SIST ISO/IEC 27002:2013
(Main)Information technology -- Security techniques -- Code of practice for information security controls
Information technology -- Security techniques -- Code of practice for information security controls
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It is designed to be used by organizations that intend to:
select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
implement commonly accepted information security controls;
develop their own information security management guidelines.
Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour le management de la sécurité de l'information
L'ISO 27002:2013 donne des lignes directrices en matière de normes organisationnelles relatives à la sécurité de l'information et des bonnes pratiques de management de la sécurité de l'information, incluant la sélection, la mise en ?uvre et la gestion de mesures de sécurité prenant en compte le ou les environnement(s) de risques de sécurité de l'information de l'organisation.
L'ISO 27002:2013 est élaborée à l'intention des organisations désireuses de sélectionner les mesures nécessaires dans le cadre du processus de mise en ?uvre d'un système de management de la sécurité de l'information (SMSI) selon l'ISO/CEI 27001; de mettre en ?uvre des mesures de sécurité de l'information largement reconnues; et d'élaborer leurs propres lignes directrices de management de la sécurité de l'information.
Informacijska tehnologija - Varnostne tehnike - Pravila obnašanja pri kontrolah informacijske varnosti
Ta mednarodni standard podaja smernice za standarde informacijske varnosti organizacij in načine uporabe upravljanja informacijske varnosti, kar vključuje izbiro, izvajanje in upravljanje kontrol, pri čemer upošteva tveganja za informacijsko varnost v okolju organizacije.
Ta mednarodni standard lahko uporabljajo organizacije, ki želijo:
a) izbirati kontrole znotraj procesa izvajanja sistemov upravljanja informacijske varnosti na osnovi standarda ISO/IEC 27001;
b) izvajati splošno sprejete kontrole informacijske varnosti;
c) razvijati lastne smernice za upravljanje informacijske varnosti.
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
01-november-2013
Informacijska tehnologija - Varnostne tehnike - Pravila obnašanja pri kontrolah
informacijske varnosti
Information technology -- Security techniques -- Code of practice for information security
controls
Technologies de l'information -- Techniques de sécurité -- Code de bonne pratique pour
le management de la sécurité de l'information
Ta slovenski standard je istoveten z: ISO/IEC 27002:2013
ICS:
35.040 Nabori znakov in kodiranje Character sets and
informacij information coding
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
INTERNATIONAL ISO/IEC
STANDARD 27002
Second edition
2013-10-01
Information technology — Security
techniques — Code of practice for
information security controls
Technologies de l’information — Techniques de sécurité — Code de
bonne pratique pour le management de la sécurité de l’information
Reference number
©
ISO/IEC 2013
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved
Contents Page
Foreword .v
0 Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this standard . 1
4.1 Clauses . 1
4.2 Control categories . 1
5 Information security policies . 2
5.1 Management direction for information security . 2
6 Organization of information security . 4
6.1 Internal organization . 4
6.2 Mobile devices and teleworking . 6
7 Human resource security . 9
7.1 Prior to employment . 9
7.2 During employment .10
7.3 Termination and change of employment .13
8 Asset management .13
8.1 Responsibility for assets .13
8.2 Information classification .15
8.3 Media handling .17
9 Access control .19
9.1 Business requirements of access control .19
9.2 User access management .21
9.3 User responsibilities .24
9.4 System and application access control .25
10 Cryptography .28
10.1 Cryptographic controls .28
11 Physical and environmental security .30
11.1 Secure areas .30
11.2 Equipment .33
12 Operations security .38
12.1 Operational procedures and responsibilities .38
12.2 Protection from malware .41
12.3 Backup .42
12.4 Logging and monitoring .43
12.5 Control of operational software .45
12.6 Technical vulnerability management .46
12.7 Information systems audit considerations .48
13 Communications security .49
13.1 Network security management .49
13.2 Information transfer .50
14 System acquisition, development and maintenance .54
14.1 Security requirements of information systems .54
14.2 Security in development and support processes .57
14.3 Test data .62
15 Supplier relationships .62
15.1 Information security in supplier relationships .62
© ISO/IEC 2013 – All rights reserved iii
15.2 Supplier service delivery management .66
16 Information security incident management .67
16.1 Management of information security incidents and improvements .67
17 Information security aspects of business continuity management .71
17.1 Information security continuity .71
17.2 Redundancies .73
18 Compliance .74
18.1 Compliance with legal and contractual requirements .74
18.2 Information security reviews .77
Bibliography .79
iv © ISO/IEC 2013 – All rights reserved
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been
technically and structurally revised.
© ISO/IEC 2013 – All rights reserved v
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls
within
...
INTERNATIONAL ISO/IEC
STANDARD 27002
Second edition
2013-10-01
Information technology — Security
techniques — Code of practice for
information security controls
Technologies de l’information — Techniques de sécurité — Code de
bonne pratique pour le management de la sécurité de l’information
Reference number
©
ISO/IEC 2013
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved
Contents Page
Foreword .v
0 Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this standard . 1
4.1 Clauses . 1
4.2 Control categories . 1
5 Information security policies . 2
5.1 Management direction for information security . 2
6 Organization of information security . 4
6.1 Internal organization . 4
6.2 Mobile devices and teleworking . 6
7 Human resource security . 9
7.1 Prior to employment . 9
7.2 During employment .10
7.3 Termination and change of employment .13
8 Asset management .13
8.1 Responsibility for assets .13
8.2 Information classification .15
8.3 Media handling .17
9 Access control .19
9.1 Business requirements of access control .19
9.2 User access management .21
9.3 User responsibilities .24
9.4 System and application access control .25
10 Cryptography .28
10.1 Cryptographic controls .28
11 Physical and environmental security .30
11.1 Secure areas .30
11.2 Equipment .33
12 Operations security .38
12.1 Operational procedures and responsibilities .38
12.2 Protection from malware .41
12.3 Backup .42
12.4 Logging and monitoring .43
12.5 Control of operational software .45
12.6 Technical vulnerability management .46
12.7 Information systems audit considerations .48
13 Communications security .49
13.1 Network security management .49
13.2 Information transfer .50
14 System acquisition, development and maintenance .54
14.1 Security requirements of information systems .54
14.2 Security in development and support processes .57
14.3 Test data .62
15 Supplier relationships .62
15.1 Information security in supplier relationships .62
© ISO/IEC 2013 – All rights reserved iii
15.2 Supplier service delivery management .66
16 Information security incident management .67
16.1 Management of information security incidents and improvements .67
17 Information security aspects of business continuity management .71
17.1 Information security continuity .71
17.2 Redundancies .73
18 Compliance .74
18.1 Compliance with legal and contractual requirements .74
18.2 Information security reviews .77
Bibliography .79
iv © ISO/IEC 2013 – All rights reserved
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been
technically and structurally revised.
© ISO/IEC 2013 – All rights reserved v
0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls
within the process of implementing an Information Security Management System (ISMS) based on
[10]
ISO/IEC 27001 or as a guidance document for organizations implementing commonly accepted
information security controls. This standard is also intended for use in developing industry- and
organization-specific information security management guidelines, taking into consideration their
specific information security risk environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-profit)
collect, process, store and transmit information in many forms including electronic, physical and verbal
(e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas
and brands are examples of intangible forms of information. In an interconnected world, information and
related processes, systems, networks and personnel involved in their operation, handling and pr
...
ISO/IEC
Information
technology
Security techniques
Code of practice
for information
security controls
Second edition
2013-10-01
Our vision Our process
To be the world’s leading provider of high qual- Our standards are developed by experts
ity, globally relevant International Standards all over the world who work on a volunteer
through its members and stakeholders. or part-time basis. We sell International
Standards to recover the costs of organizing
this process and making standards widely
Our mission
available.
ISO develops high quality voluntary
Please respect our licensing terms and
International Standards that facilitate interna-
copyright to ensure this system remains
tional exchange of goods and services, support
independent.
sustainable and equitable economic growth,
If you would like to contribute to the devel-
promote innovation and protect health, safety
opment of ISO standards, please contact the
and the environment.
ISO Member Body in your country:
www.iso.org/iso/home/about/iso_mem-
bers.htm
This document has been prepared by:
ISO/IEC JTC 1, Information technology, SC 27,
IT Security techniques. All rights reserved. Unless otherwise speci-
fied, no part of this publication may be repro-
Committee members:
duced or utilized otherwise in any form or
ABNT, AENOR, AFNOR, ANSI, ASI, ASRO, BIS,
by any means, electronic or mechanical,
BSI, BSJ, CODINORM, CYS, DGN, DIN, DS, DSM,
including photocopy, or posting on the inter-
DTR, ESMA, EVS, GOST R, IANOR, ILNAS,
net or intranet, without prior permission.
IMANOR, INDECOPI, INN, IRAM, ISRM, JISC,
Permission can be requested from either ISO
KATS, KAZMEMST, KEBS, MSB, NBN, NEN,
at the address below or ISO’s member body
NSAI, PKN, SA, SABS, SAC, SCC, SFS, SII, SIS,
in the country of the requester:
SIST, SLSI, SN, SNV, SNZ, SPRING SG, SUTN,
© ISO/IEC 2013, Published in Switzerland
TISI, UNI, UNIT, UNMZ, (ISC)2, CCETT, Cloud
security alliance, ECBS, Ecma International,
ISO copyright office
ENISA, EPC, ISACA, ISSEA, ITU, Mastercard,
Case postale 56 • CH-1211 Geneva 20
Mastercard - Europe.
Tel. +41 22 749 01 11
Fax. +41 22 749 09 47
This list reflects contributing members at the
E-mail copyright@iso.org
time of publication.
Web www.iso.org
Cover photo credit: ISO/CS, 2013
© ISO/IEC 2013 – All rights reserved
ISO/IEC 270 02 : 2 013
Executive summary
• Organizations of all types and sizes col- It brings these controls together as a
lect, process, store and transmit infor- code of practice based on the controls
mation in many forms. This information that are commonly applied in many dif-
is valuable to an organization’s business ferent organizations.
and operations. • Effective information security also
• In today’s interconnected and mobile assures management and other stake-
world, information is processed us- holders that the organization’s assets
ing systems and networks that employ are safe, thereby acting as a business
state-of-the-art technology. It is vital to enabler.
protect this information against both • Other International Standards in the
deliberate and accidental threats and ISO/IEC 27000 family give complemen-
vulnerabilities. tary advice or requirements on other
• ISO/IEC 27002 helps organizations to aspects of the overall process of manag-
keep secure both their information as- ing information security.
sets and those of their customers.
• It offers organizations a wide selection
of security controls, together with ac-
companying implementation guidance.
© ISO/IEC 2013 – All rights reserved
Contents Page
Our vision .2
Our mission .2
Our process .2
Executive summary .3
Foreword .6
0 Introduction .7
1 Scope .10
2 Normative references .10
3 Terms and definitions .10
4 Structure of this standard .10
4.1 Clauses .10
4.2 Control categories .10
5 Information security policies .11
5.1 Management direction for information security .11
6 Organization of information security .12
6.1 Internal organization .12
6.2 Mobile devices and teleworking .14
7 Human resource security .17
7.1 Prior to employment .17
7.2 During employment .18
7.3 Termination and change of employment .20
8 Asset management .21
8.1 Responsibility for assets .21
8.2 Information classification .23
8.3 Media handling .24
9 Access control .26
9.1 Business requirements of access control .26
9.2 User access management .28
9.3 User responsibilities .31
9.4 System and application access control .32
10 Cryptography .35
10.1 Cryptographic controls .35
11 Physical and environmental security .37
11.1 Secure areas .37
11.2 Equipment .40
12 Operations security .44
12.1 Operational procedures and responsibilities .44
12.2 Protection from malware .47
12.3 Backup .48
12.4 Logging and monitoring .49
12.5 Control of operational software .50
12.6 Technical vulnerability management .51
© ISO/IEC 2013 – All rights reserved
12.7 Information systems audit considerations .53
13 Communications security .54
13.1 Network security management .54
13.2 Information transfer .55
14 System acquisition, development and maintenance .58
14.1 Security requirements of information systems .58
14.2 Security in development and support processes .61
14.3 Test data .66
15 Supplier relationships .66
15.1 Information security in supplier relationships .66
15.2 Supplier service delivery management .70
16 Information security incident management .71
16.1 Management of information security incidents and improvements .71
17 Information security aspects of business continuity management .75
17.1 Information security continuity .75
17.2 Redundancies .
...
INTERNATIONAL ISO/IEC
STANDARD 27002
Redline version
compares second edition
to first edition
Information technology — Security
techniques — Code of practice for
information security controls
Technologies de l’information — Techniques de sécurité — Code de
bonne pratique pour le management de la sécurité de l’information
Reference number
ISO/IEC 27002:redline:2014(E)
©
ISO/IEC 2014
ISO/IEC 27002:redline:2014(E)
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x . — Heading numbers containg modifications are highlighted in yellow in
the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved
ISO/IEC 27002:redline:2014(E)
Contents Page
Foreword .vi
Foreword .vii
0 Introduction .viii
0.1 What is information security? .viii
0.2 Why information security is needed? .viii
0.3 How to establish security requirements . ix
0.4 Assessing security risks . ix
0.5 Selecting controls . ix
0.6 Information security starting point .x
0.7 Critical success factors .x
0.8 Developing your own guidelines . xi
1 Scope . 1
2 Normative references . 1
2 3 Terms and definitions . 1
3 4 Structure of this standard .3
3.1 4.1 Clauses . 3
3.2 4.2 Main security Control categories . 4
4 Risk assessment and treatment . 4
4.1 Assessing security risks . 4
4.2 Treating security risks . 5
5 Security policy Information security policies . 6
5.1 Information security policy Management direction for information security . 6
6 Organization of information security . 8
6.1 Internal organization . 8
6.2 External parties .13
7 Asset management .18
7.1 Responsibility for assets .18
7.2 Information classification .20
8 Human resources security.21
8.1 Prior to employment .21
8.2 During employment .23
8.3 Termination or change of employment .24
9 Physical and environmental security .26
9.1 Secure areas .26
9.2 Equipment security .29
10 Communications and operations management .33
10.1 Operational procedures and responsibilities .33
10.2 Third party service delivery management .35
10.3 System planning and acceptance .37
10.4 Protection against malicious and mobile code .38
10.5 Back-up .40
10.6 Network security management .40
10.7 Media handling .42
10.8 Exchange of information.44
10.9 Electronic commerce services .48
10.10 Monitoring .50
11 6 Access control Organization of information security .54
11.1 Business requirement for access control .54
11.2 User access management .55
ISO/IEC 27002:redline:2014(E)
11.3 User responsibilities .57
11.4 6.1 . Network access
control Internal organization .59
11.5 Operating system access control .64
11.6 Application and information access control .68
11.7 6.2 . Mobile computing devices
and teleworking .69
7 Human resource security .72
7.1 Prior to employment .72
7.2 During employment .73
7.3 Termination and change of employment .76
8 Asset management .76
8.1 Responsibility for assets .76
8.2 Information classification .78
8.3 Media handling .80
9 Access control .82
9.1 Business requirements of access control .82
9.2 User access management .84
9.3 User responsibilities .
...
NORME ISO/CEI
INTERNATIONALE 27002
Deuxième édition
2013-10-01
Technologies de l’information —
Techniques de sécurité — Code de
bonne pratique pour le management
de la sécurité de l’information
Information technology — Security techniques — Code of practice for
information security controls
Numéro de référence
ISO/CEI 27002:2013(F)
©
ISO/CEI 2013
ISO/CEI 27002:2013(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO/CEI 2013
Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite ni utilisée
sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie, l’affichage sur
l’internet ou sur un Intranet, sans autorisation écrite préalable. Les demandes d’autorisation peuvent être adressées à l’ISO à
l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Publié en Suisse
ii © ISO/CEI 2013 – Tous droits réservés
ISO/CEI 27002:2013(F)
Sommaire Page
Avant-propos .v
0 Introduction .vi
1 Domaine d’application . 1
2 Références normatives . 1
3 Termes et définitions . 1
4 Structure de la présente norme . 1
4.1 Articles . 1
4.2 Catégories de mesures . 2
5 Politiques de sécurité de l’information . 2
5.1 Orientations de la direction en matière de sécurité de l’information . 2
6 Organisation de la sécurité de l’information . 4
6.1 Organisation interne . 4
6.2 Appareils mobiles et télétravail . 7
7 La sécurité des ressources humaines . 9
7.1 Avant l’embauche . 9
7.2 Pendant la durée du contrat .11
7.3 Rupture, terme ou modification du contrat de travail .14
8 Gestion des actifs.15
8.1 Responsabilités relatives aux actifs .15
8.2 Classification de l’information .16
8.3 Manipulation des supports . .19
9 Contrôle d’accès .21
9.1 Exigences métier en matière de contrôle d’accès .21
9.2 Gestion de l’accès utilisateur .23
9.3 Responsabilités des utilisateurs .27
9.4 Contrôle de l’accès au système et aux applications .28
10 Cryptographie .31
10.1 Mesures cryptographiques .31
11 Sécurité physique et environnementale .34
11.1 Zones sécurisées .34
11.2 Matériels .37
12 Sécurité liée à l’exploitation .42
12.1 Procédures et responsabilités liées à l’exploitation.42
12.2 Protection contre les logiciels malveillants .46
12.3 Sauvegarde .47
12.4 Journalisation et surveillance .48
12.5 Maîtrise des logiciels en exploitation .50
12.6 Gestion des vulnérabilités techniques .51
12.7 Considérations sur l’audit du système d’information .53
13 Sécurité des communications .54
13.1 Management de la sécurité des réseaux .54
13.2 Transfert de l’information .56
14 Acquisition, développement et maintenance des systèmes d’information .60
14.1 Exigences de sécurité applicables aux systèmes d’information .60
14.2 Sécurité des processus de développement et d’assistance technique .63
14.3 Données de test .68
15 Relations avec les fournisseurs .69
15.1 Sécurité de l’information dans les relations avec les fournisseurs .69
© ISO/CEI 2013 – Tous droits réservés iii
ISO/CEI 27002:2013(F)
15.2 Gestion de la prestation du service .72
16 Gestion des incidents liés à la sécurité de l’information .74
16.1 Gestion des incidents liés à la sécurité de l’information et améliorations .74
17 Aspects de la sécurité de l’information dans la gestion de la continuité de l’activité .78
17.1 Continuité de la sécurité de l’information .78
17.2 Redondances .80
18 Conformité .81
18.1 Conformité aux obligations légales et réglementaires .81
18.2 Revue de la sécurité de l’information .84
Bibliographie .87
iv © ISO/CEI 2013 – Tous droits réservés
ISO/CEI 27002:2013(F)
Avant-propos
L’ISO (Organisation internationale de normalisation) et la CEI (Commission électrotechnique
internationale) forment le système spécialisé de la normalisation mondiale. Les organismes nationaux
membres de l’ISO ou de la CEI participent au développement de Normes internationales par l’intermédiaire
des comités techniques créés par l’organisation concernée afin de s’occuper des domaines particuliers
de l’activité technique. Les comités techniques de l’ISO et de la CEI collaborent dans des domaines
d’intérêt commun. D’autres organisations internationales, gouvernementales et non gouvernementales,
en liaison avec l’ISO et la CEI participent également aux travaux. Dans le domaine des technologies de
l’information, l’ISO et la CEI ont créé un comité technique mixte, l’ISO/CEI JTC 1.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives
ISO/CEI, Partie 2.
La tâche principale du comité technique mixte est d’élaborer les Normes internationales. Les projets de
Normes internationales adoptés par le comité technique mixte sont soumis aux organismes nationaux
pour vote. Leur publication comme Normes internationales requiert l’approbation de 75 % au moins des
organismes nationaux votants.
L’attention est appelée sur le fait que certains des éléments du présent document peuvent faire l’objet de
droits de propriété intellectuelle ou de droits analogues. L’ISO ne saurait être tenue pour responsable de
ne pas avoir identifié de tels droits de propriété et averti de leur existence.
L’ISO/CEI 27002 a été élaborée par le comité technique ISO/CEI TC JTC 1, Technologies de l’information,
sous-comité SC 27, Techniques de sécurité des technologies de l’information.
Cette deuxième édition annule et remplace la première édition (ISO/CEI 27002:2005), qui a fait l’objet
d’une révision technique et structurelle.
© ISO/CEI 2013 – Tous droits réservés v
ISO/CEI 27002:2013(F)
0 Introduction
0.1 Historique et contexte
La présente Norme internationale a pour objet de servir d’outil de référence permettant aux
organisations de sélectionner les mesures nécessaires dans le cadre d’un processus de mise en œuvre
[10]
d’un système de management de la sécurité de l’information (SMSI) selon l’ISO/CEI 27001 ou de
guide pour les organisations mettant en œuvre des mesures de sécurité de l’information largement
reconnues. La présente norme a également pour objet d’élaborer des lignes directrices de management
de la sécurité de l’information spécifiques aux organisations et aux entreprises, en tenant compte de
leur(s) environnement(s) particulier(s) de risques de sécurité de l’information.
Des organisations de tous types et de toutes dimensions (incluant le secteur public et le secteur privé, à but
lucratif ou non lucratif) collectent, traitent, stockent et transmettent l’information sous de nombreuses
formes, notamment électronique, physique et verbale (par exemple, au cours de conversations et de
p
...
SLOVENSKI SIST ISO/IEC 27002
STANDARD november 2013
Informacijska tehnologija – Varnostne tehnike – Pravila obnašanja pri
kontrolah informacijske varnosti
Information technology – Security techniques – Code of practice for information
security controls
Technologies de l'information – Techniques de sécurité – Code de bonne
pratique pour le management de la sécurité de l'information
Referenčna oznaka
ICS 35.040 SIST ISO/IEC 27002:2013 (sl)
Nadaljevanje na straneh od 2 do 84
© 2014-02. Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
SIST ISO/IEC 27002 : 2013
NACIONALNI UVOD
Standard SIST ISO/IEC 27002 (sl), Informacijska tehnologija – Varnostne tehnike – Pravila obnašanja
pri upravljanju informacijske varnosti, 2013, ima status slovenskega standarda in je istoveten
mednarodnemu standardu ISO/IEC 27002 (en), Information technology – Security techniques – Code
of practice for information security management, druga izdaja, 2013-10-01.
NACIONALNI PREDGOVOR
Mednarodni standard ISO/IEC 27002:2013 je pripravil pododbor združenega tehničnega odbora
Mednarodne organizacije za standardizacijo in Mednarodne elektrotehniške komisije ISO/IEC JTC
1/SC 27 Varnostne tehnike v informacijski tehnologiji.
Slovenski standard SIST ISO/IEC 27002:2013 je prevod mednarodnega standarda ISO/IEC
27002:2013. V primeru spora glede besedila slovenskega prevoda je odločilen izvirni mednarodni
standard v angleškem jeziku. Slovenski standard SIST ISO/IEC 27002:2013 je pripravil tehnični odbor
SIST/TC ITC Informacijska tehnologija.
Odločitev za izdajo tega standarda je dne 25. oktobra 2013 sprejel SIST/TC ITC Informacijska
tehnologija.
ZVEZA Z NACIONALNIMI STANDARDI
S prevzemom tega evropskega standarda veljajo za omejeni namen referenčnih standardov vsi
standardi, navedeni v izvirniku, razen standardov, ki so že sprejeti v nacionalno standardizacijo:
SIST ISO/IEC 27000 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Pregled in izrazoslovje
OSNOVA ZA IZDAJO STANDARDA
– privzem standarda ISO/IEC 27002:2013
PREDHODNA IZDAJA
– SIST ISO/IEC 27002:2008
OPOMBI
– Povsod, kjer se v besedilu standarda uporablja izraz “mednarodni standard”, v SIST ISO/IEC
27002:2013 to pomeni “slovenski standard”.
– Nacionalni uvod in nacionalni predgovor nista sestavni del standarda.
SIST ISO/IEC 27002 : 2013
VSEBINA Stran
Predgovor .7
0 Uvod .8
0.1 Ozadje in kontekst.8
0.2 Zahteve informacijske varnosti.8
0.3 Izbiranje kontrol .9
0.4 Razvijanje lastnih smernic.9
0.5 Razmisleki o življenjskem ciklu .9
0.6 Sorodni standardi .9
1 Področje uporabe .10
2 Zveze s standardi .10
3 Izrazi in definicije .10
4 Struktura tega standarda.10
4.1 Točke.10
4.2 Kategorije kontrol.10
5 Informacijske varnostne politike .11
5.1 Usmeritev vodstva za informacijsko varnost.11
5.1.1 Politike za informacijsko varnost .11
5.1.2 Pregled politik za informacijsko varnost.12
6 Organiziranje informacijske varnosti .12
6.1 Notranja organizacija.12
6.1.1 Vloge in odgovornosti na področju informacijske varnosti.12
6.1.2 Razmejitev dolžnosti .13
6.1.3 Stik s pristojnimi organi .13
6.1.4 Stik s specifičnimi interesnimi skupinami .14
6.1.5 Informacijska varnost v upravljanju projektov .14
6.2 Mobilne naprave in delo na daljavo.15
6.2.1 Politika na področju mobilnih naprav .15
6.2.2 Delo na daljavo.16
7 Varnost človeških virov.17
7.1 Pred zaposlovanjem.17
7.1.1 Preverjanje .17
7.1.2 Določila in pogoji za zaposlitev .18
7.2 Med zaposlitvijo.19
7.2.1 Odgovornosti vodstva.19
7.2.2 Ozaveščenost, izobraževanje in usposabljanje o informacijski varnosti .19
7.2.3 Disciplinski proces.20
7.3 Prekinitev ali sprememba zaposlitve.21
7.3.1 Prekinitev ali sprememba zaposlitveniih odgovornosti .21
8 Upravljanje dobrin.21
8.1 Odgovornost za dobrine.21
8.1.1 Popis dobrin.21
8.1.2 Lastništvo nad dobrinami .22
8.1.3 Sprejemljiva uporaba dobrin.22
SIST ISO/IEC 27002 : 2013
8.1.4 Vračilo dobrin.23
8.2 Razvrstitev informacij .23
8.2.1 Razvrstitev informacij .23
8.2.2 Označevanje informacij.24
8.2.3 Ravnanje z dobrinami.24
8.3 Ravnanje z nosilci podatkov/informacij .25
8.3.1 Upravljanje izmenljivih nosilcev podatkov/informacij .25
8.3.2 Odstranjevanje nosilcev podatkov/informacij.25
8.3.3 Prenos fizičnih nosilcev podatkov/informacij.26
9 Nadzor dostopa .27
9.1 Nadzor dostopa .27
9.1.1 Politika nadzora dostopa.27
9.1.2 Dostop do omrežij in omrežnih storitev.28
9.2 Upravljanje uporabniškega dostopa.28
9.2.1 Registracija in izbris registracije uporabnika.28
9.2.2 Zagotavljanje dostopa uporabnikom .29
9.2.3 Upravljanje posebnih pravic dostopa .29
9.2.4 Upravljanje tajnih informacij uporabnikov za preverjanje verodostojnosti .30
9.2.5 Pregled uporabniških pravic dostopa.31
9.2.6 Preklic ali prilagoditev pravic dostopa .31
9.3 Odgovornosti uporabnikov .32
9.3.1 Uporaba tajnih informacij za preverjanje verodostojnosti .32
9.4 Nadzor dostopa do sistemov in aplikacij .33
9.4.1 Omejitev dostopa do informacij.33
9.4.2 Varni postopki prijave .33
9.4.3 Sistem upravljanja gesel .34
9.4.4 Uporaba posebnih pomožnih programov.34
9.4.5 Nadzor dostopa do programske izvorne kode .35
10 Kriptografija .36
10.1 Kriptografske kontrole .36
10.1.1 Politika uporabe kriptografskih kontrol .36
10.1.2 Upravljanje ključev .37
11 Fizična in okoljska varnost .38
11.1 Varovana območja .38
11.1.1 Varovanje fizičnih meja območja.38
11.1.2 Kontrole fizičnega vstopa .39
11.1.3 Varovanje pisarn, sob in naprav.39
11.1.4 Zaščita pred zunanjimi in okoljskimi grožnjami .40
11.1.5 Delo na varovanih območjih.40
11.1.6 Dostavne in nakladalne površine .40
11.2 Oprema.40
11.2.1 Namestitev in zaščita opreme .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.