BS PD ISO IEC TR 27023-2015 Information technology Security techniques Mapping the revised editions of ISO IEC 27001 and ISO IEC 27002《信息技术 安全技术 映射ISO IEC 27001和ISO IEC 27002的修订版》.pdf

1、BSI Standards Publication PD ISO/IEC TR 27023:2015 Information technology Security techniques Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002PD ISO/IEC TR 27023:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC TR 27023:2015. The UK par

2、ticipation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are r

3、esponsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 87610 3 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the S

4、tandards Policy and Strategy Committee on 31 July 2015. Amendments issued since publication Date Text affectedPD ISO/IEC TR 27023:2015 Information technology Security techniques Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 Technologies de linformation Techniques de scurit Mappage

5、des dtions rvises de lISO/IEC 27001 et de lISO/IEC 27002 TECHNICAL REPORT ISO/IEC TR 27023 First edition 2015-07-01 Reference number ISO/IEC TR 27023:2015(E) ISO/IEC 2015 PD ISO/IEC TR 27023:2015ii ISO/IEC 2015 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland A

6、ll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested

7、from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC TR 27023:2015(E)PD ISO/IEC TR 27023:2015ISO/I

8、EC TR 27023:2015(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Comparison between revised editions of ISO/IEC 27001 1 5 Comparison between revised editions of ISO/IEC 27002 8 5.1 Comparison between ISO/IEC 27002:2005 and ISO/IEC 27002:2013 . 8 5.2 C

9、omparison between ISO/IEC 27002:2013 and ISO/IEC 27002:2005 14 ISO/IEC 2015 All rights reserved iii Contents PagePD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the special

10、ized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical comm

11、ittees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedu

12、res used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules

13、 of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights

14、 identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an expla

15、nation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplementary information. The committee responsible for this docu

16、ment is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.iv ISO/IEC 2015 All rights reservedPD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) Introduction Both standards, ISO/IEC 27001 and ISO/IEC 27002, have been revised as part of the normal standards maintenance process, and th

17、e results of this revision process are contained in ISO/IEC 27001:2013 and ISO/IEC 27002:2013. This Technical Report contains the following tables: Clause 4, Table 1 Comparison between ISO/IEC 27001:2013 and ISO/IEC 27001:2005; Clause 5, Table 2 Comparison between ISO/IEC 27002:2005 and ISO/IEC 2700

18、2:2013; Clause 5, Table 3 Comparison between ISO/IEC 27002:2013 and ISO/IEC 27002:2005. These tables can be used to determine where requirements or controls in the old standards went, or where requirements or controls in the new standards have come from. Where a relationship is stated, it does not m

19、ean that the content is identical. This Technical Report is designed to provide a factual correspondence between the old and new editions of ISO/IEC 27001 and ISO/IEC 27002 respectively, and so by intention it does not provide any explanatory commentary on why a change has been made or the significa

20、nce of the change. Users of this Technical Report need to evaluate the significance of the changes in context with regard to their particular application and implementation of the revised editions of these standards. For ISO/IEC 27002, the comparison was based on control objectives, controls, and im

21、plementation guidance. ISO/IEC 2015 All rights reserved vPD ISO/IEC TR 27023:2015PD ISO/IEC TR 27023:2015Information technology Security techniques Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 1 Scope The purpose of this Technical Report is to show the corresponding relationship b

22、etween the revised versions of ISO/IEC 27001 and ISO/IEC 27002. This Technical Report will be useful to all users migrating from the 2005 to the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. 2 Normative references The following referenced documents are indispensable for the application of this d

23、ocument. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000:2014, Information technology Security techniques Information security management systems Overview and vocabulary ISO/

24、IEC 27001:2013, Information technology Security techniques Information security management systems Requirements ISO/IEC 27002:2013, Information technology Security techniques Code of practice for information security controls 3 T erms a nd definiti ons For the purposes of this document, the terms an

25、d definitions contained in ISO/IEC 27000:2014 apply. 4 Comparison between revised editions of ISO/IEC 27001 Table 1 Comparison between ISO/IEC 27001:2013 and ISO/IEC 27001:2005 ISO/IEC 27001:2013 ISO/IEC 27001:2005 4.1 Understanding the organization and its context 8.3 Preventive action 4.2 a) Under

26、standing the needs and expecta- tions of interested parties New requirement 4.2 b) Understanding the needs and expecta- tions of interested parties 5.2.1 c) Provision of resources 7.3 c) 4) Review output 7.3 c) 5) Review output 4.3 Determining the scope of the informa- tion security management syste

27、m 4.2.1 a) Establish the ISMS 4.3 a) Determining the scope of the informa- tion security management system 4.2.1 a) Establish the ISMS 4.2.3 f) Monitor and review the ISMS 4.3 b) Determining the scope of the informa- tion security management system 4.2.3 f) Monitor and review the ISMS TECHNICAL REPO

28、RT ISO/IEC TR 27023:2015(E) ISO/IEC 2015 All rights reserved 1PD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27001:2005 4.3 c) Determining the scope of the informa- tion security management system New requirement 4.3 Determining the scope of the infor- mation security ma

29、nagement system Last sentence 4.3.1 b) General 4.3.2 f) Control of documents 4.4 Information security management system 4.1 General requirements 5.2.1 a) Provision of resources 5.1 a) Leadership and commitment 4.2.1 b) 3) Establish the ISMS 5.1 a), b) Management commitment 5.1 b) Leadership and comm

30、itment New requirement 5.1 c) Leadership and commitment 5.1 e) Management commitment 5.1 d) Leadership and commitment 5.1 d) Management commitment 5.1 e) Leadership and commitment 5.1 b), g), h) Management commitment 5.1 f) Leadership and commitment 5.1 b), g), h) Management commitment 5.1 g) Leader

31、ship and commitment 5.1 a), d), g), h) Management commitment 5.1 h) Leadership and commitment 5.1 Management commitment 5.2 Policy First sentence 4.2.1 b) 5) Establish the ISMS 5.1 a) Management commitment 5.2 a) Policy 4.2.1 b) Establish the ISMS 5.2 b) Policy 4.2.1 b) 1) Establish the ISMS 5.2 c)

32、Policy 4.2.1 b) 2) Establish the ISMS Policy 4.3.3 Control of records 5.2 d) Policy 5.1 d) Management commitment 5.2 e) Policy 4.3.1 a) General 5.2 f) Policy 5.1 d) Management commitment 5.2 g) Policy 4.3.2 f) Control of documents 5.3 Organizational roles, responsibilities and authorities First sent

33、ence 5.1 c) Management commitment 6 Internal ISMS audits 5.3 a) Organizational roles, responsibilities and authorities 4.3.3 Control of records 5.1 c) Management commitment 6 Internal ISMS audits 5.3 b) Organizational roles, responsibilities and authorities 4.3.3 Control of records 5.1 c) Management

34、 commitment 6 Internal ISMS audits 6.1.1 Actions to address risks and opportu- nities General 4.2.1 d) Establish the ISMS 8.3 a) Preventive action 6.1.1 a) Actions to address risks and opportu- nities General New requirementTable 1 (continued) 2 ISO/IEC 2015 All rights reservedPD ISO/IEC TR 27023:20

35、15ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27001:2005 6.1.1 b) Actions to address risks and opportu- nities General New requirement 6.1.1 c) Actions to address risks and opportu- nities General New requirement 6.1.1 d) Actions to address risks and opportu- nities General 4.2.1 e) 4) Estab

36、lish the ISMS Actions to address risks and opportu- nities General 8.3 b), c) Preventive action 6.1.1 e) 1) Actions to address risks and opportu- nities General 4.2.2 a) Implement and operate the ISMS Actions to address risks and opportu- nities General 8.3 c) Preventive action 6.1.1 e) 2) Actions t

37、o address risks and opportu- nities General 8.3 e) Preventive action 6.1.2 Information security risk assessment First sentence 4.2.1 c) 1) Establish the ISMS 6.1.2 a) Information security risk assessment New requirement 6.1.2 a) 1) Information security risk assessment 4.2.1 b) 4), c) 2 Establish the

38、 ISMS Information security risk assessment 5.1 f) Management commitment 6.1.2 a) 2) Information security risk assessment New requirement 6.1.2 b) Information security risk assessment 4.2.1 c) Establish the ISMS 6.1.2 c) Information security risk assessment 4.2.1 d) Establish the ISMS 6.1.2 c) 1) Inf

39、ormation security risk assessment 4.2.1 d) 1), 2), 3), 4) Establish the ISMS 6.1.2 c) 2) Information security risk assessment 4.2.1 d) 1) Establish the ISMS 6.1.2 d) 1) Information security risk assessment 4.2.1 e) 1) Establish the ISMS 6.1.2 d) 2) Information security risk assessment 4.2.1 e) 2) Es

40、tablish the ISMS 6.1.2 d) 3) Information security risk assessment 4.2.1 e) 3) Establish the ISMS 6.1.2 e) 1) Information security risk assessment 4.2.1 e) 4) Establish the ISMS 6.1.2 e) 2) Information security risk assessment 4.2.1 e) 4) Establish the ISMS 6.1.2 Information security risk assessment-

41、 Last sentence 4.3.1 d), e) General 6.1.3 Information security risk treatment 4.2.1 f) Establish the ISMS 6.1.3 a) Information security risk treatment 4.2.1 f) 1), 2), 3), 4) Establish the ISMS 6.1.3 b) Information security risk treatment 4.2.1 g) Establish the ISMS 6.1.3 c) Information security ris

42、k treatment New requirement 6.1.3 d) Information security risk treatment 4.2.1 j) 1), 2), 3) Establish the ISMS Information security risk treatment 4.3.1 i) General 6.1.3 e) Information security risk treatment 4.2.2 a) Implement and operate the ISMS 6.1.3 f) Information security risk treatment 4.2.1

43、 h) Establish the ISMSTable 1 (continued) ISO/IEC 2015 All rights reserved 3PD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27001:2005 6.1.3 Information security risk treatment- Last sentence 4.3.1 f) General 6.2 Information security objectives and plans to achieve them-F

44、irst sentence 5.1 b) Management commitment 6.2 a) Information security objectives and plans to achieve them 5.1 d) Management commitment 6.2 b) Information security objectives and plans to achieve them New requirement 6.2 c) Information security objectives and plans to achieve them New requirement 6

45、.2 d) Information security objectives and plans to achieve them 5.1 d) Management commitment 6.2 e) Information security objectives and plans to achieve them 4.2.3 b) Monitor and review the ISMS 6.2 Information security objectives and plans to achieve them-Last sentence 4.3.1 a) General 6.2 f) Infor

46、mation security objectives and plans to achieve them New requirement 6.2 g) Information security objectives and plans to achieve them New requirement 6.2 h) Information security objectives and plans to achieve them New requirement 6.2 i) Information security objectives and plans to achieve them New

47、requirement 6.2 j) Information security objectives and plans to achieve them 4.2.3 b) Monitor and review the ISMS 7.1 Resources 4.2.2 b), g) Implement and operate the ISMS 5.2.1 Provision of resources 7.2 a) Competence 5.2.2 a) Training, awareness and competence 7.2 b) Competence 5.2.2 Training, awa

48、reness and competence 7.2 c) Competence 5.2.2 b), c) Training, awareness and competence 7.2 d) Competence 5.2.2 d) Training, awareness and competence 7.3 a) Awareness New requirement 7.3 b) Awareness 4.2.2 e) Implement and operate the ISMS 5.2.2 Training, awareness and competence 7.3 c) Awareness 4.

49、2.2 e) Implement and operate the ISMS 5.2.2 Training, awareness and competence 7.4 Communication-First sentence 4.2.4 c) Maintain and improve the ISMS 5.1 d) Management commitment 7.4 a) Communication 4.2.4 c) Maintain and improve the ISMS 5.1 d) Management commitment 7.4 b) Communication New requirementTable 1 (continued) 4 ISO/IEC 2015 All rights reservedPD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27