iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 27011:2024

(Main)

Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations

Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations

This document provides guidelines supporting the implementation of information security controls in telecommunications organizations. The adoption of this document will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant information security property.

Sécurité de l'information, cybersécurité et protection de la vie privée — Mesures de sécurité de l'information pour les organismes de télécommunications sur la base de l'ISO/IEC 27002

General Information

Status
Published
Publication Date
27-Mar-2024
ICS
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 1 - Information security management systems
Current Stage
6060 - International Standard published
Start Date
28-Mar-2024
Due Date
27-Jan-2024
Completion Date
28-Mar-2024
Ref Project

Relations

Revises
ISO/IEC 27011:2016 - Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
Effective Date
23-Apr-2020

Buy Standard

ISO/IEC 27011:2024 - Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations Released:28. 03. 2024ISO/IEC 27011:2024 - Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations Released:28. 03. 2024
PreviousNext
Standard
ISO/IEC 27011:2024 - Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations Released:28. 03. 2024
English language
28 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


International
Standard
ISO/IEC 27011
Third edition
Information security, cybersecurity
2024-03
and privacy protection —
Information security controls
based on ISO/IEC 27002 for
telecommunications organizations
Sécurité de l'information, cybersécurité et protection de la
vie privée — Mesures de sécurité de l'information pour les
organismes de télécommunications sur la base de l'ISO/IEC 27002
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed
for the different types of document should be noted (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had
not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms
and expressions related to conformity assessment, as well as information about ISO's adherence
to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT)
see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by ITU-T (as ITU-T Recommendation X.1051) and drafted in accordance
with its editorial rules, in collaboration with Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This third edition cancels and replaces the second edition (ISO/IEC 27011-1:2016), which has been
technically revised. It also incorporates the Technical Corrigendum ISO/IEC 27011-1:2016/Cor 1:2018.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-
committees.
© ISO/IEC 2024 – All rights reserved
iii
INTERNATIONAL STANDARD ISO/IEC 27011
RECOMMENDATION ITU-T X.1051
Information security, cybersecurity and privacy protection – Information security controls
based on ISO/IEC 27002 for telecommunications organizations
Summary
This Recommendation | International Standard:
a) establishes guidelines and general principles for initiating, implementing, maintaining and improving
information security controls in telecommunications organizations based on ISO/IEC 27002;
b) provides an implementation baseline of information security controls within telecommunications
organizations to ensure the confidentiality, integrity and availability of telecommunications facilities,
services and information handled, processed or stored by the facilities and services.
As a result of implementing this Recommendation | International Standard, telecommunications organizations, both within
and between jurisdictions, will:
a) be able to ensure the confidentiality, integrity and availability of global telecommunications facilities,
services and the information handled, processed or stored within global facilities and services;
b) have adopted secure collaborative processes and controls ensuring the lowering of risks in the delivery of
telecommunications services;
c) be able to deliver information security in an effective and efficient manner;
d) have adopted a consistent holistic approach to information security;
e) be able to improve the security culture of organizations, raise staff awareness and increase public trust.
*
History
Edition Recommendation Approval Study Group Unique ID
1.0 ITU-T X.1051 2004-07-29 17 11.1002/1000/7286
2.0 ITU-T X.1051 2008-02-13 17 11.1002/1000/9332
3.0 ITU-T X.1051 2016-04-29 17 11.1002/1000/12845
3.1   ITU-T X.1051 (2016) Cor. 1 2017-09-06 17 11.1002/1000/13407
4.0 ITU-T X.1051 2023-06-13 17 11.1002/1000/15559
Keywords
Information security controls and telecommunications extended controls, information security management, information
security risk assessment, information security risk treatment, ISO/IEC 27002.
*
To access the Recommendation, type the URL https://handle.itu.int/ in the address field of your web
browser, followed by the Recommendation's unique ID.
© ISO/IEC 2024 – All rights reserved
Rec. ITU-T X.1051 (06/2023) v
FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications, information and communication technologies (ICTs). The ITU Telecommunication
Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
operating and tariff questions and issuing Recommendations on them with a view to standardizing
telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes
the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are
prepared on a collaborative basis with ISO and IEC.
NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the
Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other
obligatory language such as "must" and the negative equivalents are used to express requirements. The use of
such words does not suggest that compliance with the Recommendation is required of any party.
INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve
the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or
applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of
the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property,
protected by patents/software copyrights, which may be required to implement this Recommendation.
However, implementers are cautioned that this may not represent the latest information and are therefore
strongly urged to consult the appropriate ITU-T databases available via the ITU-T website at
http://www.itu.int/ITU-T/ipr/.
© ITU 2024
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior
written permission of ITU.
vi Rec. ITU-T X.1051 (06/2023)
© ISO/IEC 2024 – All rights reserved

CONTENTS
Page
1 Scope . 1
2 Normative references . 1
3 Definitions and abbreviations . 1
3.1 Definitions . 1
3.2 Abbreviations . 2
4 Overview . 2
4.1 Structure of this Recommendation | International Standard . 2
4.2 Information security management systems in telecommunications organizations . 3
5 Organizational controls . 5
5.1 Policies for information security . 5
5.2 Information security roles and responsibilities . 5
5.3 Segregation of duties . 6
5.4 Management responsibilities . 6
5.5 Contact with authorities . 6
5.6 Contact with special interest groups . 6
5.7 Threat intelligence . 6
5.8 Information security in project management . 6
5.9 Inventory of information and other associated assets . 6
5.10 Acceptable use of information and other associated assets . 6
5.11 Return of assets . 6
5.12 Classification of information . 7
5.13 Labelling of information . 7
5.14 Information transfer. 7
5.15 Access control . 7
5.16 Identity management . 7
5.17 Authentication information . 7
5.18 Access rights . 7
5.19 Information security in supplier relationships . 7
5.20 Addressing information security within supplier agreements . 8
5.21 Managing information security in the ICT supply chain . 8
5.22 Monitoring, review and change management of supplier services . 8
5.23 Information security for use of cloud services . 8
5.24 Information security incident management planning and preparation . 8
5.25 Assessment and decision on information security events. 9
5.26 Response to information security incidents . 9
5.27 Learning from information security incidents . 9
5.28 Collection of evidence . 9
5.29 Information security during disruption . 9
5.30 ICT readiness for business continuity . 10
5.31 Legal, statutory, regulatory and contractual requirements . 10
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 27554:2024(Main)
Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk

This document provides guidelines for identity-related risk, as an extension of ISO 31000:2018. More specifically, it uses the process outlined in ISO 31000 to guide users in establishing context and assessing risk, including providing risk scenarios for processes and implementations that are exposed to identity-related risk. This document is applicable to the risk assessment of processes and services that rely on or are related to identity. This document does not include aspects of risk related to general issues of delivery, technology or security.

  • Standard
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
ISO
ISO/IEC 27403:2024(Main)
Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics

This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

  • Standard
    39 pages
    English language
    sale 15% off
ISO
ISO/IEC 14888-4:2024(Main)
Information security — Digital signatures with appendix — Part 4: Stateful hash-based mechanisms

This document specifies stateful digital signature mechanisms with appendix, where the level of security is determined by the security properties of the underlying hash function. This document also provides requirements for implementing basic state management, which is needed for the secure deployment of the stateful schemes described in this document.

  • Standard
    56 pages
    English language
    sale 15% off
ISO
ISO/IEC TR 5891:2024(Main)
Information security, cybersecurity and privacy protection — Hardware monitoring technology for hardware security assessment

This document surveys and summarizes the existing hardware monitoring methods, including research efforts and industrial applications. The explored monitoring technologies are classified by applied area, carrier type, target entity, objective pattern, and method of deployment. Moreover, this document summarizes the possible ways of utilizing monitoring technologies for hardware security assessment with some existing state-of-the-art security assessment approaches. The hardware mentioned in this document refers only to the core processing hardware, such as the central processing unit (CPU), microcontroller unit (MCU), and system on a chip (SoC), in the von Neumann system and does not include single-input or single-output devices such as memory or displays. The hardware monitoring technology discussed in this document has the following considerations and restrictions: — the monitored target is for the post-silicon phase, not for the design-house phase (e.g. an RTL or netlist design); — monitoring is only applied to the runtime system.

  • Technical report
    32 pages
    English language
    sale 15% off
ISO
ISO/IEC DIS 27561(Main)
Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME)

This document describes a model and method to operationalize ISO/IEC 29100 privacy principles into sets of controls and functional capabilities. The method is described as a process following ISO/IEC/IEEE It is designed for use with other standards and privacy It supports networked, interdependent applications and This document is intended for engineers and other practitioners developing systems controlling or processing PII.

  • Standard
    29 pages
    English language
    sale 15% off
ISO
ISO/IEC 4922-2:2024(Main)
Information security — Secure multiparty computation — Part 2: Mechanisms based on secret sharing

This document specifies the processes for secure multiparty computation mechanisms based on the secret sharing techniques which are specified in ISO/IEC 19592-2. Secure multiparty computation based on secret sharing can be used for confidential data processing. Examples of possible applications include collaborative data analytics or machine learning where data are kept secret, secure auctions where each bidding price is hidden, and performing cryptographic operations where the secrecy of the private keys is maintained. This document specifies the mechanisms including but not limited to addition, subtraction, multiplication by a constant, shared random number generation, and multiplication with their parameters and properties. This document describes how to perform a secure function evaluation using these mechanisms and secret sharing techniques.

  • Standard
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 27006-1:2024(Main)
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General

This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    47 pages
    English language
    sale 15% off
  • Standard
    53 pages
    French language
    sale 15% off
ISO
ISO/IEC 27001:2022/Amd 1:2024(Amendment)
Information security, cybersecurity and privacy protection — Information security management systems — Requirements — Amendment 1: Climate action changes
  • Standard
    1 page
    English language
    sale 15% off
  • Standard
    1 page
    French language
    sale 15% off
ISO
ISO/IEC 29100:2024(Main)
Information technology — Security techniques — Privacy framework

This document provides a privacy framework which: — specifies a common privacy terminology; — defines the actors and their roles in processing personally identifiable information (PII); — describes privacy safeguarding considerations; — provides references to known privacy principles for information technology. This document is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

  • Standard
    22 pages
    English language
    sale 15% off
ISO
ISO/IEC 27040:2024(Main)
Information technology — Security techniques — Storage security

This document provides detailed technical requirements and guidance on how organizations can achieve an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection of data both while stored in information and communications technology (ICT) systems and while in transit across the communication links associated with storage. Storage security includes the security of devices and media, management activities related to the devices and media, applications and services, and controlling or monitoring user activities during the lifetime of devices and media, and after end of use or end of life. Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage products and services, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information or storage security, storage operation, or who are responsible for an organization’s overall security programme and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security. This document provides an overview of storage security concepts and related definitions. It includes requirements and guidance on the threats, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other international standards and technical reports that address existing practices and techniques that can be applied to storage security.

  • Standard
    85 pages
    English language
    sale 15% off