1、BS ISO/IEC 27002:2013Incorporating corrigendum September 2014BS ISO/IEC 27002:2013Incorporating corrigenda September 2014 and November 2015BS EN ISO/IEC 27002:2017Information technology Security techniques Code of practice for information security controls (ISO/IEC 27002:2013)BSI Standards Publicati
2、onWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO/IEC 27002:2017 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN ISO/IEC 27002:2017. It is identical to ISO/IEC 27002:2013, incorporating corrigenda September 2014 and November 2015. It supersedes
3、 BS ISO/IEC 27002:2013 which is withdrawn.The start and finish of text introduced or altered by corrigendum is indicated in the text by tags. Text altered by ISO/IEC corrigendum September 2014 is indicated in the text by .The UK participation in its preparation was entrusted by Technical Committee I
4、ST/33, IT - Security techniques, to Subcommittee IST/33/-/1, Requirements, security services and guidelines.A list of organizations represented on this subcommittee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Us
5、ers are responsible for its correct application. The British Standards Institution 2017. Published by BSI Standards Limited 2017ISBN 978 0 580 95520 4ICS 35.030Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of
6、the Standards Policy and Strategy Committee on 1 October 2013.Amendments/corrigenda issued since publicationDate Text affected31 October 2014 Implementation of ISO/IEC corrigendum September 201430 November 2015 Implementation of ISO/IEC corrigendum November 2015: Subclause 14.2.8 modified31 March 20
7、17 This corrigendum renumbers BS ISO/IEC 27002:2013 as BS EN ISO/EC 27002:2017.EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27002 February 2017 ICS 03.100.70; 35.030 English Version Information technology - Security techniques - Code of practice for information security controls (ISO
8、/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015) Technologies de linformation - Techniques de scurit - Code de bonne pratique pour le management de la scurit de linformation (ISO/IEC 27002:2013 y compris Cor 1:2014 et Cor 2:2015) Informationstechnik - Sicherheitsverfahren - Leitfaden fr Informat
9、ionssicherheitsmanahmen (ISO/IEC 27002:2013 einschlielich Cor 1:2014 und Cor 2:2015) This European Standard was approved by CEN on 26 January 2017. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard t
10、he status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (
11、English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards
12、bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia,
13、Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN and CENELEC All rights of exploitation in any form and by an
14、y means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27002:2017 E ISO/IEC 27002:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword v0 Introduction .vi1 Scope . 12 Normative references 13 Terms and definitions . 14 Structure of this standard . 14.1 Claus
15、es . 14.2 Control categories 15 Information security policies 25.1 Management direction for information security . 26 Organization of information security . 46.1 Internal organization . 46.2 Mobile devices and teleworking 67 Human resource security 97.1 Prior to employment 97.2 During employment . 1
16、07.3 Termination and change of employment 138 Asset management 138.1 Responsibility for assets 138.2 Information classification .158.3 Media handling 179 Access control .199.1 Business requirements of access control 199.2 User access management 219.3 User responsibilities . 249.4 System and applicat
17、ion access control 2510 Cryptography .2810.1 Cryptographic controls . 2811 Physical and environmental security .3011.1 Secure areas 3011.2 Equipment 3312 Operations security 3812.1 Operational procedures and responsibilities 3812.2 Protection from malware 4112.3 Backup . 4212.4 Logging and monitorin
18、g . 4312.5 Control of operational software 4512.6 Technical vulnerability management .4612.7 Information systems audit considerations 4813 Communications security 4913.1 Network security management . 4913.2 Information transfer .5014 System acquisition, development and maintenance 5414.1 Security re
19、quirements of information systems .5414.2 Security in development and support processes .5714.3 Test data .6215 Supplier relationships .6215.1 Information security in supplier relationships 62BS ISO/IEC 27002:2013BS EN ISO/IEC 27002:2017EN ISO/IEC 27002:2017 (E)EN ISO/IEC 27002:2017 (E) 3 European f
20、oreword The text of ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN
21、 ISO/IEC 27002:2017. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2017, and conflicting national standards shall be withdrawn at the latest by August 2017. Attention is drawn to the poss
22、ibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries a
23、re bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, P
24、ortugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015 has been approved by CEN as EN ISO/IEC 27002:2017 without any modification. ISO/IEC 27002:2013(E) ISO/IEC 201
25、3 All rights reserved iiiContents PageForeword v0 Introduction .vi1 Scope . 12 Normative references 13 Terms and definitions . 14 Structure of this standard . 14.1 Clauses . 14.2 Control categories 15 Information security policies 25.1 Management direction for information security . 26 Organization
26、of information security . 46.1 Internal organization . 46.2 Mobile devices and teleworking 67 Human resource security 97.1 Prior to employment 97.2 During employment . 107.3 Termination and change of employment 138 Asset management 138.1 Responsibility for assets 138.2 Information classification .15
27、8.3 Media handling 179 Access control .199.1 Business requirements of access control 199.2 User access management 219.3 User responsibilities . 249.4 System and application access control 2510 Cryptography .2810.1 Cryptographic controls . 2811 Physical and environmental security .3011.1 Secure areas
28、 3011.2 Equipment 3312 Operations security 3812.1 Operational procedures and responsibilities 3812.2 Protection from malware 4112.3 Backup . 4212.4 Logging and monitoring . 4312.5 Control of operational software 4512.6 Technical vulnerability management .4612.7 Information systems audit consideratio
29、ns 4813 Communications security 4913.1 Network security management . 4913.2 Information transfer .5014 System acquisition, development and maintenance 5414.1 Security requirements of information systems .5414.2 Security in development and support processes .5714.3 Test data .6215 Supplier relationsh
30、ips .6215.1 Information security in supplier relationships 62BS ISO/IEC 27002:2013BS EN ISO/IEC 27002:2017ISO/IEC 27002:2013(E)ISO/IEC 27002:2013(E)iv ISO/IEC 2013 All rights reserved15.2 Supplier service delivery management 6616 Information security incident management 6716.1 Management of informat
31、ion security incidents and improvements .6717 Information security aspects of business continuity management .7117.1 Information security continuity 7117.2 Redundancies 7318 Compliance 7418.1 Compliance with legal and contractual requirements .7418.2 Information security reviews 77Bibliography .79BS
32、 ISO/IEC 27002:2013ISO/IEC 27002:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of
33、 International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in l
34、iaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.ISO/IEC 27002 was prepared by
35、Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent r
36、ights.This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised. ISO/IEC 2013 All rights reserved vBS ISO/IEC 27002:2013BS EN ISO/IEC 27002:2017ISO/IEC 27002:2013(E)ISO/IEC 27002:2013(E)iv ISO/IEC 2013 All rights reserved15.2
37、 Supplier service delivery management 6616 Information security incident management 6716.1 Management of information security incidents and improvements .6717 Information security aspects of business continuity management .7117.1 Information security continuity 7117.2 Redundancies 7318 Compliance 74
38、18.1 Compliance with legal and contractual requirements .7418.2 Information security reviews 77Bibliography .79BS ISO/IEC 27002:2013ISO/IEC 27002:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized syste
39、m for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees col
40、laborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standard
41、s are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.Attention is drawn to the possibility that some of the elements of this documen
42、t may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised. ISO/IEC 2013 All rights reserved vBS ISO/IEC 27
43、002:2013BS EN ISO/IEC 27002:2017ISO/IEC 27002:2013(E)ISO/IEC 27002:2013(E)0 Introduction0.1 Background and contextThis International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS)
44、 based on ISO/IEC 2700110or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their spec
45、ific information security risk environment(s).Organizations of all types and sizes (including public and private sector, commercial and non-profit) collect, process, store and transmit information in many forms including electronic, physical and verbal (e.g. conversations and presentations).The valu
46、e of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protecti
47、on are assets that, like other important business assets, are valuable to an organizations business and consequently deserve or require protection against various hazards.Assets are subject to both deliberate and accidental threats while the related processes, systems, networks and people have inher
48、ent vulnerabilities. Changes to business processes and systems or other external changes (such as new laws and regulations) may create new information security risks. Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organization, information
49、 security risks are always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts to its assets.Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business
