Information technology - Security techniques - Information security controls for the energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

EN-ISO/IEC 27019 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following: - central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices; - digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements; - all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes; - communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology; - Advanced Metering Infrastructure (AMI) components, e.g. smart meters; - measurement devices, e.g. for emission values; - digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms; - energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations; - distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations; - all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System); - any premises housing the above-mentioned equipment and systems; - remote maintenance systems for above-mentioned systems.

Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)

Dieses Dokument gibt auf Basis von ISO/IEC 27002:2013 Hinweise für Systeme der Prozesssteuerung der Energieversorgung, die zur Steuerung, Regelung und Überwachung von Gewinnung oder Erzeugung, Übertragung, Speicherung und Verteilung von Strom, Gas, Öl und Wärme und für die Steuerung von unterstützenden Prozessen dienen. Dies umfasst insbesondere:
- zentrale und dezentrale Prozesssteuerungs-, Leit-, Automatisierungs- und Überwachungstechnik sowie die für ihren Betrieb genutzten Informationssysteme, wie z. B. Programmier- und Parametriergeräte;
- digitale Steuerungen und Automatisierungskomponenten wie Leit- und Feldgeräte oder Speicherpro-grammierbare Steuerungen (SPSen), inklusive digitaler Sensor- und Aktorelemente;
- alle weiteren in der Prozesstechnik genutzten unterstützenden Informationssysteme, z. B. für die Aufgabe der ergänzenden Datenvisualisierung und zur Steuerung, Überwachung, Datenarchivierung, Langzeitprotokollierung, Berichtswesen und zur Dokumentation;
- in der Prozesstechnik eingesetzte Kommunikationstechnik, z. B. Netzwerk-, Telemetrie-, Fernwirk- und Fernsteuertechnik;
- Advanced-Metering-Infrastruktur-(AMI)-Komponenten, z. B. intelligente Zähler;
- Mess- und Zählvorrichtungen, z. B. zur Emissionswerterfassung;
- digitale Schutz- und Safety-Systeme, z. B. Schutzgeräte, Sicherheits-Steuerungen und Notfallsteuerungsmechanismen;
- Energiemanagementsysteme, z. B. für dezentrale Energieerzeugungssysteme, elektrische Ladeinfra-strukturen, in Privathaushalten, Wohngebäuden oder industriellen Kundeninstallationen;
- verteilte Komponenten von Smart-Grid-Umgebungen, z. B. in Energienetzen, Privathaushalten, Wohn-gebäuden oder industriellen Kundeninstallationen;
- alle Arten von Software, Firmware und Anwendungen, die auf den vorgenannten Systemen eingesetzt werden, z. B. Netzführungs-Anwendungen oder Ausfallmanagementsysteme;
- jegliche Lokalität mit den oben erwähnten Anlagen oder Systemen;
- Fernwartungssysteme für die oben aufgeführten Systeme.
Nicht im Geltungsbereich dieses Dokuments liegt der Bereich der Prozesssteuerung von Kernenergie-anlagen. Dieser Bereich wird von IEC 62645 abgedeckt.
Darüber hinaus enthält dieses Dokument eine Anforderung, um die in ISO/IEC 27001:2013 beschriebenen Risikobeurteilungs- und -behandlungsprozesse an die in diesem Dokument enthaltenen energiesektor-spezifischen Empfehlungen anzupassen.

Technologies de l'information - Techniques de sécurité - Mesures de sécurité de l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version corrigée 2019-08)

Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za energetske operaterje (ISO/IEC 27019:2017, popravljena različica 2019-08)

General Information

Status
Published
Publication Date
16-Apr-2020
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
01-Apr-2020
Due Date
06-Jun-2020
Completion Date
17-Apr-2020

Buy Standard

Standard
SIST EN ISO/IEC 27019:2020
English language
46 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day
Standard
SIST EN ISO/IEC 27019:2020
English language
46 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN ISO/IEC 27019:2020
01-maj-2020

Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za

energetske operaterje (ISO/IEC 27019:2017, popravljena različica 2019-08)

Information technology - Security techniques - Information security controls for the

energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die

Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)
Technologies de l'information - Techniques de sécurité - Mesures de sécurité de

l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version

corrigée 2019-08)
Ta slovenski standard je istoveten z: EN ISO/IEC 27019:2020
ICS:
03.100.70 Sistemi vodenja Management systems
27.010 Prenos energije in toplote na Energy and heat transfer
splošno engineering in general
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 27019:2020 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 27019:2020
---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 27019:2020
EUROPEAN STANDARD
EN ISO/IEC 27019
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 03.100.70
English version
Information technology - Security techniques - Information
security controls for the energy utility industry (ISO/IEC
27019:2017, Corrected version 2019-08)

Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -

- Mesures de sécurité de l'information pour l'industrie Informationssicherheitsmaßnahmen für die

des opérateurs de l'énergie (ISO/IEC 27019:2017, Energieversorgung (ISO/IEC 27019:2017, korrigierte

Version corrigée 2019-08) Fassung 2019-08)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for

giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical

references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to

any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC

Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,

Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels

© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27019:2020 E

reserved worldwide for CEN national Members and for
CENELEC Members.
---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 27019:2020
EN ISO/IEC 27019:2020 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 27019:2020
EN ISO/IEC 27019:2020 (E)
European foreword

The text of ISO/IEC 27019:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information

technology” of the International Organization for Standardization (ISO) and has been taken over as

EN ISO/IEC 27019:2020 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”

the secretariat of which is held by DIN.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by September 2020, and conflicting national standards

shall be withdrawn at the latest by September 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,

Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of

North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the

United Kingdom.
Endorsement notice

The text of ISO/IEC 27019:2017 has been approved by CEN as EN ISO/IEC 27019:2020 without any

modification.
---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 27019:2020
---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 27019:2020
INTERNATIONAL ISO/IEC
STANDARD 27019
First edition
2017-10
Corrected version
2019-08
Information technology — Security
techniques — Information security
controls for the energy utility industry
Technologies de l'information — Techniques de sécurité — Mesures
de sécurité de l'information pour l'industrie des opérateurs de
l'énergie
Reference number
ISO/IEC 27019:2017(E)
ISO/IEC 2017
---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2017 – All rights reserved
---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)
Contents Page

Foreword ......................................................................................................................................................................................................................................vii

0 ............................................................................................................................................................................................

Introduction ............................................................................................................................................................................................................................viii

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 2

4 Structure of the document.......................................................................................................................................................................... 4

4.1 General ........................................................................................................................................................................................................... 4

4.2 Refinement of ISO/IEC 27001:2013 requirements ................................................................................................. 4

4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 ........................................ 4

5 Information security policies .................................................................................................................................................................. 4

6 Organization of information security ............................................................................................................................................. 4

6.1 Internal organization ......................................................................................................................................................................... 4

6.1.1 Information security roles and responsibilities ................................................................................... 4

6.1.2 Segregation of duties .................................................................................................................................................... 5

6.1.3 Contact with authorities ............................................................................................................................................ 5

6.1.4 Contact with special interest groups .............................................................................................................. 5

6.1.5 Information security in project management ......................................................................................... 5

6.1.6 ENR – Identification of risks related to external parties ............................................................... 5

6.1.7 ENR – Addressing security when dealing with customers .......................................................... 6

6.2 Mobile devices and teleworking .............................................................................................................................................. 6

6.2.1 Mobile device policy ..................................................................................................................................................... 6

6.2.2 Teleworking.......................................................................................................................................................................... 7

7 Human resource security ............................................................................................................................................................................ 7

7.1 Prior to employment .......................................................................................................................................................................... 7

7.1.1 Screening ................................................................................................................................................................................ 7

7.1.2 Terms and conditions of employment ........................................................................................................... 8

7.2 During employment ............................................................................................................................................................................ 8

7.2.1 Management responsibilities ................................................................................................................................ 8

7.2.2 Information security awareness, education and training ............................................................ 8

7.2.3 Disciplinary process ........................................................................................................................................... ........... 8

7.3 Termination and change of employment ......................................................................................................................... 8

8 Asset management ............................................................................................................................................................................................. 8

8.1 Responsibility for assets ................................................................................................................................................................. 8

8.1.1 Inventory of assets ......................................................................................................................................................... 8

8.1.2 Ownership of assets ...................................................................................................................................................... 9

8.1.3 Acceptable use of assets ............................................................................................................................................ 9

8.1.4 Return of assets ................................................................................................................................................................ 9

8.2 Information classification .............................................................................................................................................................. 9

8.2.1 Classification of information ................................................................................................................................ 9

8.2.2 Labelling of information .......................................................................................................................................10

8.2.3 Handling of assets ........................................................................................................................................................10

8.3 Media handling ....................................................................................................................................................................................10

9 Access control .......................................................................................................................................................................................................10

9.1 Business requirements of access control ......................................................................................................................10

9.1.1 Access control policy .................................................................................................................................................10

9.1.2 Access to networks and network services ..............................................................................................10

9.2 User access management ............................................................................................................................................................11

9.2.1 User registration and de-registration .........................................................................................................11

9.2.2 User access provisioning........................................................................................................................................11

9.2.3 Management of privileged access rights ..................................................................................................11

© ISO/IEC 2017 – All rights reserved iii
---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)

9.2.4 Management of secret authentication information of users ...................................................11

9.2.5 Review of user access rights ...............................................................................................................................11

9.2.6 Removal or adjustment of access rights ...................................................................................................11

9.3 User responsibilities .......................................................................................................................................................................11

9.3.1 Use of secret authentication information ..............................................................................................11

9.4 System and application access control ............................................................................................................................12

9.4.1 Information access restriction ..........................................................................................................................12

9.4.2 Secure log-on procedures .....................................................................................................................................12

9.4.3 Password management system ........................................................................................................................12

9.4.4 Use of privileged utility programs .................................................................................................................12

9.4.5 Access control to program source code ....................................................................................................12

10 Cryptography .......................................................................................................................................................................................................12

10.1 Cryptography controls ......... ..........................................................................................................................................................12

10.1.1 Policy on the use of cryptographic controls ..........................................................................................12

10.1.2 Key management ..........................................................................................................................................................12

11 Physical and environmental security ...........................................................................................................................................13

11.1 Secure areas ............................................................................................................................................................................................13

11.1.1 Physical security perimeter .................................................................................................................................13

11.1.2 Physical entry controls ............................................................................................................................................13

11.1.3 Securing offices, rooms and facilities ..........................................................................................................13

11.1.4 Protecting against external and environmental threats .............................................................13

11.1.5 Working in secure areas .........................................................................................................................................13

11.1.6 Delivery and loading areas ...................................................................................................................................13

11.1.7 ENR – Securing control centres ........................................................................................................................13

11.1.8 ENR – Securing equipment rooms .................................................................................................................14

11.1.9 ENR – Securing peripheral sites ......................................................................................................................15

11.2 Equipment ..............................................................................................................................................................................................16

11.2.1 Equipment siting and protection ...................................................................................................................16

11.2.2 Supporting utilities .....................................................................................................................................................16

11.2.3 Cabling security .............................................................................................................................................................16

11.2.4 Equipment maintenance ........................................................................................................................................16

11.2.5 Removal of assets .........................................................................................................................................................16

11.2.6 Security of equipment and assets off-premises .................................................................................17

11.2.7 Secure disposal or re-use of equipment ...................................................................................................17

11.2.8 Unattended user equipment ...............................................................................................................................17

11.2.9 Clear desk and clear screen policy ................................................................................................................17

11.3 ENR – Security in premises of external parties .......................................................................................................17

11.3.1 ENR – Equipment sited on the premises of other energy utility organizations .....17

11.3.2 ENR – Equipment sited on customer’s premises ..............................................................................18

11.3.3 ENR – Interconnected control and communication systems .................. ................................18

12 Operations security ........................................................................................................................................................................................18

12.1 Operational procedures and responsibilities ............................................................................................................18

12.1.1 Documented operating procedures ..............................................................................................................18

12.1.2 Change management .................................................................................................................................................19

12.1.3 Capacity management ..............................................................................................................................................19

12.1.4 Separation of development, testing and operational environments ..............................19

12.2 Protection from malware ...........................................................................................................................................................19

12.2.1 Controls against malware ......................................................................................................................................19

12.3 Back-up .......................................................................................................................................................................................................20

12.4 Logging and monitoring ...............................................................................................................................................................20

12.4.1 Event logging ....................................................................................................................................................................20

12.4.2 Protection of log information .............................................................................................................................20

12.4.3 Administrator and operator logs ....................................................................................................................20

12.4.4 Clock synchronization ..............................................................................................................................................20

12.5 Control of operational software ............................................................................................................................................20

12.5.1 Installation of software on operational systems ...............................................................................20

12.6 Technical vulnerability management ...............................................................................................................................21

iv © ISO/IEC 2017 – All rights reserved
---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)

12.6.1 Management of technical vulnerabilities.................................................................................................21

12.6.2 Restrictions on software installation ..........................................................................................................21

12.7 Information systems audit considerations ..................................................................................................................21

12.8 ENR – Legacy systems ....................................................................................................................................................................21

12.8.1 ENR – Treatment of legacy systems .............................................................................................................21

12.9 ENR – Safety functions ..................................................................................................................................................................22

12.9.1 ENR – Integrity and availability of safety functions .......................................................................22

13 Communications security ........................................................................................................................................................................22

13.1 Network security management .............................................................................................................................................22

13.1.1 Network controls ..........................................................................................................................................................22

13.1.2 Security of network services ..............................................................................................................................22

13.1.3 Segregation in networks ........................................................................................................................................22

13.1.4 ENR – Securing process control data communication .................................................................23

13.1.5 ENR – Logical connection of external process control systems ...........................................23

13.2 Information transfer ......................................................................................................................................................................24

14 System acquisition, development and maintenance ....................................................................................................24

14.1 Security requirements of information systems .......................................................................................................24

14.1.1 Information security requirements analysis and specification ............................................24

14.1.2 Securing application services on public networks ..........................................................................24

14.1.3 Protecting application services transactions .......................................................................................24

14.2 Security in development and support processes ...................................................................................................24

14.2.1 Secure development policy ..................................................................................................................................24

14.2.2 System change control procedures ...............................................................................................................24

14.2.3 Technical review of applications after operating platform changes ................................24

14.2.4 Restrictions on changes to software packages ...................................................................................24

14.2.5 Secure system engineering principles........................................................................................................24

14.2.6 Secure development environment ................................................................................................................24

14.2.7 Outsourced development ...........................................................................................................................

...

SLOVENSKI STANDARD
SIST EN ISO/IEC 27019:2020
01-maj-2020

Informacijska tehnologija - Varnostne tehnike - Kontrole informacijske varnosti za

energetske operaterje (ISO/IEC 27019:2017, popravljena verzija 2019-08)

Information technology - Security techniques - Information security controls for the

energy utility industry (ISO/IEC 27019:2017, Corrected version 2019-08)

Informationstechnik - Sicherheitsverfahren - Informationssicherheitsmaßnahmen für die

Energieversorgung (ISO/IEC 27019:2017, korrigierte Fassung 2019-08)
Technologies de l'information - Techniques de sécurité - Mesures de sécurité de

l'information pour l'industrie des opérateurs de l'énergie (ISO/IEC 27019:2017, Version

corrigée 2019-08)
Ta slovenski standard je istoveten z: EN ISO/IEC 27019:2020
ICS:
03.100.70 Sistemi vodenja Management systems
27.010 Prenos energije in toplote na Energy and heat transfer
splošno engineering in general
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 27019:2020 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 27019:2020
---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 27019:2020
EUROPEAN STANDARD
EN ISO/IEC 27019
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 03.100.70
English version
Information technology - Security techniques - Information
security controls for the energy utility industry (ISO/IEC
27019:2017, Corrected version 2019-08)

Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -

- Mesures de sécurité de l'information pour l'industrie Informationssicherheitsmaßnahmen für die

des opérateurs de l'énergie (ISO/IEC 27019:2017, Energieversorgung (ISO/IEC 27019:2017, korrigierte

Version corrigée 2019-08) Fassung 2019-08)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for

giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical

references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to

any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC

Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,

Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels

© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27019:2020 E

reserved worldwide for CEN national Members and for
CENELEC Members.
---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 27019:2020
EN ISO/IEC 27019:2020 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 27019:2020
EN ISO/IEC 27019:2020 (E)
European foreword

The text of ISO/IEC 27019:2017 has been prepared by Technical Committee ISO/IEC JTC 1 "Information

technology” of the International Organization for Standardization (ISO) and has been taken over as

EN ISO/IEC 27019:2020 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”

the secretariat of which is held by DIN.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by September 2020, and conflicting national standards

shall be withdrawn at the latest by September 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,

Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of

North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the

United Kingdom.
Endorsement notice

The text of ISO/IEC 27019:2017 has been approved by CEN as EN ISO/IEC 27019:2020 without any

modification.
---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 27019:2020
---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 27019:2020
INTERNATIONAL ISO/IEC
STANDARD 27019
First edition
2017-10
Corrected version
2019-08
Information technology — Security
techniques — Information security
controls for the energy utility industry
Technologies de l'information — Techniques de sécurité — Mesures
de sécurité de l'information pour l'industrie des opérateurs de
l'énergie
Reference number
ISO/IEC 27019:2017(E)
ISO/IEC 2017
---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2017 – All rights reserved
---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)
Contents Page

Foreword ......................................................................................................................................................................................................................................vii

0 ............................................................................................................................................................................................

Introduction ............................................................................................................................................................................................................................viii

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 2

4 Structure of the document.......................................................................................................................................................................... 4

4.1 General ........................................................................................................................................................................................................... 4

4.2 Refinement of ISO/IEC 27001:2013 requirements ................................................................................................. 4

4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 ........................................ 4

5 Information security policies .................................................................................................................................................................. 4

6 Organization of information security ............................................................................................................................................. 4

6.1 Internal organization ......................................................................................................................................................................... 4

6.1.1 Information security roles and responsibilities ................................................................................... 4

6.1.2 Segregation of duties .................................................................................................................................................... 5

6.1.3 Contact with authorities ............................................................................................................................................ 5

6.1.4 Contact with special interest groups .............................................................................................................. 5

6.1.5 Information security in project management ......................................................................................... 5

6.1.6 ENR – Identification of risks related to external parties ............................................................... 5

6.1.7 ENR – Addressing security when dealing with customers .......................................................... 6

6.2 Mobile devices and teleworking .............................................................................................................................................. 6

6.2.1 Mobile device policy ..................................................................................................................................................... 6

6.2.2 Teleworking.......................................................................................................................................................................... 7

7 Human resource security ............................................................................................................................................................................ 7

7.1 Prior to employment .......................................................................................................................................................................... 7

7.1.1 Screening ................................................................................................................................................................................ 7

7.1.2 Terms and conditions of employment ........................................................................................................... 8

7.2 During employment ............................................................................................................................................................................ 8

7.2.1 Management responsibilities ................................................................................................................................ 8

7.2.2 Information security awareness, education and training ............................................................ 8

7.2.3 Disciplinary process ........................................................................................................................................... ........... 8

7.3 Termination and change of employment ......................................................................................................................... 8

8 Asset management ............................................................................................................................................................................................. 8

8.1 Responsibility for assets ................................................................................................................................................................. 8

8.1.1 Inventory of assets ......................................................................................................................................................... 8

8.1.2 Ownership of assets ...................................................................................................................................................... 9

8.1.3 Acceptable use of assets ............................................................................................................................................ 9

8.1.4 Return of assets ................................................................................................................................................................ 9

8.2 Information classification .............................................................................................................................................................. 9

8.2.1 Classification of information ................................................................................................................................ 9

8.2.2 Labelling of information .......................................................................................................................................10

8.2.3 Handling of assets ........................................................................................................................................................10

8.3 Media handling ....................................................................................................................................................................................10

9 Access control .......................................................................................................................................................................................................10

9.1 Business requirements of access control ......................................................................................................................10

9.1.1 Access control policy .................................................................................................................................................10

9.1.2 Access to networks and network services ..............................................................................................10

9.2 User access management ............................................................................................................................................................11

9.2.1 User registration and de-registration .........................................................................................................11

9.2.2 User access provisioning........................................................................................................................................11

9.2.3 Management of privileged access rights ..................................................................................................11

© ISO/IEC 2017 – All rights reserved iii
---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)

9.2.4 Management of secret authentication information of users ...................................................11

9.2.5 Review of user access rights ...............................................................................................................................11

9.2.6 Removal or adjustment of access rights ...................................................................................................11

9.3 User responsibilities .......................................................................................................................................................................11

9.3.1 Use of secret authentication information ..............................................................................................11

9.4 System and application access control ............................................................................................................................12

9.4.1 Information access restriction ..........................................................................................................................12

9.4.2 Secure log-on procedures .....................................................................................................................................12

9.4.3 Password management system ........................................................................................................................12

9.4.4 Use of privileged utility programs .................................................................................................................12

9.4.5 Access control to program source code ....................................................................................................12

10 Cryptography .......................................................................................................................................................................................................12

10.1 Cryptography controls ......... ..........................................................................................................................................................12

10.1.1 Policy on the use of cryptographic controls ..........................................................................................12

10.1.2 Key management ..........................................................................................................................................................12

11 Physical and environmental security ...........................................................................................................................................13

11.1 Secure areas ............................................................................................................................................................................................13

11.1.1 Physical security perimeter .................................................................................................................................13

11.1.2 Physical entry controls ............................................................................................................................................13

11.1.3 Securing offices, rooms and facilities ..........................................................................................................13

11.1.4 Protecting against external and environmental threats .............................................................13

11.1.5 Working in secure areas .........................................................................................................................................13

11.1.6 Delivery and loading areas ...................................................................................................................................13

11.1.7 ENR – Securing control centres ........................................................................................................................13

11.1.8 ENR – Securing equipment rooms .................................................................................................................14

11.1.9 ENR – Securing peripheral sites ......................................................................................................................15

11.2 Equipment ..............................................................................................................................................................................................16

11.2.1 Equipment siting and protection ...................................................................................................................16

11.2.2 Supporting utilities .....................................................................................................................................................16

11.2.3 Cabling security .............................................................................................................................................................16

11.2.4 Equipment maintenance ........................................................................................................................................16

11.2.5 Removal of assets .........................................................................................................................................................16

11.2.6 Security of equipment and assets off-premises .................................................................................17

11.2.7 Secure disposal or re-use of equipment ...................................................................................................17

11.2.8 Unattended user equipment ...............................................................................................................................17

11.2.9 Clear desk and clear screen policy ................................................................................................................17

11.3 ENR – Security in premises of external parties .......................................................................................................17

11.3.1 ENR – Equipment sited on the premises of other energy utility organizations .....17

11.3.2 ENR – Equipment sited on customer’s premises ..............................................................................18

11.3.3 ENR – Interconnected control and communication systems .................. ................................18

12 Operations security ........................................................................................................................................................................................18

12.1 Operational procedures and responsibilities ............................................................................................................18

12.1.1 Documented operating procedures ..............................................................................................................18

12.1.2 Change management .................................................................................................................................................19

12.1.3 Capacity management ..............................................................................................................................................19

12.1.4 Separation of development, testing and operational environments ..............................19

12.2 Protection from malware ...........................................................................................................................................................19

12.2.1 Controls against malware ......................................................................................................................................19

12.3 Back-up .......................................................................................................................................................................................................20

12.4 Logging and monitoring ...............................................................................................................................................................20

12.4.1 Event logging ....................................................................................................................................................................20

12.4.2 Protection of log information .............................................................................................................................20

12.4.3 Administrator and operator logs ....................................................................................................................20

12.4.4 Clock synchronization ..............................................................................................................................................20

12.5 Control of operational software ............................................................................................................................................20

12.5.1 Installation of software on operational systems ...............................................................................20

12.6 Technical vulnerability management ...............................................................................................................................21

iv © ISO/IEC 2017 – All rights reserved
---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 27019:2020
ISO/IEC 27019:2017(E)

12.6.1 Management of technical vulnerabilities.................................................................................................21

12.6.2 Restrictions on software installation ..........................................................................................................21

12.7 Information systems audit considerations ..................................................................................................................21

12.8 ENR – Legacy systems ....................................................................................................................................................................21

12.8.1 ENR – Treatment of legacy systems .............................................................................................................21

12.9 ENR – Safety functions ..................................................................................................................................................................22

12.9.1 ENR – Integrity and availability of safety functions .......................................................................22

13 Communications security ........................................................................................................................................................................22

13.1 Network security management .............................................................................................................................................22

13.1.1 Network controls ..........................................................................................................................................................22

13.1.2 Security of network services ..............................................................................................................................22

13.1.3 Segregation in networks ........................................................................................................................................22

13.1.4 ENR – Securing process control data communication .................................................................23

13.1.5 ENR – Logical connection of external process control systems ...........................................23

13.2 Information transfer ......................................................................................................................................................................24

14 System acquisition, development and maintenance ....................................................................................................24

14.1 Security requirements of information systems .......................................................................................................24

14.1.1 Information security requirements analysis and specification ............................................24

14.1.2 Securing application services on public networks ..........................................................................24

14.1.3 Protecting application services transactions .......................................................................................24

14.2 Security in development and support processes ...................................................................................................24

14.2.1 Secure development policy ..................................................................................................................................24

14.2.2 System change control procedures ...............................................................................................................24

14.2.3 Technical review of applications after operating platform changes ................................24

14.2.4 Restrictions on changes to software packages ...................................................................................24

14.2.5 Secure system engineering principles........................................................................................................24

14.2.6 Secure development environment ................................................................................................................24

14.2.7 Outsourced development .............................................................................................................................

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.