International Standard: ISO/IEC 27001


INTERNATIONAL STANDARD

ISO/IEC 27001 Second edition 2013-10-01

Information technology — Security techniques — Information security management systems — Requirements Technologies de l’information — Techniques de sécurité — Systèmes de management de la sécurité de l’information — Exigences

Reference number ISO/IEC 27001:2013(E)

© ISO/IEC 2013

ISO/IEC 27001:2013(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2013

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

© ISO/IEC 2013 – All rights reserved

Contents

Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.

0 Introduction

0.1 General

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization's ability to meet the organization's own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0.2 Compatibility with other management system standards

This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.

Information technology — Security techniques — Information security management systems — Requirements

1 Scope

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

a) interested parties that are relevant to the information security management system; and

b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;

b) ensuring the integration of the information security management system requirements into the organization's processes;

c) ensuring that the resources needed for the information security management system are available;

d) communicating the importance of effective information security management and of conforming to the information security management system requirements;

e) ensuring that the information security management system achieves its intended outcome(s);

f) directing and supporting persons to contribute to the effectiveness of the information security management system;

g) promoting continual improvement; and

h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

Top management shall establish an information security policy that:

a) is appropriate to the purpose of the organization;

b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;

c) includes a commitment to satisfy applicable requirements related to information security; and

d) includes a commitment to continual improvement of the information security management system.

The information security policy shall:

e) be available as documented information;

f) be communicated within the organization; and

g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:

a) ensuring that the information security management system conforms to the requirements of this International Standard; and

b) reporting on the performance of the information security management system to top management.

NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects; and

c) achieve continual improvement.

The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to

1) integrate and implement the actions into its information security management system processes; and

2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:

1) the risk acceptance criteria; and

2) criteria for performing information security risk assessments;

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;

c) identifies the information security risks:

1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

2) identify the risk owners;

d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

3) determine the levels of risk;

e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;

e) formulate an information security risk treatment plan; and

f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].


6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:

a) be consistent with the information security policy;

b) be measurable (if practicable);

c) take into account applicable information security requirements, and results from risk assessment and risk treatment;

d) be communicated; and

e) be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:

f) what will be done;

g) what resources will be required;

h) who will be responsible;

i) when it will be completed; and

j) how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence

The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;

b) ensure that these persons are competent on the basis of appropriate education, training, or experience;

c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and

d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization's control shall be aware of:

a) the information security policy;

b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system requirements.

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the information security management system including:

a) on what to communicate;

b) when to communicate;

c) with whom to communicate;

d) who shall communicate; and

e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General

The organization's information security management system shall include:

a) documented information required by this International Standard; and

b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.

NOTE The extent of documented information for an information security management system can differ from one organization to another due to:

1) the size of organization and its type of activities, processes, products and services;

2) the complexity of processes and their interactions; and

3) the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and

c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed; and

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

c) distribution, access, retrieval and use;

d) storage and preservation, including the preservation of legibility;

e) control of changes (e.g. version control); and

f) retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall evaluate the information security performance and the effectiveness of the information security management system.

The organization shall determine:

a) what needs to be monitored and measured, including information security processes and controls;

b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

NOTE The methods selected should produce comparable and reproducible results to be considered valid.

c) when the monitoring and measuring shall be performed;

d) who shall monitor and measure;

e) when the results from monitoring and measurement shall be analysed and evaluated; and

f) who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

1) the organization's own requirements for its information security management system; and

2) the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management; and

g) retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management review

Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the information security management system;

c) feedback on the information security performance, including trends in:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) audit results; and

4) fulfilment of information security objectives;

d) feedback from interested parties;

e) results of risk assessment and status of risk treatment plan; and

f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable:

1) take action to control and correct it; and

2) deal with the consequences;

b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:

1) reviewing the nonconformity;

2) determining the causes of the nonconformity; and

3) determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken; and

e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

f) the nature of the nonconformities and any subsequent actions taken, and

g) the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

Annex A
(normative)

Reference control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2013[1], Clauses 5 to 18 and are to be used in context with Clause 6.1.3.

Table A.1 — Control objectives and controls

A.5 Information security policies

A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

A.6 Organization of information security

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.

A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.

A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

A.7 Human resource security

A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

A.8 Asset management

A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

A.8.2.2 Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A.9 Access control

A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.

A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.

A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

A.11 Physical and environmental security

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

A.11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.11.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.

A.11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

A.11.1.5 Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

A.11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.

A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

A.11.2.7 Secure disposal or re-use of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

A.11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.12 Operations security

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.

A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

A.12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup
Objective: To protect against loss of data.

A.12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

A.12.4.4 Clock synchronisation
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations
Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

A.13 Communications security

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.

A.13.2.4 Confidentiality or non-disclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1 Information security requirements analysis and specification
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

A.14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

A.14.2.5 Secure system engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

A.14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.8 System security testing
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
Control: Test data shall be selected carefully, protected and controlled.

A.15 Supplier relationships

A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that is accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.2 Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.

A.15.1.3 Information and communication technology supply chain
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.

A.15.2.2 Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

A.16.1.2 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.

A.16.1.3 Reporting information security weaknesses
Control: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

A.16.1.4 Assessment of and decision on information security events
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.

A.16.1.6 Learning from information security incidents
Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

A.16.1.7 Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.1.1 Planning information security continuity
Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

A.17.1.2 Implementing information security continuity
Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

A.17.1.3 Verify, review and evaluate information security continuity
Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements
Control: All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

A.18.1.2 Intellectual property rights
Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

A.18.1.3 Protection of records
Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

A.18.1.4 Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

A.18.1.5 Regulation of cryptographic controls
Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security
Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

A.18.2.2 Compliance with security policies and standards
Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

A.18.2.3 Technical compliance review
Control: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

Bibliography

[1] ISO/IEC 27002:2013, Information technology — Security Techniques — Code of practice for information security controls

[2] ISO/IEC 27003, Information technology — Security techniques — Information security management system implementation guidance

[3] ISO/IEC 27004, Information technology — Security techniques — Information security management — Measurement

[4] ISO/IEC 27005, Information technology — Security techniques — Information security risk management

[5] ISO 31000:2009, Risk management — Principles and guidelines

[6] ISO/IEC Directives, Part 1, Consolidated ISO Supplement — Procedures specific to ISO, 2012

ICS 35.040