DIN EN ISO IEC 27002-2017 Information technology - Security techniques - Code of practice for information security controls (ISO IEC 27002 2013 including Cor 1 2014 and Cor 2 2015).pdf

1、June 2017 English price group 31No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 03.100.70; 35.030!%g%-“2680210www.d

2、in.deDIN EN ISO/IEC 27002Information technology Security techniques Code of practice for information security controls (ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015);English version EN ISO/IEC 27002:2017,English translation of DIN EN ISO/IEC 27002:2017-06Informationstechnik Sicherheitsverf

3、ahren Leitfaden fr Informationssicherheitsmanahmen (ISO/IEC 27002:2013 einschlielich Cor 1:2014 und Cor 2:2015);Englische Fassung EN ISO/IEC 27002:2017,Englische bersetzung von DIN EN ISO/IEC 27002:2017-06Technologies de linformation Techniques de scurit Code de bonne pratique pour le management de

4、la scurit de linformation (ISO/IEC 27002:2013 y compris Cor 1:2014 et Cor 2:2015);Version anglaise EN ISO/IEC 27002:2017,Traduction anglaise de DIN EN ISO/IEC 27002:2017-06SupersedesDIN ISO/IEC 27002:201611www.beuth.deDocument comprises 93 pagesDTranslation by DIN-Sprachendienst.In case of doubt, th

5、e German-language original shall be considered authoritative.06.17 DIN EN ISO/IEC 27002:2017-06 2 A comma is used as the decimal marker. National foreword ISO/IEC 27002 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology”, Subcommittee SC 27 “IT Security techniques”. Inter

6、national Standard ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015 has been adopted, unchanged, as DIN EN ISO/IEC 27002:2017. The responsible German body involved in its preparation was DIN-Normenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and

7、selected IT Applications), Working Committee NA 043-01-27 AA “IT Security Techniques”. This document has been prepared by DIN-Normenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications) in collaboration with the Swiss Association

8、for Standardization (SNV). The start and finish of text introduced or altered by Corrigendum 1 and Corrigendum 2 is indicated in the text by tags PQ and RS The DIN Standards corresponding to the International Standards referred to in this document are as follows: ISO/IEC 27000 DIN ISO/IEC 27000 ISO

9、15489-1 DIN ISO 15489-1 ISO/IEC 22301 DIN EN ISO 22301 ISO/IEC 22313 DIN EN ISO 22313 ISO/IEC 27001 DIN EN ISO/IEC 27001 ISO/IEC 27037 DIN EN ISO/IEC 27037 Amendments This standard differs from DIN ISO/IEC 27002:2016-11 as follows: a) EN ISO/IEC 27002:2017 has been adopted without modifications as a

10、 DIN EN ISO/IEC standard. Previous editions DIN ISO/IEC 27002: 2008-09, 2016-11 DIN EN ISO/IEC 27002:2017-06 3 National Annex NA (informative) Bibliography DIN EN ISO 22301, Societal security Business continuity management systems Requirements DIN EN ISO 22313, Societal security Business continuity

11、management systems Guidance DIN ISO/IEC 27001, Information technology Security techniques Information security management systems Requirements DIN EN ISO/IEC 27037, Information technology Security techniques Guidelines for identification, collection, acquisition and preservation of digital evidence

12、DIN EN ISO 15489-1, Information and documentation Records management Part 1: General DIN ISO/IEC 27000, Information technology Security techniques Information security management DIN EN ISO/IEC 27002:2017-06 4 This page is intentionally blank EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/

13、IEC 27002 February 2017 ICS 03.100.70; 35.030 English Version Information technology - Security techniques - Code of practice for information security controls (ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015) Technologies de linformation - Techniques de scurit - Code de bonne pratique pour l

14、e management de la scurit de linformation (ISO/IEC 27002:2013 y compris Cor 1:2014 et Cor 2:2015) Informationstechnik - Sicherheitsverfahren - Leitfaden fr Informationssicherheitsmanahmen (ISO/IEC 27002:2013 einschlielich Cor 1:2014 und Cor 2:2015) This European Standard was approved by CEN on 26 Ja

15、nuary 2017. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standa

16、rds may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into

17、its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,

18、 France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION E

19、UROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27002:2017 E EN ISO/IEC 27002:2017 (E) 2 Contents P

20、age European foreword . 6 Foreword 7 0 Introduction 8 1 Scope . 10 2 Normative references . 10 3 Terms and definitions 10 4 Structure of this standard . 10 4.1 Clauses 10 4.2 Control categories 10 5 Information security policies 11 5.1 Management direction for information security 11 5.1.1 Policies

21、for information security 11 5.1.2 Review of the policies for information security 12 6 Organization of information security . 13 6.1 Internal organization 13 6.1.1 Information security roles and responsibilities . 13 6.1.2 Segregation of duties 13 6.1.3 Contact with authorities 14 6.1.4 Contact with

22、 special interest groups . 14 6.1.5 Information security in project management . 15 6.2 Mobile devices and teleworking . 15 6.2.1 Mobile device policy 15 6.2.2 Teleworking . 16 7 Human resource security 18 7.1 Prior to employment . 18 7.1.1 Screening . 18 7.1.2 Terms and conditions of employment 18

23、7.2 During employment 19 7.2.1 Management responsibilities 19 7.2.2 Information security awareness, education and training . 20 7.2.3 Disciplinary process 21 7.3 Termination and change of employment 22 7.3.1 Termination or change of employment responsibilities . 22 8 Asset management . 22 8.1 Respon

24、sibility for assets 22 8.1.1 Inventory of assets . 22 8.1.2 Ownership of assets 23 8.1.3 Acceptable use of assets . 23 8.1.4 Return of assets 24 8.2 Information classification . 24 8.2.1 Classification of information 24 8.2.2 Labelling of information 25 8.2.3 Handling of assets 25 DIN EN ISO/IEC 270

25、02:2017-06 EN ISO/IEC 27002:2017 (E) 3 8.3 Media handling 26 8.3.1 Management of removable media 26 8.3.2 Disposal of media 27 8.3.3 Physical media transfer 27 9 Access control 28 9.1 Business requirements of access control . 28 9.1.1 Access control policy . 28 9.1.2 Access to networks and network s

26、ervices . 29 9.2 User access management . 30 9.2.1 User registration and de-registration . 30 9.2.2 User access provisioning 30 9.2.3 Management of privileged access rights 31 9.2.4 Management of secret authentication information of users. 31 9.2.5 Review of user access rights . 32 9.2.6 Removal or

27、adjustment of access rights . 32 9.3 User responsibilities . 33 9.3.1 Use of secret authentication information 33 9.4 System and application access control . 34 9.4.1 Information access restriction . 34 9.4.2 Secure log-on procedures 35 9.4.3 Password management system . 35 9.4.4 Use of privileged u

28、tility programs 36 9.4.5 Access control to program source code 37 10 Cryptography . 37 10.1 Cryptographic controls . 37 10.1.1 Policy on the use of cryptographic controls 37 10.1.2 Key management 38 11 Physical and environmental security 39 11.1 Secure areas 39 11.1.1 Physical security perimeter 40

29、11.1.2 Physical entry controls . 40 11.1.3 Securing offices, rooms and facilities 41 11.1.4 Protecting against external and environmental threats 41 11.1.5 Working in secure areas 42 11.1.6 Delivery and loading areas 42 11.2 Equipment . 42 11.2.1 Equipment siting and protection 43 11.2.2 Supporting

30、utilities 43 11.2.3 Cabling security . 44 11.2.4 Equipment maintenance 44 11.2.5 Removal of assets . 45 11.2.6 Security of equipment and assets off-premises . 45 11.2.7 Secure disposal or re-use of equipment . 46 11.2.8 Unattended user equipment . 46 11.2.9 Clear desk and clear screen policy . 47 12

31、 Operations security 47 12.1 Operational procedures and responsibilities 47 12.1.1 Documented operating procedures . 47 12.1.2 Change management . 48 12.1.3 Capacity management . 49 12.1.4 Separation of development, testing and operational environments . 49 DIN EN ISO/IEC 27002:2017-06 EN ISO/IEC 27

32、002:2017 (E) 4 12.2 Protection from malware 50 12.2.1 Controls against malware . 50 12.3 Backup 51 12.3.1 Information backup. 51 12.4 Logging and monitoring . 52 12.4.1 Event logging 52 12.4.2 Protection of log information 53 12.4.3 Administrator and operator logs . 54 12.4.4 Clock synchronisation 5

33、4 12.5 Control of operational software 54 12.5.1 Installation of software on operational systems 54 12.6 Technical vulnerability management . 55 12.6.1 Management of technical vulnerabilities 55 12.6.2 Restrictions on software installation 57 12.7 Information systems audit considerations . 57 12.7.1

34、 Information systems audit controls 57 13 Communications security 58 13.1 Network security management . 58 13.1.1 Network controls 58 13.1.2 Security of network services 58 13.1.3 Segregation in networks 59 13.2 Information transfer . 59 13.2.1 Information transfer policies and procedures 60 13.2.2

35、Agreements on information transfer 61 13.2.3 Electronic messaging 61 13.2.4 Confidentiality or non-disclosure agreements 62 14 System acquisition, development and maintenance . 63 14.1 Security requirements of information systems 63 14.1.1 Information security requirements analysis and specification

36、 63 14.1.2 Securing application services on public networks 64 14.1.3 Protecting application services transactions. 65 14.2 Security in development and support processes 66 14.2.1 Secure development policy . 66 14.2.2 System change control procedures 66 14.2.3 Technical review of applications after

37、operating platform changes . 67 14.2.4 Restrictions on changes to software packages 68 14.2.5 Secure system engineering principles 68 14.2.6 Secure development environment. 69 14.2.7 Outsourced development 69 14.2.8 System security testing 70 14.2.9 System acceptance testing 70 14.3 Test data 71 14.

38、3.1 Protection of test data 71 15 Supplier relationships 71 15.1 Information security in supplier relationships. 71 15.1.1 Information security policy for supplier relationships . 71 15.1.2 Addressing security within supplier agreements 72 15.1.3 Information and communication technology supply chain

39、 74 15.2 Supplier service delivery management . 75 15.2.1 Monitoring and review of supplier services . 75 15.2.2 Managing changes to supplier services 75 DIN EN ISO/IEC 27002:2017-06 EN ISO/IEC 27002:2017 (E) 5 16 Information security incident management . 76 16.1 Management of information security

40、incidents and improvements . 76 16.1.1 Responsibilities and procedures 76 16.1.2 Reporting information security events 77 16.1.3 Reporting information security weaknesses 78 16.1.4 Assessment of and decision on information security events 78 16.1.5 Response to information security incidents . 78 16.

41、1.6 Learning from information security incidents 79 16.1.7 Collection of evidence . 79 17 Information security aspects of business continuity management 80 17.1 Information security continuity 80 17.1.1 Planning information security continuity . 80 17.1.2 Implementing information security continuity

42、 . 81 17.1.3 Verify, review and evaluate information security continuity 82 17.2 Redundancies . 82 17.2.1 Availability of information processing facilities . 82 18 Compliance 83 18.1 Compliance with legal and contractual requirements 83 18.1.1 Identification of applicable legislation and contractual

43、 requirements 83 18.1.2 Intellectual property rights 83 18.1.3 Protection of records . 84 18.1.4 Privacy and protection of personally identifiable information . 85 18.1.5 Regulation of cryptographic controls 85 18.2 Information security reviews . 86 18.2.1 Independent review of information security

44、. 86 18.2.2 Compliance with security policies and standards 86 18.2.3 Technical compliance review . 87 Bibliography . 88 DIN EN ISO/IEC 27002:2017-06 European foreword The text of ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Informati

45、on technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27002:2017. This European Standard shall be given the status of a national standard, either by publication of an identical text or

46、by endorsement, at the latest by August 2017, and conflicting national standards shall be withdrawn at the latest by August 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for

47、 identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former

48、 Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/

49、IEC 27002:2013 including Cor 1:2014 and Cor 2:2015 has been approved by CEN as EN ISO/IEC 27002:2017 without any modification. DIN EN ISO/IEC 27002:2017-06 EN ISO/IEC 27002:2017 (E)6ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of Internat