BS ISO IEC 27035-1-2016 Information technology Security techniques Information security incident management Principles of incident management《信息技术 安全技术 信息安全事件管理 事件管理原则》.pdf

1、BS ISO/IEC 27035-1:2016 Information technology Security techniques Information security incident management Part 1: Principles of incident management BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 27035-1:2016 BRITISH STANDARD National foreword The UK pa

2、rticipation in its preparation was entrusted to Technical Committee IST/33/4, Security Controls and Services. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Us

3、ers are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 79888 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority

4、 of the Standards Policy and Strategy Committee on 30 November 2016. Amendments/corrigenda issued since publication Date Text affected This British Standard is the UK implementation of ISO/IEC 27035-1:2016. Together with BS ISO/IEC 27035-2:2016, it supersedes BS ISO/IEC 27035:2011 which is withdrawn

5、.BS ISO/IEC 27035-1:2016 Information technology Security techniques Information security incident management Part 1: Principles of incident management Technologies de linformation Techniques de scurit Gestion des incidents de scurit de linformation Partie 1: Principes de la gestion des incidents INT

6、ERNATIONAL STANDARD ISO/IEC 27035-1 Reference number ISO/IEC 27035-1:2016(E) First edition 2016- 11-01 ISO/IEC 2016 BS ISO/IEC 27035-1:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part

7、of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body

8、 in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27035-1:2016(E)BS ISO/IEC 27035-1:2016ISO/IEC 27035-1:2016(E)Foreword iv Introduction v 1 Scope . 1 2

9、 Normative references 1 3 T erms and definitions . 1 4 Overview . 2 4.1 Basic concepts and principles 2 4.2 Objectives of incident management 3 4.3 Benefits of a structured approach 5 4.4 Adaptability . 6 5 Phases 6 5.1 Overview 6 5.2 Plan and Prepare . 9 5.3 Detection and Reporting . 9 5.4 Assessme

10、nt and Decision 10 5.5 Responses .11 5.6 Lessons Learnt .12 Annex A (informative) Relationship to investigative standards .13 Annex B (informative) Examples of information security incidents and their causes 16 Annex C (informative) Cross reference table of ISO/IEC 27001 to ISO/IEC 27035 19 Bibliogr

11、aphy .21 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 27035-1:2016ISO/IEC 27035-1:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodi

12、es that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other i

13、nternational organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for

14、 its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/dire

15、ctives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will

16、be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressi

17、ons related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information

18、 technology, SC 27, IT Security techniques. This first edition of ISO/IEC 27035-1, together with ISO/IEC 27035-2, cancels and replaces ISO/IEC 27035:2011, which has been technically revised. ISO/IEC 27035 consists of the following parts, under the general title Information technology Security techni

19、ques Information security incident management: Part 1: Principles of incident management Part 2: Guidelines to plan and prepare for incident response Further parts may follow.iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27035-1:2016ISO/IEC 27035-1:2016(E) Introduction Information security policies

20、or controls alone will not guarantee total protection of information, information systems, services or networks. After controls have been implemented, residual vulnerabilities are likely to remain that can reduce the effectiveness of information security and facilitate the occurrence of information

21、security incidents. This can potentially have direct and indirect adverse impacts on an organizations business operations. Furthermore, it is inevitable that new instances of previously unidentified threats will occur. Insufficient preparation by an organization to deal with such incidents will make

22、 any response less effective, and increase the degree of potential adverse business impact. Therefore, it is essential for any organization desiring a strong information security program to have a structured and planned approach to: detect, report and assess information security incidents; respond t

23、o information security incidents, including the activation of appropriate controls to prevent, reduce, and recover from impacts; report information security vulnerabilities, so they can be assessed and dealt with appropriately; learn from information security incidents and vulnerabilities, institute

24、 preventive controls, and make improvements to the overall approach to information security incident management. For the purpose of achieving this planned approach, ISO/IEC 27035 provides guidance on aspects of information security incident management in the following corresponding parts. ISO/IEC 27

25、035-1, Principles of incident management (this document), presents basic concepts and phases of information security incident management, and how to improve incident management. This part combines these concepts with principles in a structured approach to detecting, reporting, assessing, and respond

26、ing to incidents, and applying lessons learnt. ISO/IEC 27035-2, Guidelines to plan and prepare for incident response, describes how to plan and prepare for incident response. This part covers the “Plan and Prepare” and “Lessons Learnt” phases of the model presented in ISO/IEC 27035-1. ISO/IEC 27035

27、is intended to complement other standards and documents that give guidance on the investigation of, and preparation to investigate, information security incidents. ISO/IEC 27035 is not a comprehensive guide, but a reference for certain fundamental principles that are intended to ensure that tools, t

28、echniques and methods can be selected appropriately and shown to be fit for purpose should the need arise. While ISO/IEC 27035 encompasses the management of information security incidents, it also covers some aspects of information security vulnerabilities. Guidance on vulnerability disclosure and v

29、ulnerability handling by vendors is provided in ISO/IEC 29147 and ISO/IEC 30111, respectively. ISO/IEC 27035 also intends to inform decision-makers that need to determine the reliability of digital evidence presented to them. It is applicable to organizations needing to protect, analyse and present

30、potential digital evidence. It is relevant to policy-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence. Further information about investigative standards is available in Annex A. ISO/IEC 2016 All rights reserved vBS ISO/IEC 270

31、35-1:2016BS ISO/IEC 27035-1:2016Information technology Security techniques Information security incident management Part 1: Principles of incident management 1 Scope This part of ISO/IEC 27035 is the foundation of this multipart International Standard. It presents basic concepts and phases of inform

32、ation security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt. The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all or

33、ganizations, regardless of type, size or nature. Organizations can adjust the guidance given in this part of ISO/IEC 27035 according to their type, size and nature of business in relation to the information security risk situation. This part of ISO/IEC 27035 is also applicable to external organizati

34、ons providing information security incident management services. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, t

35、he latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary ISO/IEC 27035-2, Information technology Security techniques Information security incident managem

36、ent Part 2: Guidelines to plan and prepare for incident response 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses

37、: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /www.iso.org/obp 3.1 information security investigation application of examinations, analysis and interpretation to aid understanding of an information security incident (3.4) SOURCE: ISO

38、/IEC 27042, 3.10, modified The phrase “an incident” was replaced by “an information security incident”. INTERNATIONAL ST ANDARD ISO/IEC 27035-1:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 27035-1:2016ISO/IEC 27035-1:2016(E) 3.2 incident response team IRT team of appropriately skilled and tr

39、usted members of the organization that handles incidents during their lifecycle Note 1 to entry: CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team) are commonly used terms for IRT. 3.3 information security event occurrence indicating a possible breach of inf

40、ormation security or failure of controls 3.4 information security incident one or multiple related and identified information security events (3.3) that can harm an organizations assets or compromise its operations 3.5 information security incident management exercise of a consistent and effective a

41、pproach to the handling of information security incidents (3.4) 3.6 incident handling actions of detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (3.4) 3.7 incident response actions taken to mitigate or resolve an information security inc

42、ident (3.4), including those taken to protect and restore the normal operational conditions of an information system and the information stored in it 3.8 point of contact PoC defined organizational function or role serving as the coordinator or focal point of information concerning incident manageme

43、nt activities 4 Overview 4.1 Basic concepts and principles An information security event is an occurrence indicating a possible breach of information security or failure of controls. An information security incident is one or multiple related and identified information security events that meet esta

44、blished criteria and can harm an organizations assets or compromise its operations. The occurrence of an information security event does not necessarily mean that an attack has been successful or that there are any implications on confidentiality, integrity or availability, i.e., not all information

45、 security events are classified as information security incidents. Information security incidents can be deliberate (e.g. caused by malware or intentional breach of discipline) or accidental (e.g. caused by inadvertent human error or unavoidable acts of nature) and can be caused by technical (e.g. c

46、omputer viruses) or non-technical (e.g. loss or theft of computers) means. Consequences can include the unauthorized disclosure, modification, destruction, or unavailability of information, or the damage or theft of organizational assets that contain information. Annex B provides descriptions of sel

47、ected example information security incidents and their causes for informative purposes only. It is important to note that these examples are by no means exhaustive.2 ISO/IEC 2016 All rights reservedBS ISO/IEC 27035-1:2016ISO/IEC 27035-1:2016(E) A threat exploits vulnerabilities (weaknesses) in infor

48、mation systems, services, or networks, causing the occurrence of information security events and thus potentially causing incidents to information assets exposed by the vulnerabilities. Figure 1 shows the relationship of objects in an information security incident. Figure 1 Relationship of objects i

49、n an information security incident Information sharing and coordination with external IRTs is an important consideration. Many incidents cross organizational boundaries and cannot be easily resolved by a single IRT. Information sharing and coordination relationships or partnerships with external IRTs can greatly enhance the ability to respond to and resolve incidents. For further detail about information sharing, see ISO/IEC 27010. 4.