1、November 2016 English price group 9No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 03.100.70; 03.120.20; 35.030!%v/
2、“2588312www.din.deDIN ISO/IEC 27009Information technology Security techniques Sectorspecific application of ISO/IEC 27001 Requirements (ISO/IEC 27009:2016),English translation of DIN ISO/IEC 27009:2016-11Informationstechnik ITSicherheitsverfahren Sektorspezifische Anwendung der ISO/IEC 27001 Anforde
3、rungen (ISO/IEC 27009:2016),Englische bersetzung von DIN ISO/IEC 27009:2016-11Technologies de linformation Techniques de scurit Application de lISO/IEC 27001 un secteur spcifique Exigences (ISO/IEC 27009:2016),Traduction anglaise de DIN ISO/IEC 27009:2016-11www.beuth.deDocument comprises su pagesDTr
4、anslation by DIN-Sprachendienst.In case of doubt, the German-language original shall be considered authoritative.11.16 DIN ISO/IEC 27009:2016-11 2 A comma is used as the decimal marker. Contents Page National foreword . 3 National Annex NA (informative) Bibliography 4 1 Scope 5 2 Normative reference
5、s 5 3 Terms and definitions . 5 4 Overview of this International Standard 5 4.1 General 5 4.2 Structure of this International Standard 6 4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls 7 5 Additional, refined or interpreted ISO/IEC 27001 requirements . 7 5.1 General 7 5.2 Addition
6、al requirements 7 5.3 Refined requirements . 8 5.4 Interpreted requirements . 8 6 Additional or modified ISO/IEC 27002 guidance 8 6.1 General 8 6.2 Additional guidance . 8 6.3 Modified guidance . 9 Annex A (normative) Template for developing sector-specific standards related to ISO/IEC 27001:2013 or
7、 ISO/IEC 27002:2013 10 A.1 Drafting instructions . 10 A.2 Template . 10 Bibliography . 13 DIN ISO/IEC 27009:2016-11 3 National foreword International Standard ISO/IEC 27009:2016 has been adopted, unchanged, as DIN ISO/IEC 27009:2016. The responsible German body involved in its preparation was DIN-No
8、rmenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 043-01-27-01 AK Anforderungen, Dienste und Richtlinien fr IT-Sicherheitssysteme. ISO/IEC 27009:2016 has been prepared by Technical Committee ISO/IEC J
9、TC 1 “Information technology”, Subcommittee SC 27 “IT Security techniques”. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. DIN and/or DKE shall not be held responsible for identifying any or all such patent rights. The DIN Standa
10、rds corresponding to the International Standards referred to in this document are as follows: ISO/IEC 27000:2016 DIN ISO/IEC 27000 (under revision) ISO/IEC 27001:2013 DIN ISO/IEC 27001 ISO/IEC 27002:2013 DIN ISO/IEC 27002 (under revision) DIN ISO/IEC 27009:2016-11 4 National Annex NA (informative) B
11、ibliography DIN ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary DIN ISO/IEC 27001:2015-03, Information technology Security techniques Information security management systems Requirements (ISO/IEC 27001:2013 + Cor. 1:2014) DIN
12、ISO/IEC 27002:2014-02, Information technology Security techniques Code of practice for information security management (ISO/IEC FDIS 27002:2013) Information technology Security techniques Sector-specific application of ISO/IEC 27001 Requirements1 ScopeThis International Standard defines the requirem
13、ents for the use of ISO/IEC 27001 in any specific sector (field, application area or market sector). It explains how to include requirements additional to those in ISO/IEC 27001, how to refine any of the ISO/IEC 27001 requirements, and how to include controls or control sets in addition to ISO/IEC 2
14、7001:2013, Annex A.This International Standard ensures that additional or refined requirements are not in conflict with the requirements in ISO/IEC 27001.This International Standard is applicable to those involved in producing sector-specific standards that relate to ISO/IEC 27001.2 Normative refere
15、ncesThe following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/
16、IEC 27000:2016, Information technology Security techniques Information security management systems Overview and vocabularyISO/IEC 27001:2013, Information technology Security techniques Information security management systems RequirementsISO/IEC 27002:2013, Information technology Security techniques
17、Code of practice for information security controls3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.3.1interpretationexplanation (in form of requirement or guidance) of an ISO/IEC 27001 requirement in a sector-specific
18、context which does not invalidate any of the ISO/IEC 27001 requirements3.2refinementsector-specific specification of an ISO/IEC 27001 requirement which does not remove or invalidate any of the ISO/IEC 27001 requirements4 Overview of this International Standard4.1 GeneralISO/IEC 27001 is an Internati
19、onal Standard that defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. 5 DIN ISO/IEC 27009:2016-11 It states that its requirements are generic and are intended to be applicable to all organizations, regardless of t
20、ype, size or nature. NOTE Management system standards within ISO are built in accordance with ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2016.1ISO/IEC 27002 is an International Standard that provides guidelines for information security management practices including the selection, impl
21、ementation and management of controls taking into consideration the organizations information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002
22、 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.The control objective and controls of ISO/IEC 27002 are listed in Annex A of ISO/IEC 27001:2013 in a normative form. ISO/IEC 27001:2013 requires an organization to “determine all controls that are
23、 necessary to implement the information security risk treatment option(s) chosen (see 6.1.3 b)”, and “compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted (see 6.1.3 c)”.While ISO/IEC 27001 and ISO/IEC 27002 are widely accept
24、ed in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are emerging needs for sector-specific versions of these standards. Examples of standards which have been developed to address these sector-specific needs are: ISO/IEC 27010,2Informatio
25、n security management for inter-sector and inter-organizational communications; ISO/IEC 27011,3Information security management guidelines for telecommunications organizations based on ISO/IEC 27002; ISO/IEC 27017,4Code of practice for information security controls based on ISO/IEC 27002 for cloud se
26、rvices; and ISO/IEC 27018,5Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.Organizations outside of ISO/IEC have also produced standards addressing sector-specific needs.Sector-specific standards should be consistent with the req
27、uirements of the information security management system. This International Standard provides requirements for how to add to, refine or interpret the requirements of ISO/IEC 27001 and how to add or modify the guidelines of ISO/IEC 27002 for sector-specific use.This International Standard assumes tha
28、t all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, will apply in the sector-specific context unchanged.4.2 Structure of this International StandardClause 5 provides requirements and guidance on how to define requirement
29、s that are additional to, refinement or interpretation of ISO/IEC 27001 requirements.Clause 6 provides requirements and guidance on how to provide control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content.Annex A contains a temp
30、late which should be used for sector-specific standards related to ISO/IEC 27001 and/or ISO/IEC 27002.Within this International Standard, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector: Addition see 5.26DIN ISO/IEC 27009:2016-11 Refinement see 5.3 Interpretation see
31、 5.4.Within this International Standard, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector: Addition see 6.2 Modification see 6.3.NOTE Any sector-specific guidance that is developed following the requirements and guidance in this International Standard cannot be contained
32、within a Technical Report . The ISO/IEC Directives1define a Technical Report as a document that does not contain requirements, and any sector-specific standard developed based on this International Standard, particularly Annex A, will contain at least a minimum set of requirements (see clause 4.1 of
33、 the template in A.2).4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controlsSector-specific standards related to ISO/IEC 27001 may add requirements or guidance to those of ISO/IEC 27001 or ISO/IEC 27002. The addition may expand the requirements or guidance beyond information security int
34、o their sector-specific topic.EXAMPLE ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors uses such expansions. ISO/IEC 27018:2014, Annex A5contains a set of controls aimed at the protection of personally identifiable
35、information and, therefore, expands the scope of ISO/IEC 270185to cover PII protection in addition to information security.5 Additional, refined or interpreted ISO/IEC 27001 requirements5.1 GeneralFigure 1 illustrates how sector-specific requirements are constructed in relationship to ISO/IEC 27001.
36、Figure 1 Construction of sector-specific requirements5.2 Additional requirementsSpecification of additional requirements is permitted.EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013,
37、 5.2.No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001. Sector-specific additions to ISO/IEC 27001 requirements shall, where possible, follow the requirements and guidance set out in Annex A of this International Standa
38、rd.7 DIN ISO/IEC 27009:2016-11 N1)N1)National footnote: The expression “Technical Report refers to the Technical Reports prepared in accordance with the ISO/IEC Directives. 5.3 Refined requirementsRefinement of ISO/IEC 27001 requirements is permitted.NOTE Refinements do not remove or invalidate any
39、of the requirements in ISO/IEC 27001 (see 3.2).Sector-specific refinements of ISO/IEC 27001 requirements shall, where possible, follow the requirements and guidance set out in Annex A of this International Standard.EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 270
40、01:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard.Specification of a particular approach to meeting requirements in ISO/IEC
41、 27001 is also permitted.EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sectors-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.5.4 Interpreted requirementsInterpret
42、ation of ISO/IEC 27001 requirements is permitted.NOTE Interpretations do not invalidate any of the ISO/IEC 27001 requirements but explain them or place them into sector-specific context (see 3.1).Sector-specific interpretations of ISO/IEC 27001 requirements shall, where possible, follow the requirem
43、ents and guidance set out in Annex A of this International Standard.6 Additional or modified ISO/IEC 27002 guidance6.1 GeneralFigure 2 illustrates how ISO/IEC 27002 guidance can be added to or modified.Figure 2 Construction of sector-specific guidanceEach control shall only contain one instance of t
44、he word “should”.NOTE In ISO/IEC 27001:2013, Information security risk treatment requires an organization to state controls that have been determined and justification of inclusions, and justification for exclusions of controls from Annex A. Having only one use of “should” within a control statement
45、 eliminates the possibility of ambiguity over the scope of the control.6.2 Additional guidanceAddition of clauses, control objectives, controls, implementation guidance and other information to ISO/IEC 27002 is permitted.8DIN ISO/IEC 27009:2016-11 Clauses, control objectives, controls, implementatio
46、n guidance and other information additional to ISO/IEC 27002 shall, where possible, follow the requirements and guidance set out in Annex A of this International Standard.Before specifying additional clauses, control objectives or controls, entities producing sector-specific standards related to ISO
47、/IEC 27001 should consider whether a more effective approach would be to modify existing ISO/IEC 27002 content, or achieve the desired result through the addition of sector-specific control objectives, controls, implementation guidance and other information to the existing ISO/IEC 27002 content.6.3
48、Modified guidanceModification of clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002 is permitted.No modification shall remove, invalidate or reduce any of the controls in ISO/IEC 27002.Modified clauses, control objectives, controls, implementation
49、 guidance and other information from ISO/IEC 27002 shall, where possible, follow the requirements and guidance set out in Annex A of this International Standard.9 DIN ISO/IEC 27009:2016-11 Annex A (normative) Template for developing sector-specific standards related to ISO/IEC 27001:2013 or ISO/IEC 27002:2013A.1 Drafting instructionsWithin A.2 the following formatting convention is used: Text in angle br
