1、BS ISO/IEC 27000:2016Information technology Security techniques Information securitymanagement systems Overview and vocabularyBS EN ISO/IEC 27000:2017(ISO/IEC 27000:2016)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO/IEC 27000:2017 BRITISH STANDARDNational
2、 forewordThis British Standard is the UK implementation of EN ISO/IEC 27000:2017. It is identical to ISO/IEC 27000:2016. It supersedes BS ISO/IEC 27000:2016 which is withdrawn.A list of organizations represented on this subcommittee can be obtained on request to its secretary.This publication does n
3、ot purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017. Published by BSI Standards Limited 2017ISBN 978 0 580 95519 8ICS 01.040.35; 03.100.70; 35.030Compliance with a British Standard cannot confer i
4、mmunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 29 February 2016.Amendments/corrigenda issued since publicationDate Text affected31 March 2017 This corrigendum renumbers BS ISO/IEC 27000:2016 as BS EN ISO/IEC 27
5、000:2017The UK participation in its preparation was entrusted by Technical Committee IST/33, IT - Security techniques, to Subcommittee IST/33/-/1, Requirements, security services and guidelines.EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27000 February 2017 ICS 01.040.35; 03.100.70;
6、 35.030 English Version Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2016) Technologies de linformation - Techniques de scurit - Systmes de gestion de scurit de linformation - Vue densemble et vocabulaire (ISO/IEC 270
7、00:2016) Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - berblick und Terminologie (ISO/IEC 27000:2016) This European Standard was approved by CEN on 26 January 2017. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which
8、stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member
9、. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official v
10、ersions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Nether
11、lands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN
12、and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27000:2017 E BS ISO/IEC 27000:2016ISO/IEC 27000:2016(E)Foreword v0 Introduction 10.1 Overview 10.2 ISMS family of standards 10.3 Purpose of this Internatio
13、nal Standard . 21 Scope . 22 Terms and definitions . 23 Information security management systems .143.1 General 143.2 What is an ISMS? 143.2.1 Overview and principles 143.2.2 Information 153.2.3 Information security 153.2.4 Management . 153.2.5 Management system 163.3 Process approach . 163.4 Why an
14、ISMS is important 163.5 Establishing, monitoring, maintaining and improving an ISMS 173.5.1 Overview 173.5.2 Identifying information security requirements .173.5.3 Assessing information security risks 183.5.4 Treating information security risks 183.5.5 Selecting and implementing controls .183.5.6 Mo
15、nitor, maintain and improve the effectiveness of the ISMS 193.5.7 Continual improvement 193.6 ISMS critical success factors . 203.7 Benefits of the ISMS family of standards . 204 ISMS family of standards .214.1 General information 214.2 Standards describing an overview and terminology 224.2.1 ISO/IE
16、C 27000 (this International Standard) .224.3 Standards specifying requirements . 224.3.1 ISO/IEC 27001 224.3.2 ISO/IEC 27006 224.4 Standards describing general guidelines 224.4.1 ISO/IEC 27002 224.4.2 ISO/IEC 27003 234.4.3 ISO/IEC 27004 234.4.4 ISO/IEC 27005 234.4.5 ISO/IEC 27007 234.4.6 ISO/IEC TR
17、27008 .234.4.7 ISO/IEC 27013 244.4.8 ISO/IEC 27014 244.4.9 ISO/IEC TR 27016 .244.5 Standards describing sector-specific guidelines 254.5.1 ISO/IEC 27010 254.5.2 ISO/IEC 27011 254.5.3 ISO/IEC TR 27015 .254.5.4 ISO/IEC 27017 254.5.5 ISO/IEC 27018 264.5.6 ISO/IEC TR 27019 .264.5.7 ISO 27799 26 ISO/IEC
18、2016 All rights reserved iiiContents PageEN ISO/IEC 27000:2017 (E) 3 European foreword The text of ISO/IEC 27000:2016 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Com
19、mission (IEC) and has been taken over as EN ISO/IEC 27000:2017. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2017, and conflicting national standards shall be withdrawn at the latest by
20、August 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards
21、 organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxemb
22、ourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27000:2016 has been approved by CEN as EN ISO/IEC 27000:2017 without any modification. BS EN ISO/IEC 27000:2017EN
23、 ISO/IEC 27000:2017 (E)BS ISO/IEC 27000:2016ISO/IEC 27000:2016(E)Foreword v0 Introduction 10.1 Overview 10.2 ISMS family of standards 10.3 Purpose of this International Standard . 21 Scope . 22 Terms and definitions . 23 Information security management systems .143.1 General 143.2 What is an ISMS? 1
24、43.2.1 Overview and principles 143.2.2 Information 153.2.3 Information security 153.2.4 Management . 153.2.5 Management system 163.3 Process approach . 163.4 Why an ISMS is important 163.5 Establishing, monitoring, maintaining and improving an ISMS 173.5.1 Overview 173.5.2 Identifying information se
25、curity requirements .173.5.3 Assessing information security risks 183.5.4 Treating information security risks 183.5.5 Selecting and implementing controls .183.5.6 Monitor, maintain and improve the effectiveness of the ISMS 193.5.7 Continual improvement 193.6 ISMS critical success factors . 203.7 Ben
26、efits of the ISMS family of standards . 204 ISMS family of standards .214.1 General information 214.2 Standards describing an overview and terminology 224.2.1 ISO/IEC 27000 (this International Standard) .224.3 Standards specifying requirements . 224.3.1 ISO/IEC 27001 224.3.2 ISO/IEC 27006 224.4 Stan
27、dards describing general guidelines 224.4.1 ISO/IEC 27002 224.4.2 ISO/IEC 27003 234.4.3 ISO/IEC 27004 234.4.4 ISO/IEC 27005 234.4.5 ISO/IEC 27007 234.4.6 ISO/IEC TR 27008 .234.4.7 ISO/IEC 27013 244.4.8 ISO/IEC 27014 244.4.9 ISO/IEC TR 27016 .244.5 Standards describing sector-specific guidelines 254.
28、5.1 ISO/IEC 27010 254.5.2 ISO/IEC 27011 254.5.3 ISO/IEC TR 27015 .254.5.4 ISO/IEC 27017 254.5.5 ISO/IEC 27018 264.5.6 ISO/IEC TR 27019 .264.5.7 ISO 27799 26 ISO/IEC 2016 All rights reserved iiiContents PageBS EN ISO/IEC 27000:2017ISO/IEC 27000:2016(E)BS ISO/IEC 27000:2016ISO/IEC 27000:2016(E)Annex A
29、 (informative) Verbal forms for the expression of provisions.28Annex B (informative) Term and term ownership 29Bibliography .33iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27000:2016ISO/IEC 27000:2016(E)ForewordISO (the International Organization for Standardization) and IEC (the International Elec
30、trotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of techn
31、ical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint techni
32、cal committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafte
33、d in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such pate
34、nt rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not c
35、onstitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe
36、 committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.This fourth edition cancels and replaces the third edition (ISO/IEC 27000:2014), which has been technically revised. ISO/IEC 2016 All rights reserved vBS EN ISO/IEC 27000:2017ISO/IEC 2700
37、0:2016(E)BS ISO/IEC 27000:2016ISO/IEC 27000:2016(E)Annex A (informative) Verbal forms for the expression of provisions.28Annex B (informative) Term and term ownership 29Bibliography .33iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27000:2016ISO/IEC 27000:2016(E)ForewordISO (the International Organiz
38、ation for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respe
39、ctive organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of informati
40、on technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different t
41、ypes of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall no
42、t be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is inf
43、ormation given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see
44、the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.This fourth edition cancels and replaces the third edition (ISO/IEC 27000:2014), which has been technically revised. ISO/IEC 2016
45、 All rights reserved vBS EN ISO/IEC 27000:2017ISO/IEC 27000:2016(E)BS ISO/IEC 27000:2016 BS ISO/IEC 27000:2016Information technology Security techniques Information security management systems Overview and vocabulary0 Introduction0.1 OverviewInternational Standards for management systems provide a m
46、odel to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international man
47、agement systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets incl
48、uding financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.0.2 ISMS family of standardsThe I
49、SMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS and consists of the following International Standards, under the general title Information technology Security techniques (given below in numerical order): ISO/IEC 27000, Information security management systems Overview and vocabulary ISO/IEC 27001, Information security management systems Requirements ISO/IEC 27002, Code of practice for information security controls ISO/IEC 27003, Information security