of practice for information security management
Effective Date
15-Apr-2008
Revised
SIST ISO/IEC 17799:2003 - Information technology -- Code of practice for information security management
Effective Date
12-May-2008

Buy Standard

ISO/IEC 17799:2005 - Information technology -- Security techniques -- Code of practice for information security managementISO/IEC 17799:2005 - Information technology -- Security techniques -- Code of practice for information security management
PreviousNext
Standard
ISO/IEC 17799:2005 - Information technology -- Security techniques -- Code of practice for information security management
English language
115 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC 17799:2005 - Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour la gestion de la sécurité de l'informationISO/IEC 17799:2005 - Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour la gestion de la sécurité de l'information
PreviousNext
Standard
ISO/IEC 17799:2005 - Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour la gestion de la sécurité de l'information
French language
112 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC 17799:2005ISO/IEC 17799:2005
PreviousNext
Draft
ISO/IEC 17799:2005
English language
115 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 17799
Second edition
2005-06-15


Information technology — Security
techniques — Code of practice for
information security management
Technologies de l'information — Techniques de sécurité — Code de
pratique pour la gestion de sécurité d'information




Reference number
ISO/IEC 17799:2005(E)
©
ISO/IEC 2005

---------------------- Page: 1 ----------------------
ISO/IEC 17799:2005(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2005 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC17799:2005(E)
Contents                                                Page

FOREWORD. VII
0 INTRODUCTION . VIII
0.1 WHAT IS INFORMATION SECURITY?.VIII

0.2 WHY INFORMATION SECURITY IS NEEDED? .VIII
0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS .IX
0.4 ASSESSING SECURITY RISKS . IX
0.5 SELECTING CONTROLS. IX
0.6 INFORMATION SECURITY STARTING POINT. IX
0.7 CRITICAL SUCCESS FACTORS . X
0.8 DEVELOPING YOUR OWN GUIDELINES . XI
1 SCOPE. 1
2 TERMS AND DEFINITIONS . 1
3 STRUCTURE OF THIS STANDARD. 4
3.1 CLAUSES . 4
3.2 MAIN SECURITY CATEGORIES. 4
4 RISK ASSESSMENT AND TREATMENT . 5
4.1 ASSESSING SECURITY RISKS . 5
4.2 TREATING SECURITY RISKS. 5
5 SECURITY POLICY . 7
5.1 INFORMATION SECURITY POLICY. 7
5.1.1 Information security policy document . 7
5.1.2 Review of the information security policy. 8
6 ORGANIZATION OF INFORMATION SECURITY. 9
6.1 INTERNAL ORGANIZATION. 9
6.1.1 Management commitment to information security. 9
6.1.2 Information security co-ordination. 10
6.1.3 Allocation of information security responsibilities. 10
6.1.4 Authorization process for information processing facilities. 11
6.1.5 Confidentiality agreements. 11
6.1.6 Contact with authorities . 12
6.1.7 Contact with special interest groups . 12
6.1.8 Independent review of information security . 13
6.2 EXTERNAL PARTIES . 14
6.2.1 Identification of risks related to external parties. 14
6.2.2 Addressing security when dealing with customers . 15
6.2.3 Addressing security in third party agreements . 16
7 ASSET MANAGEMENT. 19
7.1 RESPONSIBILITY FOR ASSETS. 19
7.1.1 Inventory of assets . 19
7.1.2 Ownership of assets . 20
7.1.3 Acceptable use of assets. 20
7.2 INFORMATION CLASSIFICATION. 21
7.2.1 Classification guidelines. 21
7.2.2 Information labeling and handling. 21
8 HUMAN RESOURCES SECURITY . 23
8.1 PRIOR TO EMPLOYMENT . 23
8.1.1 Roles and responsibilities . 23
© ISO/IEC 2005 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 17799:2005(E)
8.1.2 Screening . 23

8.1.3 Terms and conditions of employment . 24
8.2 DURING EMPLOYMENT . 25
8.2.1 Management responsibilities . 25
8.2.2 Information security awareness, education, and training . 26
8.2.3 Disciplinary process . 26
8.3 TERMINATION OR CHANGE OF EMPLOYMENT. 27
8.3.1 Termination responsibilities . 27
8.3.2 Return of assets. 27
8.3.3 Removal of access rights . 28
9 PHYSICAL AND ENVIRONMENTAL SECURITY . 29
9.1 SECURE AREAS . 29
9.1.1 Physical security perimeter . 29
9.1.2 Physical entry controls . 30
9.1.3 Securing offices, rooms, and facilities . 30
9.1.4 Protecting against external and environmental threats. 31
9.1.5 Working in secure areas . 31
9.1.6 Public access, delivery, and loading areas. 32
9.2 EQUIPMENT SECURITY. 32
9.2.1 Equipment siting and protection. 32
9.2.2 Supporting utilities . 33
9.2.3 Cabling security. 34
9.2.4 Equipment maintenance. 34
9.2.5 Security of equipment off-premises. 35
9.2.6 Secure disposal or re-use of equipment. 35
9.2.7 Removal of property . 36
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT. 37
10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES . 37
10.1.1 Documented operating procedures. 37
10.1.2 Change management . 37
10.1.3 Segregation of duties . 38
10.1.4 Separation of development, test, and operational facilities. 38
10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT . 39
10.2.1 Service delivery. 39
10.2.2 Monitoring and review of third party services. 40
10.2.3 Managing changes to third party services. 40
10.3 SYSTEM PLANNING AND ACCEPTANCE. 41
10.3.1 Capacity management . 41
10.3.2 System acceptance . 41
10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE. 42
10.4.1 Controls against malicious code. 42
10.4.2 Controls against mobile code . 43
10.5 BACK-UP . 44
10.5.1 Information back-up . 44
10.6 NETWORK SECURITY MANAGEMENT. 45
10.6.1 Network controls. 45
10.6.2 Security of network services . 46
10.7 MEDIA HANDLING . 46
10.7.1 Management of removable media. 46
10.7.2 Disposal of media . 47
10.7.3 Information handling procedures . 47
10.7.4 Security of system documentation. 48
10.8 EXCHANGE OF INFORMATION . 48
10.8.1 Information exchange policies and procedures. 49
10.8.2 Exchange agreements . 50
10.8.3 Physical media in transit . 51
10.8.4 Electronic messaging. 52
10.8.5 Business information systems . 52
iv © ISO/IEC 2005 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 17799:2005(E)
10.9 ELECTRONIC COMMERCE SERVICES . 53

10.9.1 Electronic commerce . 53
10.9.2 On-Line Transactions . 54
10.9.3 Publicly available information . 55
10.10 MONITORING. 55
10.10.1 Audit logging . 55
10.10.2 Monitoring system use . 56
10.10.3 Protection of log information . 57
10.10.4 Administrator and operator logs . 58
10.10.5 Fault logging . 58
10.10.6 Clock synchronization . 58
11 ACCESS CONTROL . 60
11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL . 60
11.1.1 Access control policy . 60
11.2 USER ACCESS MANAGEMENT. 61
11.2.1 User registration. 61
11.2.2 Privilege management . 62
11.2.3 User password management. 62
11.2.4 Review of user access rights . 63
11.3 USER RESPONSIBILITIES. 63
11.3.1 Password use . 64
11.3.2 Unattended user equipment . 64
11.3.3 Clear desk and clear screen policy. 65
11.4 NETWORK ACCESS CONTROL. 65
11.4.1 Policy on use of network services . 66
11.4.2 User authentication for external connections. 66
11.4.3 Equipment identification in networks . 67
11.4.4 Remote diagnostic and configuration port protection . 67
11.4.5 Segregation in networks . 68
11.4.6 Network connection control. 68
11.4.7 Network routing control . 69
11.5 OPERATING SYSTEM ACCESS CONTROL. 69
11.5.1 Secure log-on procedures . 69
11.5.2 User identification and authentication . 70
11.5.3 Password management system. 71
11.5.4 Use of system utilities . 72
11.5.5 Session time-out. 72
11.5.6 Limitation of connection time . 72
11.6 APPLICATION AND INFORMATION ACCESS CONTROL . 73
11.6.1 Information access restriction . 73
11.6.2 Sensitive system isolation . 74
11.7 MOBILE COMPUTING AND TELEWORKING. 74
11.7.1 Mobile computing and communications . 74
11.7.2 Teleworking . 75
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE. 77
12.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS. 77
12.1.1 Security requirements analysis and specification. 77
12.2 CORRECT PROCESSING IN APPLICATIONS . 78
12.2.1 Input data validation. 78
12.2.2 Control of internal processing. 78
12.2.3 Message integrity. 79
12.2.4 Output data validation. 79
12.3 CRYPTOGRAPHIC CONTROLS . 80
12.3.1 Policy on the use of cryptographic controls . 80
12.3.2 Key management. 81
12.4 SECURITY OF SYSTEM FILES. 83
12.4.1 Control of operational software . 83
12.4.2 Protection of system test data . 84
© ISO/IEC 2005 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 17799:2005(E)
12.4.3 Access control to program source code. 84
12.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES . 85
12.5.1 Change control procedures . 85
12.5.2 Technical review of applications after operating system changes. 86
12.5.3 Restrictions on changes to software packages. 86
12.5.4 Information leakage. 87
12.5.5 Outsourced software development. 87
12.6 TECHNICAL VULNERABILITY MANAGEMENT . 88
12.6.1 Control of technical vulnerabilities . 88
13 INFORMATION SECURITY INCIDENT MANAGEMENT . 90
13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES. 90
13.1.1 Reporting information security events. 90
13.1.2 Reporting security weaknesses . 91
13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS . 91
13.2.1 Responsibilities and procedures . 92
13.2.2 Learning from information security incidents . 93
13.2.3 Collection of evidence. 93
14 BUSINESS CONTINUITY MANAGEMENT . 95
14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT . 95
14.1.1 Including information security in the business continuity management process. 95
14.1.2 Business continuity and risk assessment. 96
14.1.3 Developing and implementing continuity plans including information security . 96
14.1.4 Business continuity planning framework. 97
14.1.5 Testing, maintaining and re-assessing business continuity plans. 98
15 COMPLIANCE. 100
15.1 COMPLIANCE WITH LEGAL REQUIREMENTS . 100
15.1.1 Identification of applicable legislation . 100
15.1.2 Intellectual property rights (IPR) . 100
15.1.3 Protection of organizational records. 101
15.1.4 Data protection and privacy of personal information . 102
15.1.5 Prevention of misuse of information processing facilities . 102
15.1.6 Regulation of cryptographic controls .
...

NORME ISO/CEI
INTERNATIONALE 17799
Deuxième édition
2005-06-15


Technologies de l'information —
Techniques de sécurité — Code de bonne
pratique pour la gestion de la sécurité de
l'information
Information technology — Security techniques — Code of practice for
information security management




Numéro de référence
ISO/CEI 17799:2005(F)
©
ISO/CEI 2005

---------------------- Page: 1 ----------------------
ISO/CEI 17799:2005(F)
PDF – Exonération de responsabilité
Le présent fichier PDF peut contenir des polices de caractères intégrées. Conformément aux conditions de licence d'Adobe, ce fichier
peut être imprimé ou visualisé, mais ne doit pas être modifié à moins que l'ordinateur employé à cet effet ne bénéficie d'une licence
autorisant l'utilisation de ces polices et que celles-ci y soient installées. Lors du téléchargement de ce fichier, les parties concernées
acceptent de fait la responsabilité de ne pas enfreindre les conditions de licence d'Adobe. Le Secrétariat central de l'ISO décline toute
responsabilité en la matière.
Adobe est une marque déposée d'Adobe Systems Incorporated.
Les détails relatifs aux produits logiciels utilisés pour la création du présent fichier PDF sont disponibles dans la rubrique General Info
du fichier; les paramètres de création PDF ont été optimisés pour l'impression. Toutes les mesures ont été prises pour garantir
l'exploitation de ce fichier par les comités membres de l'ISO. Dans le cas peu probable où surviendrait un problème d'utilisation,
veuillez en informer le Secrétariat central à l'adresse donnée ci-dessous.


©  ISO/CEI 2005
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax. + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Publié en Suisse

ii © ISO/CEI 2005 – Tous droits réservés

---------------------- Page: 2 ----------------------
ISO/CEI 17799:2005(F)
Sommaire Page
Avant-propos. vii
0 Introduction . viii
1 Domaine d'application. 1
2 Termes et définitions. 1
3 Structure de la présente Norme internationale .3
3.1 Articles. 3
3.2 Principales rubriques. 4
4 Appréciation et traitement du risque. 4
4.1 Appréciation du risque lié à la sécurité. 4
4.2 Traitement du risque lié à la sécurité . 5
5 Politique de sécurité. 6
5.1 Politique de sécurité de l’information. 6
5.1.1 Document de politique de sécurité de l’information. 6
5.1.2 Réexamen de la politique de sécurité de l’information . 7
6 Organisation de la sécurité de l’information . 8
6.1 Organisation interne. 8
6.1.1 Engagement de la direction vis-à-vis de la sécurité de l’information . 8
6.1.2 Coordination de la sécurité de l’information . 9
6.1.3 Attribution des responsabilités en matière de sécurité de l’information . 9
6.1.4 Système d’autorisation concernant les moyens de traitement de l’information . 10
6.1.5 Engagements de confidentialité. 10
6.1.6 Relations avec les autorités . 11
6.1.7 Relations avec des groupes de spécialistes . 12
6.1.8 Revue indépendante de la sécurité de l’information . 12
6.2 Tiers. 13
6.2.1 Identification des risques provenant des tiers . 13
6.2.2 La sécurité et les clients . 15
6.2.3 La sécurité dans les accords conclus avec des tiers. 16
7 Gestion des biens. 18
7.1 Responsabilités relatives aux biens. 18
7.1.1 Inventaire des biens . 19
7.1.2 Propriété des biens. 20
7.1.3 Utilisation correcte des biens. 20
7.2 Classification des informations . 21
7.2.1 Lignes directrices pour la classification . 21
7.2.2 Marquage et manipulation de l’information . 22
8 Sécurité liée aux ressources humaines . 22
8.1 Avant le recrutement . 22
8.1.1 Rôles et responsabilités. 22
8.1.2 Sélection. 23
8.1.3 Conditions d’embauche . 24
8.2 Pendant la durée du contrat . 25
8.2.1 Responsabilités de la direction. 25
8.2.2 Sensibilisation, qualification et formations en matière de sécurité de l’information. 26
8.2.3 Processus disciplinaire. 26
8.3 Fin ou modification de contrat . 27
8.3.1 Responsabilités en fin de contrat . 27
8.3.2 Restitution des biens. 27
© ISO/CEI 2005 – Tous droits réservés iii

---------------------- Page: 3 ----------------------
ISO/CEI 17799:2005(F)
8.3.3 Retrait des droits d’accès . 28
9 Sécurité physique et environnementale . 29
9.1 Zones sécurisées. 29
9.1.1 Périmètre de sécurité physique. 29
9.1.2 Contrôles physiques des accès . 30
9.1.3 Sécurisation des bureaux, des salles et des équipements . 30
9.1.4 Protection contre les menaces extérieures et environnementales . 31
9.1.5 Travail dans les zones sécurisées . 31
9.1.6 Zones d’accès public, de livraison et de chargement. 32
9.2 Sécurité du matériel. 32
9.2.1 Choix de l’emplacement et protection du matériel.33
9.2.2 Services généraux. 33
9.2.3 Sécurité du câblage . 34
9.2.4 Maintenance du matériel . 35
9.2.5 Sécurité du matériel hors des locaux . 35
9.2.6 Mise au rebut ou recyclage sécurisé(e) du matériel . 36
9.2.7 Sortie d’un bien . 36
10 Gestion de l’exploitation et des télécommunications. 37
10.1 Procédures et responsabilités liées à l’exploitation .37
10.1.1 Procédures d’exploitation documentées. 37
10.1.2 Gestion des modifications . 38
10.1.3 Séparation des tâches . 38
10.1.4 Séparation des équipements de développement, de test et d’exploitation. 39
10.2 Gestion de la prestation de service par un tiers. 40
10.2.1 Prestation de service . 40
10.2.2 Surveillance et réexamen des services tiers. 40
10.2.3 Gestion des modifications dans les services tiers . 41
10.3 Planification et acceptation du système. 42
10.3.1 Dimensionnement . 42
10.3.2 Acceptation du système. 42
10.4 Protection contre les codes malveillant et mobile .43
10.4.1 Mesures contre les codes malveillants . 43
10.4.2 Mesures contre le code mobile. 44
10.5 Sauvegarde. 45
10.5.1 Sauvegarde des informations. 45
10.6 Gestion de la sécurité des réseaux. 46
10.6.1 Mesures sur les réseaux . 46
10.6.2 Sécurité des services réseau. 47
10.7 Manipulation des supports . 48
10.7.1 Gestion des supports amovibles. 48
10.7.2 Mise au rebut des supports . 48
10.7.3 Procédures de manipulation des informations. 49
10.7.4 Sécurité de la documentation système . 50
10.8 Échange des informations . 50
10.8.1 Politiques et procédures d’échange des informations . 50
10.8.2 Accords d’échange. 52
10.8.3 Supports physiques en transit . 53
10.8.4 Messagerie électronique. 54
10.8.5 Systèmes d’information d’entreprise. 54
10.9 Services de commerce électronique. 55
10.9.1 Commerce électronique. 55
10.9.2 Transactions en ligne . 56
10.9.3 Informations à disposition du public . 57
10.10 Surveillance. 58
10.10.1 Rapport d’audit. 58
10.10.2 Surveillance de l’exploitation du système. 59
10.10.3 Protection des informations journalisées . 60
10.10.4 Journal administrateur et journal des opérations . 61
10.10.5 Rapports de défaut . 61
iv © ISO/CEI 2005 – Tous droits réservés

---------------------- Page: 4 ----------------------
ISO/CEI 17799:2005(F)
10.10.6 Synchronisation des horloges . 62
11 Contrôle d’accès. 62
11.1 Exigences métier relatives au contrôle d’accès. 62
11.1.1 Politique de contrôle d’accès . 62
11.2 Gestion de l’accès utilisateur . 63
11.2.1 Enregistrement des utilisateurs . 64
11.2.2 Gestion des privilèges. 65
11.2.3 Gestion du mot de passe utilisateur. 65
11.2.4 Réexamen des droits d’accès utilisateurs . 66
11.3 Responsabilités utilisateurs . 67
11.3.1 Utilisation du mot de passe . 67
11.3.2 Matériel utilisateur laissé sans surveillance. 68
11.3.3 Politique du bureau propre et de l’écran vide . 68
11.4 Contrôle d’accès au réseau . 69
11.4.1 Politique relative à l’utilisation des services en réseau . 69
11.4.2 Authentification de l’utilisateur pour les connexions externes. 70
11.4.3 Identification des matériels en réseau. 71
11.4.4 Protection des ports de diagnostic et de configuration à distance . 71
11.4.5 Cloisonnement des réseaux . 71
11.4.6 Mesure relative à la connexion réseau. 72
11.4.7 Contrôle du routage réseau. 73
11.5 Contrôle d’accès au système d’exploitation. 73
11.5.1 Ouverture de sessions sécurisées . 73
11.5.2 Identification et authentification de l’utilisateur. 74
11.5.3 Système de gestion des mots de passe. 75
11.5.4 Emploi des utilitaires système . 76
11.5.5 Déconnexion automatique des sessions inactives. 77
11.5.6 Limitation du temps de connexion . 77
11.6 Contrôle d’accès aux applications et à l’information . 77
11.6.1 Restriction d’accès à l’information. 78
11.6.2 Isolement des systèmes sensibles. 78
11.7 Informatique mobile et télétravail . 79
11.7.1 Informatique mobile et télécommunications . 79
11.7.2 Télétravail. 80
12 Acquisition, développement et maintenance des systèmes d’information. 81
12.1 Exigences de sécurité applicables aux systèmes d’information . 81
12.1.1 Analyse et spécification des exigences de sécurité.82
12.2 Bon fonctionnement des applications. 82
12.2.1 Validation des données d’entrée. 83
12.2.2 Mesure relative au traitement interne. 83
12.2.3 Intégrité des messages . 84
12.2.4 Validation des données de sortie. 85
12.3 Mesures cryptographiques. 85
12.3.1 Politique d’utilisation des mesures cryptographiques. 85
12.3.2 Gestion des clés. 87
12.4 Sécurité des fichiers système . 88
12.4.1 Mesure relative aux logiciels en exploitation . 88
12.4.2 Protection des données système d’essai . 89
12.4.3 Contrôle d’accès au code source du programme . 90
12.5 Sécurité en matière de développement et d’assistance technique. 91
12.5.1 Procédures de contrôle des modifications. 91
12.5.2 Réexamen technique des applications après modification du système d’exploitation. 92
12.5.3 Restrictions relatives à la modification des progiciels. 92
12.5.4 Fuite d’informations . 93
12.5.5 Externalisation du développement logiciel. 93
12.6 Gestion des vulnérabilités techniques. 94
12.6.1 Mesure relative aux vulnérabilités techniques . 94
13 Gestion des incidents liés à la sécurité de l’information . 95
© ISO/CEI 2005 – Tous droits réservés v

---------------------- Page: 5 ----------------------
ISO/CEI 17799:2005(F)
13.1 Signalement des événements et des failles liés à la sécurité de l’information. 95
13.1.1 Signalement des événements liés à la sécurité de l’information. 96
13.1.2 Signalement des failles de sécurité . 97
13.2 Gestion des améliorations et incidents liés à la sécurité de l’information. 97
13.2.1 Responsabilités et procédures. 98
13.2.2 Exploitation des incidents liés à la sécurité de l’information déjà survenus . 99
13.2.3 Collecte de preuves . 99
14 Gestion du plan de continuité de l’activité. 100
14.1 Aspects de la sécurité de l’information en matière de gestion de la continuité de l’activité . 100
14.1.1 Intégration de la sécurité de l’information dans le processus de gestion du plan de
continuité de l’activité . 101
14.1.2 Continuité de l’activité et appréciation du risque. 101
14.1.3 Élaboration et mise en œuvre des plans de continuité intégrant la sécurité de
l’information. 102
14.1.4 Cadre de la planification de la continuité de l’activité . 103
14.1.5 Mise à l’essai, gestion et appréciation constante des plans de continuité de l’activité . 104
15 Conformité . 105
15.1 Conformité avec les exigences légales . 105
15.1.1 Identification de la législation en vigueur . 105
15.1.2 Droits de propriété intellectuelle . 105
15.1.3 Protection des enregistrements de l’organisme. 106
15.1.4 Protection des données et confidentialité des informations relatives à la vie privée. 107
15.1.5 Mesure préventive à l’égard du mauvais usage des moyens de traitement de l’information . 108
15.1.6 Réglementation relative aux mesures cryptographiques. 109
15.2 Conformité avec les politiques et normes de sécurité et conformité technique . 109
15.2.1 Conformité avec les politiques et les normes de sécurité . 109
15.2.2 Vérification de la conformité technique. 110
15.3 Prises en compte de l’audit du système d’information . 110
15.3.1 Contrôles de l’audit du système d’information.
...

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Information technology -- Security techniques -- Code of practice for information security managementTechnologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour la gestion de la sécurité de l'informationInformation technology -- Security techniques -- Code of practice for information security management35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:Ta slovenski standard je istoveten z:ISO/IEC 17799:2005oSIST ISO/IEC 17799:2005en01-september-2005oSIST ISO/IEC 17799:2005SLOVENSKI
STANDARD



oSIST ISO/IEC 17799:2005



Reference numberISO/IEC 17799:2005(E)© ISO/IEC 2005
INTERNATIONAL STANDARD ISO/IEC17799Second edition2005-06-15Information technology — Security techniques — Code of practice for information security management Technologies de l'information — Techniques de sécurité — Code de pratique pour la gestion de sécurité d'information
oSIST ISO/IEC 17799:2005



ISO/IEC 17799:2005(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
©
ISO/IEC 2005 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2005 – All rights reserved
oSIST ISO/IEC 17799:2005



ISO/IEC17799:2005(E) © ISO/IEC 2005 – All rights reserved iii
Contents
Page
FOREWORD. VII 0 INTRODUCTION . VIII 0.1 WHAT IS INFORMATION SECURITY?.VIII 0.2 WHY INFORMATION SECURITY IS NEEDED? .VIII 0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS .IX 0.4 ASSESSING SECURITY RISKS . IX 0.5 SELECTING CONTROLS. IX 0.6 INFORMATION SECURITY STARTING POINT. IX 0.7 CRITICAL SUCCESS FACTORS . X 0.8 DEVELOPING YOUR OWN GUIDELINES . XI 1 SCOPE. 1 2 TERMS AND DEFINITIONS . 1 3 STRUCTURE OF THIS STANDARD. 4 3.1 CLAUSES . 4 3.2 MAIN SECURITY CATEGORIES. 4 4 RISK ASSESSMENT AND TREATMENT. 5 4.1 ASSESSING SECURITY RISKS . 5 4.2 TREATING SECURITY RISKS. 5 5 SECURITY POLICY . 7 5.1 INFORMATION SECURITY POLICY.
7 5.1.1 Information security policy document . 7 5.1.2 Review of the information security policy. 8 6 ORGANIZATION OF INFORMATION SECURITY. 9 6.1 INTERNAL ORGANIZATION. 9 6.1.1 Management commitment to information security.
9 6.1.2 Information security co-ordination. 10 6.1.3 Allocation of information security responsibilities. 10 6.1.4 Authorization process for information processing facilities. 11 6.1.5 Confidentiality agreements. 11 6.1.6 Contact with authorities . 12 6.1.7 Contact with special interest groups .12 6.1.8 Independent review of information security . 13 6.2 EXTERNAL PARTIES . 14 6.2.1 Identification of risks related to external parties. 14 6.2.2 Addressing security when dealing with customers . 15 6.2.3 Addressing security in third party agreements . 16 7 ASSET MANAGEMENT. 19 7.1 RESPONSIBILITY FOR ASSETS. 19 7.1.1 Inventory of assets . 19 7.1.2 Ownership of assets. 20 7.1.3 Acceptable use of assets. 20 7.2 INFORMATION CLASSIFICATION. 21 7.2.1 Classification guidelines. 21 7.2.2 Information labeling and handling.21 8 HUMAN RESOURCES SECURITY. 23 8.1 PRIOR TO EMPLOYMENT . 23 8.1.1 Roles and responsibilities. 23 oSIST ISO/IEC 17799:2005



ISO/IEC 17799:2005(E) iv © ISO/IEC 2005 – All rights reserved
8.1.2 Screening . 23 8.1.3 Terms and conditions of employment . 24 8.2 DURING EMPLOYMENT . 25 8.2.1 Management responsibilities. 25 8.2.2 Information security awareness, education, and training . 26 8.2.3 Disciplinary process. 26 8.3 TERMINATION OR CHANGE OF EMPLOYMENT. 27 8.3.1 Termination responsibilities . 27 8.3.2 Return of assets. 27 8.3.3 Removal of access rights . 28 9 PHYSICAL AND ENVIRONMENTAL SECURITY . 29 9.1 SECURE AREAS . 29 9.1.1 Physical security perimeter . 29 9.1.2 Physical entry controls . 30 9.1.3 Securing offices, rooms, and facilities. 30 9.1.4 Protecting against external and environmental threats. 31 9.1.5 Working in secure areas. 31 9.1.6 Public access, delivery, and loading areas. 32 9.2 EQUIPMENT SECURITY. 32 9.2.1 Equipment siting and protection. 32 9.2.2 Supporting utilities . 33 9.2.3 Cabling security. 34 9.2.4 Equipment maintenance. 34 9.2.5 Security of equipment off-premises. 35 9.2.6 Secure disposal or re-use of equipment. 35 9.2.7 Removal of property . 36 10 COMMUNICATIONS AND OPERATIONS MANAGEMENT. 37 10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES . 37 10.1.1 Documented operating procedures. 37 10.1.2 Change management . 37 10.1.3 Segregation of duties . 38 10.1.4 Separation of development, test, and operational facilities. 38 10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT . 39 10.2.1 Service delivery. 39 10.2.2 Monitoring and review of third party services. 40 10.2.3 Managing changes to third party services. 40 10.3 SYSTEM PLANNING AND ACCEPTANCE. 41 10.3.1 Capacity management . 41 10.3.2 System acceptance . 41 10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE. 42 10.4.1 Controls against malicious code. 42 10.4.2 Controls against mobile code . 43 10.5 BACK-UP . 44 10.5.1 Information back-up . 44 10.6 NETWORK SECURITY MANAGEMENT. 45 10.6.1 Network controls. 45 10.6.2 Security of network services . 46 10.7 MEDIA HANDLING . 46 10.7.1 Management of removable media. 46 10.7.2 Disposal of media . 47 10.7.3 Information handling procedures.47 10.7.4 Security of system documentation. 48 10.8 EXCHANGE OF INFORMATION . 48 10.8.1 Information exchange policies and procedures. 49 10.8.2 Exchange agreements. 50 10.8.3 Physical media in transit . 51 10.8.4 Electronic messaging. 52 10.8.5 Business information systems . 52 oSIST ISO/IEC 17799:2005



ISO/IEC 17799:2005(E) © ISO/IEC 2005 – All rights reserved v
10.9 ELECTRONIC COMMERCE SERVICES . 53 10.9.1 Electronic commerce . 53 10.9.2 On-Line Transactions. 54 10.9.3 Publicly available information . 55 10.10 MONITORING. 55 10.10.1 Audit logging . 55 10.10.2 Monitoring system use. 56 10.10.3 Protection of log information .57 10.10.4 Administrator and operator logs . 58 10.10.5 Fault logging . 58 10.10.6 Clock synchronization . 58 11 ACCESS CONTROL . 60 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL . 60 11.1.1 Access control policy. 60 11.2 USER ACCESS MANAGEMENT. 61 11.2.1 User registration. 61 11.2.2 Privilege management . 62 11.2.3 User password management. 62 11.2.4 Review of user access rights. 63 11.3 USER RESPONSIBILITIES. 63 11.3.1 Password use. 64 11.3.2 Unattended user equipment . 64 11.3.3 Clear desk and clear screen policy. 65 11.4 NETWORK ACCESS CONTROL. 65 11.4.1 Policy on use of network services. 66 11.4.2 User authentication for external connections. 66 11.4.3 Equipment identification in networks . 67 11.4.4 Remote diagnostic and configuration port protection . 67 11.4.5 Segregation in networks . 68 11.4.6 Network connection control. 68 11.4.7 Network routing control . 69 11.5 OPERATING SYSTEM ACCESS CONTROL. 69 11.5.1 Secure log-on procedures. 69 11.5.2 User identification and authentication . 70 11.5.3 Password management system.71 11.5.4 Use of system utilities . 72 11.5.5 Session time-out. 72 11.5.6 Limitation of connection time . 72 11.6 APPLICATION AND INFORMATION ACCESS CONTROL . 73 11.6.1 Information access restriction . 73 11.6.2 Sensitive system isolation . 74 11.7 MOBILE COMPUTING AND TELEWORKING. 74 11.7.1 Mobile computing and communications. 74 11.7.2 Teleworking . 75 12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE. 77 12.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS. 77 12.1.1 Security requirements analysis and specification. 77 12.2 CORRECT PROCESSING IN APPLICATIONS . 78 12.2.1 Input data validation. 78 12.2.2 Control of internal processing. 78 12.2.3 Message integrity. 79 12.2.4 Output data validation. 79 12.3 CRYPTOGRAPHIC CONTROLS . 80 12.3.1 Policy on the use of cryptographic controls . 80 12.3.2 Key management. 81 12.4 SECURITY OF SYSTEM FILES. 83 12.4.1 Control of operational software . 83 12.4.2 Protection of system test data. 84 oSIST ISO/IEC 17799:2005



ISO/IEC 17799:2005(E) vi © ISO/IEC 2005 – All rights reserved 12.4.3 Access control to program source code. 84 12.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES . 85 12.5.1 Change control procedures . 85 12.5.2 Technical review of applications after operating system changes. 86 12.5.3 Restrictions on changes to software packages. 86 12.5.4 Information leakage. 87 12.5.5 Outsourced software development. 87 12.6 TECHNICAL VULNERABILITY MANAGEMENT . 88 12.6.1 Control of technical vulnerabilities . 88 13 INFORMATION SECURITY INCIDENT MANAGEMENT . 90 13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES. 90 13.1.1 Reporting information security events. 90 13.1.2 Reporting security weaknesses . 91 13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS . 91 13.2.1 Responsibilities and procedures. 92 13.2.2 Learning from information security incidents . 93 13.2.3 Collection of evidence. 93 14 BUSINESS CONTINUITY MANAGEMENT . 95 14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT . 95 14.1.1 Including information security in the business continuity management process. 95 14.1.2 Business continuity and risk assessment. 96 14.1.3 Developing and implementing continuity plans including information security . 96 14.1.4 Business continuity planning framework. 97 14.1.5 Testing, maintaining and re-assessing business continuity plans. 98 15 COMPLIANCE. 100 15.1 COMPLIANCE WITH LEGAL REQUIREMENTS . 100 15.1.1 Identification of applicable legislation. 100 15.1.2 Intellectual property rights (IPR) . 100 15.1.3 Protection of organizational records. 101 15.1.4 Data protection and privacy of personal information . 102 15.1.5 Pre
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 18032:2020(Main)
Information security — Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

  • Standard
    33 pages
    English language
    sale 15% off
  • Draft
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 24761:2019(Main)
Information technology — Security techniques — Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

  • Standard
    75 pages
    English language
    sale 15% off
ISO
ISO/IEC 30111:2019(Main)
Information technology — Security techniques — Vulnerability handling processes

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service. This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    15 pages
    French language
    sale 15% off
ISO
ISO/IEC 9798-2:2019(Main)
IT Security techniques — Entity authentication — Part 2: Mechanisms using authenticated encryption

This document specifies entity authentication mechanisms using authenticated encryption algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require an on-line trusted third party for the establishment of a common secret key. They also realize mutual or unilateral entity authentication. Annex A defines Object Identifiers for the mechanisms specified in this document.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 9798-3:2019(Main)
IT Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques

This document specifies entity authentication mechanisms using digital signatures based on asymmetric techniques. A digital signature is used to verify the identity of an entity. Ten mechanisms are specified in this document. The first five mechanisms do not involve an on-line trusted third party and the last five make use of on-line trusted third parties. In both of these two categories, two mechanisms achieve unilateral authentication and the remaining three achieve mutual authentication. Annex A defines the object identifiers assigned to the entity authentication mechanisms specified in this document.

  • Standard
    25 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 27008:2019(Main)
Information technology — Security techniques — Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

  • Technical specification
    91 pages
    English language
    sale 15% off
ISO
ISO/IEC 10118-3:2018(Main)
IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions

This document specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this document are based on the iterative use of a round-function. Distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The use of Dedicated Hash-Functions 1, 2 and 3 in new digital signature implementations is deprecated. NOTE As a result of their short hash-code length and/or cryptanalytic results, Dedicated Hash-Functions 1, 2 and 3 do not provide a sufficient level of collision resistance for future digital signature applications and they are therefore, only usable for legacy applications. However, for applications where collision resistance is not required, such as in hash-functions as specified in ISO/IEC 9797‑2, or in key derivation functions specified in ISO/IEC 11770‑6, their use is not deprecated. Numerical examples for dedicated hash-functions specified in this document are given in Annex B as additional information. For information purposes, SHA-3 extendable-output functions are specified in Annex C.

  • Standard
    398 pages
    English language
    sale 15% off
ISO
ISO/IEC 29147:2018(Main)
Information technology — Security techniques — Vulnerability disclosure

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides: — guidelines on receiving reports about potential vulnerabilities; — guidelines on disclosing vulnerability remediation information; — terms and definitions that are specific to vulnerability disclosure; — an overview of vulnerability disclosure concepts; — techniques and policy considerations for vulnerability disclosure; — examples of techniques, policies (Annex A), and communications (Annex B). Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111. This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.

  • Standard
    32 pages
    English language
    sale 15% off
  • Standard
    34 pages
    French language
    sale 15% off
ISO
ISO/IEC TS 19608:2018(Main)
Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for: — selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII); — the procedure to define both privacy and security functional requirements in a coordinated manner; and — developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2. The intended audience for this document are: — developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100; — authors of Protection Profiles that address the protection of PII; and — evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation. This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.

  • Technical specification
    48 pages
    English language
    sale 15% off
ISO
ISO/IEC 27050-2:2018(Main)
Information technology — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery

This document provides guidance for technical and non-technical personnel at senior management levels within an organization, including those with responsibility for compliance with statuary and regulatory requirements, and industry standards. It describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.

  • Standard
    9 pages
    English language
    sale 15% off