1、BS ISO/IEC 27001:2013Incorporating corrigenda September 2014 and December 2015Incorporating corrigendum September 2014BS ISO/IEC 27001:2013BS EN ISO/IEC 27001:2017Information technology Security techniques Information security management systems Requirements (ISO/IEC 27001:2013) BSI Standards Public
2、ationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO/IEC 27001:2017 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN ISO/IEC 27001:2017. It is identical to ISO/IEC 27001:2013, incorporating corrigenda September 2014 and December 2015. It superse
3、des BS ISO/IEC 27001:2013 which is withdrawn.The UK participation in its preparation was entrusted by Technical Committee IST/33, IT - Security techniques, to Subcommittee IST/33/-/1, Requirements, security services and guidelines.A list of organizations represented on this subcommittee can be obtai
4、ned on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017. Published by BSI Standards Limited 2017ISBN 978 0 580 95518 1ICS 03.100.70; 35.030Compli
5、ance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 1 October 2013.Amendments/corrigenda issued since publicationDate Text affected31 October 2014 Implementation of ISO/IE
6、C corrigendum September 2014: third column of A.8.1.1 in Table A.1 amended31 January 2016 Implementation of ISO/IEC corrigendum December 2015: Subclause 6.1.3 corrected31 March 2017 This corrigendum renumbers BS ISO/IEC 27001:2013 as BS EN ISO/IEC 27001:2017.EUROPEAN STANDARD NORME EUROPENNE EUROPIS
7、CHE NORM EN ISO/IEC 27001 February 2017 ICS 03.100.70; 35.030 English Version Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015) Technologies de linformation - Techniques de scurit - Systmes d
8、e management de la scurit de linformation - Exigences (ISO/IEC 27001:2013 y compris Cor 1:2014 et Cor 2:2015) Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Anforderungen (ISO/IEC 27001:2013 einschlielich Cor 1:2014 und Cor 2:2015) This European Standard was
9、 approved by CEN on 26 January 2017. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concer
10、ning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN
11、 and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugosl
12、av Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT E
13、UROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27001:2017 E ISO/IEC 27001
14、:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword iv0 Introduction .v1 Scope . 12 Normative references 13 Terms and definitions . 14 Context of the organization . 14.1 Understanding the organization and its context . 14.2 Understanding the needs and expectations of interested partie
15、s 14.3 Determining the scope of the information security management system 14.4 Information security management system . 25 Leadership 25.1 Leadership and commitment . 25.2 Policy . 25.3 Organizational roles, responsibilities and authorities 36 Planning . 36.1 Actions to address risks and opportunit
16、ies . 36.2 Information security objectives and planning to achieve them . 57 Support . 57.1 Resources . 57.2 Competence . 57.3 Awareness . 57.4 Communication 67.5 Documented information . 68 Operation . 78.1 Operational planning and control 78.2 Information security risk assessment. 78.3 Information
17、 security risk treatment 79 Performance evaluation . 79.1 Monitoring, measurement, analysis and evaluation . 79.2 Internal audit 89.3 Management review . 810 Improvement 910.1 Nonconformity and corrective action . 910.2 Continual improvement 9Annex A (normative) Reference control objectives and cont
18、rols 10Bibliography .23BS ISO/IEC 27001:2013EN ISO/IEC 27001:2017 (E) 3 European foreword The text of ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and
19、 the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27001:2017. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2017, and conflicting national standar
20、ds shall be withdrawn at the latest by August 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Inter
21、nal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ir
22、eland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015 has been approved by CEN as
23、 EN ISO/IEC 27001:2017 without any modification. BS EN ISO/IEC 27001:2017EN ISO/IEC 27001:2017 (E)ISO/IEC 27001:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword iv0 Introduction .v1 Scope . 12 Normative references 13 Terms and definitions . 14 Context of the organization . 14.1 Unde
24、rstanding the organization and its context . 14.2 Understanding the needs and expectations of interested parties 14.3 Determining the scope of the information security management system 14.4 Information security management system . 25 Leadership 25.1 Leadership and commitment . 25.2 Policy . 25.3 Or
25、ganizational roles, responsibilities and authorities 36 Planning . 36.1 Actions to address risks and opportunities . 36.2 Information security objectives and planning to achieve them . 57 Support . 57.1 Resources . 57.2 Competence . 57.3 Awareness . 57.4 Communication 67.5 Documented information . 6
26、8 Operation . 78.1 Operational planning and control 78.2 Information security risk assessment. 78.3 Information security risk treatment 79 Performance evaluation . 79.1 Monitoring, measurement, analysis and evaluation . 79.2 Internal audit 89.3 Management review . 810 Improvement 910.1 Nonconformity
27、 and corrective action . 910.2 Continual improvement 9Annex A (normative) Reference control objectives and controls 10Bibliography .23BS ISO/IEC 27001:2013BS EN ISO/IEC 27001:2017ISO/IEC 27001:2013(E)ISO/IEC 27001:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the I
28、nternational Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particula
29、r fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have establish
30、ed a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical co
31、mmittee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC sh
32、all not be held responsible for identifying any or all such patent rights.ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which h
33、as been technically revised.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 27001:2013ISO/IEC 27001:2013(E)0 Introduction0.1 GeneralThis International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security manage
34、ment system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organizations information security management system is influenced by the organizations needs and objectives, security requirements, the orga
35、nizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gi
36、ves confidence to interested parties that risks are adequately managed.It is important that the information security management system is part of and integrated with the organizations processes and overall management structure and that information security is considered in the design of processes, i
37、nformation systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.This International Standard can be used by internal and external parties to assess the organizations ability to meet the orga
38、nizations own information security requirements.The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.ISO/IEC 27000 describes the
39、overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 270032, ISO/IEC 270043and ISO/IEC 270054), with related terms and definitions.0.2 Compatibility with other management system standards
40、This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards t
41、hat have adopted the Annex SL.This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards. ISO/IEC 2013 All rights reserved vBS ISO/IEC 27001:2013BS EN ISO
42、/IEC 27001:2017ISO/IEC 27001:2013(E)ISO/IEC 27001:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in t
43、he development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-g
44、overnmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task
45、 of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a v
46、ote.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technol
47、ogy, Subcommittee SC 27, IT Security techniques.This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 27001:2013ISO/IEC 27001:2013(E)0 Introduction0.1 GeneralThis International Standard has be
48、en prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organ
49、izations information security management system is influenced by the organizations needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process
