1、 INCITS/ISO/IEC 27002:2013 2014 (ISO/IEC 27002:2013, IDT) Information technology Security techniques Code of practice for information security controls INCITS/ISO/IEC 27002:2013 2014 PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file ma
2、y be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat acce
3、pts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that th
4、e file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of
5、ANSI Approval: 6/18/2014 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2014 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organizati
6、on (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written p
7、ermission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America ii ITIC 2014 All rights reserved ISO/IEC 27002:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword v0 Introduction .v
8、i1 Scope . 12 Normative references 13 Terms and definitions . 14 Structure of this standard . 14.1 Clauses . 14.2 Control categories 15 Information security policies 25.1 Management direction for information security . 26 Organization of information security . 46.1 Internal organization . 46.2 Mobil
9、e devices and teleworking 67 Human resource security 97.1 Prior to employment 97.2 During employment . 107.3 Termination and change of employment 138 Asset management 138.1 Responsibility for assets 138.2 Information classification .158.3 Media handling 179 Access control .199.1 Business requirement
10、s of access control 199.2 User access management 219.3 User responsibilities . 249.4 System and application access control 2510 Cryptography .2810.1 Cryptographic controls . 2811 Physical and environmental security .3011.1 Secure areas 3011.2 Equipment 3312 Operations security 3812.1 Operational pro
11、cedures and responsibilities 3812.2 Protection from malware 4112.3 Backup . 4212.4 Logging and monitoring . 4312.5 Control of operational software 4512.6 Technical vulnerability management .4612.7 Information systems audit considerations 4813 Communications security 4913.1 Network security managemen
12、t . 4913.2 Information transfer .5014 System acquisition, development and maintenance 5414.1 Security requirements of information systems .5414.2 Security in development and support processes .5714.3 Test data .6215 Supplier relationships .6215.1 Information security in supplier relationships 62ISO/
13、IEC 27002:2013(E)iv ISO/IEC 2013 All rights reserved15.2 Supplier service delivery management 6616 Information security incident management 6716.1 Management of information security incidents and improvements .6717 Information security aspects of business continuity management .7117.1 Information se
14、curity continuity 7117.2 Redundancies 7318 Compliance 7418.1 Compliance with legal and contractual requirements .7418.2 Information security reviews 77Bibliography .79ISO/IEC 27002:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Com
15、mission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. I
16、SO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, I
17、SO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.Attention is drawn to the possibility that s
18、ome of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised. ISO/IEC 2013
19、 All rights reserved vISO/IEC 27002:2013(E)0 Introduction0.1 Background and contextThis International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 2700110or as
20、a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk
21、environment(s).Organizations of all types and sizes (including public and private sector, commercial and non-profit) collect, process, store and transmit information in many forms including electronic, physical and verbal (e.g. conversations and presentations).The value of information goes beyond th
22、e written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other
23、important business assets, are valuable to an organizations business and consequently deserve or require protection against various hazards.Assets are subject to both deliberate and accidental threats while the related processes, systems, networks and people have inherent vulnerabilities. Changes to
24、 business processes and systems or other external changes (such as new laws and regulations) may create new information security risks. Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organization, information security risks are always pres
25、ent. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts to its assets.Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational st
26、ructures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. An ISMS such as that specified in ISO/IEC 2700110takes a holi
27、stic, coordinated view of the organizations information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.Many information systems have not been designed to be secure in the sense of ISO/IEC 2700110
28、and this standard. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires support by all employe
29、es in the organization. It can also require participation from shareholders, suppliers or other external parties. Specialist advice from external parties can also be needed.In a more general sense, effective information security also assures management and other stakeholders that the organizations a
30、ssets are reasonably safe and protected against harm, thereby acting as a business enabler.0.2 Information security requirementsIt is essential that an organization identifies its security requirements. There are three main sources of security requirements:a) the assessment of risks to the organizat
31、ion, taking into account the organizations overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;b) the legal, statutory, regulatory and contractual requireme
32、nts that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;vi ISO/IEC 2013 All rights reservedISO/IEC 27002:2013(E)c) the set of principles, objectives and business requirements for information handling, processing, storing
33、, communicating and archiving that an organization has developed to support its operations.Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guid
34、e and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.ISO/IEC 2700511provides information security risk management guidance, including advice on risk assessment, risk treatment, r
35、isk acceptance, risk communication, risk monitoring and risk review.0.3 Selecting controlsControls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate.The selection of controls is dependent upon organizational decisions
36、 based on the criteria for risk acceptance, risk treatment options and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls i
37、nteract to provide defence in depth.Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organizations. The controls are explained in more detail below along with implementation guidance. More information about sele
38、cting controls and other risk treatment options can be found in ISO/IEC 27005.110.4 Developing your own guidelinesThis International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be appl
39、icable. Furthermore, additional controls and guidelines not included in this standard may be required. When documents are developed containing additional guidelines or controls, it may be useful to include cross-references to clauses in this standard where applicable to facilitate compliance checkin
40、g by auditors and business partners.0.5 Lifecycle considerationsInformation has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their lifetime (e.g. unauthori
41、zed disclosure or theft of a companys financial accounts is far less significant after they have been formally published) but information security remains important to some extent at all stages.Information systems have lifecycles within which they are conceived, specified, designed, developed, teste
42、d, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actu
43、al incidents and current and projected information security risks into account.0.6 Related standardsWhile this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000 family pro
44、vide complementary advice or requirements on other aspects of the overall process of managing information security.Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000 provides a glossary, formally defining most of the terms used throughout the I
45、SO/IEC 27000 family of standards, and describes the scope and objectives for each member of the family. ISO/IEC 2013 All rights reserved viiInformation technology Security techniques Code of practice for information security controls1 ScopeThis International Standard gives guidelines for organizatio
46、nal information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organizations information security risk environment(s).This International Standard is designed to be used by organizations
47、 that intend to:a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;10b) implement commonly accepted information security controls;c) develop their own information security management guidelines.2 Normative referencesThe following do
48、cuments, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 27000, Informati
49、on technology Security techniques Information security management systems Overview and vocabulary3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.4 Structure of this standardThis standard contains 14 security control clauses collectively containing a total of 35 main security categories and 114 controls.4.1 ClausesEach clause defining security controls contains one or more main securit
