INTERNATIONAL ISO/IEC STANDARD 27001 Information technology — Security techniques — Information security management systems — Requirements ‘ecologies de nfrmeton — Techniques de sfcurté — Setimee de management def seurté de nformation — xigeces soe Broo 2013E) cetsopcaniss0/18¢27001:2013(6) AX conmcernorecro.0coest © wopes2013 ‘yg reserve. Une pers seid o par of hi pbcton mye pad ed tera any fn ‘ler pra: Formation csr nts Ro ie es ow oO en yen Frain Eilers " 1st 201A ered1s0/18¢27001:2013(6) Contents Poe Foreword © Introduction a 2 Normative references. Terms and efit en 4 Context the organization on 4 Understanding the organization and is content 42 Understanding the nee and expectations of intrested partie nvm 43 Determining the scope ofthe information secur management sien 44° Informadon security management sysemns nnn Se Si Leadership and commitment 52 Poly. — a 53 Osnzational oles responsbities and athoriies 6 ey {82 Information security obfecves and planning to achieve thems FSU nnn TD szoarces 72 Competence 73 fwatenese. 74 Communiestion 73 Documented information. 8 Operation BI Operational patning and contra — 82 _ Information security risk asessmeni— — 83 Information secur Hse trestment.s-2-aa 9 Performance evaluation 941 Mentoring messurement analysis and evaluation 92. Intemal auditor 93 Management review 310. Irpr0ve tn enn 101 Noneoniormity and comective ation — 102 Continual improvement on nnvnsvononwonwnrnnennrnnnnn “Annex A (normative) Reference contro objectives and contruls ubliograph. penn 10/1205 Aahsresere 8150 /18¢27001:2013(E) Foreword 130 (the imernatonal Organization for Standardization) and 186 (he International Electrotechnical Commission) form the epecalinaé system for worldwide standardization. National bodies that re Imemers of I0 or IBC participate inthe development of International Standards through technical fommitees established by the espectve organization to deal with particular fds f technical ‘ctv. 180 2nd TEC technical committees callabocate in leds of mutual interest. Other International ‘organizations, governmental and nongovernmental in tson with 150 and TBC, le take pa inthe ror the fc of fformstiontenology ISO and TEC have erase a oi techies commits, Tsojlec Te 1 locernatlonal Standandsare drafted in accordance withthe rules given in the ISO/IEC Directives Part. ‘Thema asf thefointechnical committee sto prepare International Standards. raft International ‘Standards adopted dy the join tectnical commeter are circuited to national bales for voting Publication as en Intereational Standard requtes approval by atleast 7 96 of the ational bodies ‘astnga vote. ‘Artention i drawn tthe possibilty that some af the elements ofthis document may be the subject of patent ight 10 and TEC Shall not bee responsible for identifying any oral such patent rights so/tec 27001 was prepared by Jolat Technical Committe ISO/IEC ITC 1, lyformation technology, Subcommittee SC27 Pr eeuritylachniques. ‘Tis second edition cancels and replaces the frst edition (ISO/TEC 27001-2005), which has been {echnlcallyrevised. w ‘otsoyine 2082-Alisseed180 /18¢27001:2013(6) 0 Introduction 01 General ‘This ternational Stand hasbeen prepared to provide requirements fr establishing. Implementing tnaintainingand continually improving an informacion security management system Toe adoption of Information security management system isa strategic decsion for an organization, The establishment ‘id implementation of tn organizations information security management system is influced by the forgantationsnoeds and objectives, security requirement, the orgntztioal processes used andthe ‘saand structure ofthe organlastion, Allo! these influencing factors are expected to changeover tine ‘The formation security management system preserves the confidentiality integrity and avallbiity of information by applying risk management process and gives confidence to iterested partis that Fics areadequatsly managed. {es tmportane thatthe information secuety management systems pat of and Integrated with the ‘organization's processes and overall management structure a that inormation security is considered Inthe design efprocesses, information ystems, and controle isexpectd tata information security ‘mangement system implementation wil be eraled in accordance with the needs ofthe organization. ‘Tis International Standard can be used by internal and external partis to asses the organizations bt to meet the organizations own information security requrement ‘The order In which requirements are presente In thls International Standard does not reflect their importance or imply te order in which they are te Implemented. The lst tems are enumerated fr reference purpose ony. ISO/IEC 27000 describes the overview and the vocabulaty of information security mat snagement ‘ase eeencng the formation scr management ye ol of standard (nang, TSoytec 27o03t 1s0/1ec 270040) and ISO/IEC 2700SEH, with elated terms and destin. 02 Compatibility with other management eystem standards ‘This International Standard applies the ighlevel structure, Wenticl sub-clause ites, Kenta text amma terms, and core defaitons defined in Annex SL of Iso/lec Directives, Part, Consolidated SO Supplement and therefore maintains compatibility with other management system standards that have ‘doped the Annex SL. ‘Thiscommon approach definedinthe Annex SLwillbeuseul for those organizations that choose operate asinglemanagoment system that meets the requirements of vo or more management system standards, 21st 205 - Agsresered vINTERNATIONAL STANDARD ISO/IEC 27001:2013(6) Information technology — Security techniques — Information security management systems — Requirements 1 Scope ‘Ths Hiternational Standard specifies the requirement for establihing, implementing, maintaining and continually improving an foformation security management system within the context of the organtzation- This International standard als includes requements or the assesament and treatment ‘tinformation security risks allored tothe needs ofthe organaaton The requirement et outa this International standard are generic and are inanded tobe applicable to all aryanteations regardless cftype, size or nature Excluding any ofthe requlrementsspecfed in Classes 400i not seeptable ‘when an organtzation datas conformity to this Ineenatonal Sandard 2. Normative references ‘The following documents, in whole orn part, are normativly referenced inthis document and are Indispensable forts application. For dated references, ony the edition ced applies For undsted "ferences, helatst eiton othe relerenced document (ncding ary amendeent) apples, ISO/IEC 27000, information tchnolggy — Securty tecniques — Ijormation securky management ‘ystems — Overview and vocabulary 3. Terms and definitions For the purposesof this docu vent the terms and defatons given tn SO/1EC 27000 apply. 4 Context ofthe organization 4.1 Understanding the organization and its context ‘The organization shal determine exteral and internal issues that are relevantto ts purpose and that allect ts ability to achieve the intended outeome(} ofits information securty management system None, _Determinig these sues fers to estahishing the exteraal nd itera ones oth onganlaaton ‘haidered i Gauee S580 83000200900 42 Understanding the needs and expectations of terested parties ‘The organization shll determine 2) Interested partie that are relevant the Information security management system; and 1) therequiremens ofthese interested parties relevant toinformation security NOTE ‘The regurements of iotrested parties may fncade legal and regulatory requirement sed 43 Determining the scape of the information security management system, ‘The organlzation shall determine the boundaries and applicability of the information seculsy management system to etait Re scope. Ce io/tee2012- Aes sero 110/18¢27001:2013(6) ‘When determining ths scope, the organization shal consider: 4) theexcorna and internal sues referred ton 4: 1) therequirements refered ton 42: and 19) tncarfaces and dependencies between activities performed bythe organization, and those that are performed by ater organizations. ‘Thescope shall be avaliable as documented information. 44 Information security management system ‘The organization shall establish implement, maintain and continually improve an information security management system, Inaccordance with the requlrements ofthis Internatlonal Standard. 5 Leadership 5A Leadership and commitment ‘Top management stall demonstrate leadership and commitment with respect tthe Information seeurty management system by 2} enguring the information securty policy an the fformation sscurty objectives are ertablshed Band ae compatible with the strategie direction ofthe rganlztion; 1) ensuring the igraton of the Infrmatin security management system requirements into the ‘rgantation’s processes 1) ensuring thatthe resources needed forthe information security mangement eystem are avalable; 4) communicating the Importance of fective information security management and of conforming to the information security management system requirements, 6) ensuring tha the information security management system achlevests intended ovtome(3}: 1) dizecting ad supporting persons to contribute to the effectiveness ofthe information security ‘management syste; 2) promoting continual improvement and 1) supporting other relevant management roles to demonstrate thei leadership as applies to their areas ofFesponsiity. 52. Policy| “Top management shall establish an information security polly that 4) Isappropriateto the purpose ofthe rgantzation; 1) Includes information security objectives 6.2) or provides theframeworktor setting information security objectives: 19. tnchuds commitment to satisfy applicable requirements related to nformation security and 4) tnchudes commitment continual improvement of the formation security management system, ‘Theinformation security policy shall 19)_beavallale as documented information; 2 fetsonec 2013 -Aasresornd1s0/18¢27001:2013(6) 1) becommunicated within the organization: and 1) eavallabltoincerested parties as appropriate 5.3 Organizational roles, responsibilities and authorities ‘Top management shall ensure that he responsibilities and authorities for roles relevant toinformation ecuity are asegned and communicated ‘Top management shall assign the responsibility and athorky fr 8} ensuing that the information security management system conforms tothe requirements of this Inernational Standard; and 1) reporting onthe performance ofthe formation security management system to top management. NOTE __ Top management may als sgn reponalites and authors fr reperting perfomance ofthe eration secur atapement stam wit the galanin 6 Planning 6. Actions to address risks and opportunities 6411 Generat When planning for the information security management system, the organization sal conser the Issues eferredtc ind. and therequtrementsrwerredtoln.Zand determinetheriskeandopportunities ‘hat need to be addressed to: 4) ensure the fformation security management system can achievits intended otcame(); 1) prevent, or reduce, undesired effets; and ‘9 achieve continua improvement ‘The organization shall plas 4) actions to adress these risks and opportunities; and ©) howto 1 integrate and implement the actions into its information security management system processes; and 2) evaluate the effectiveness ofthese actions, 64.2 Information security risk assessment ‘The organization shall define snd apply an information security rik assessment process that 2) establishes and maintains information security rekeritera that ince: 1) theriseaceptanceenterta; and 2)_erteriafor performing storm 1) ensures hat repented information security risk aseaments produce conssteat, valid and omparable rests fon seeunty rskassessments; ‘15s 2013- Ais ered u150/18 27001:2013(6) 6) Monies the information security rise: 1) applythelnformationsecurty risk assessment proces to dently risk assoclated with thelass ‘at eonfdentlty,negety and avail for information within the seape ofthe Ivormation Security management system and 2) entity the risk orers; 8, analyses the information secure sks: 2) asseee the potential consequences that would result the risks ented in 6.2.0 3) were fomaterilizes 2) asvoss the realsticlikelhood ofthe occurrence ofthe iss identified in 1.2 3}-and 3). determine the levels of (9) evaluates the information secuty risks: 1 compare the results ofrisk analysis with the isk teria established n ..28) 2nd 2) prioritize the analysed risk fo sk treatment ‘The organization shall, assessment process tain documented information about the information security rise {64.3 Information security risk treatment ‘The organization shall define and aply an taformaton securt isk treatment proces tt 4) select appropriate information security risk treatment option, taking account of the risk [ssossment results; 1 determin al conte hat are necessary to inpement the ffomaton secur sk westment option(s) chosen NOTE Organinations can design controls a eqird or enti then fom any src, 6} comparethecontrolsdeterminedin 1.38) abovewiththosein AnnaxAandverifythatno necessary ‘ontrole have bean mitted, NOTE1 Annasdcotainsacomprebensiveisofontroobjecivesand contre Uersofthistternationl ‘Standard arerectedto Anas As eure that no necentry conta are creteaked. NOTE? | Contra objectives are impli secuded in the conte chosen The cnt abjetves and ‘tos stein aus a are not exhaust and datoal conta objectives ad coneols ay be ede 4) produce a Statement of Applicablity that contains the necessary controls (oe 61. 8) and 6) and Justieain for indusions whether tey are implemented or hot nd thelustifeation for exclsions teontrolsfrom Annex. }formulatean information security es treatment plan; and 1) obtain iskowners approval af the information security es treatment plan and acceptance ofthe ‘esd information security risks. ‘The organization shal retain documented fnfermatlon shout the Information security risk trestmant process NOTE Thelafrmation secur rik atasoner ond reatmast pacerinthinternational San ‘withthe principles and genercpuielns provided 80 8100050, ‘ ‘ots 20:3 aves meena1so/tec 27001:2013(8) 6.2 Informacion security objectives and planning to achieve them “Theorpanization shall esta “Theinformation security objectives shall 2) beconsistentwith thefnormation security poly: 1) bomeasurabe (if practicable): 6) take Ino accoune applicable information security requlrements, and results from risk assessment Sad ik estment? 4) becommunicated:and ©) euplated st appropriate. ‘The organnation shall retain documented information onthe information security objectives, ish nformation security objectives at relevant functions and levels. ‘When planning how to achieve its information secrity objectives, the organization sal determine: 1) what willbe done: a) what resources willbe required 1) who willbe responsible; 4) when wll be completed: and 5) ow the results wil be evaluated. 7 Support 7A Resources ‘Theorganisationshalldetermineandprovidetheresourcesneeded frtheestablishment.imperensation, ‘maintenance and continual improvement ofthe information socurty management syste. 72 Competence ‘The organization shall: 13) determine the neceaary competence of person() dong wrk under ie control that affect Its Inarmaton security performanes; 1). ensurethathesepersonsarecompetentonthebassofapproprateeductin,talning,cr experince; ©) where applicable take actions toaequire the necessary competence and evaluate the effectiveness ‘ofthe actions taken; and 4) retain appropriate documented information a evidence of competence. NOTE spplabe atone may incu, for example he provision aftrining tothe mentoring ob thee ‘Sclgamentol current empajes or thebiring or contracting! compat peat 78 Awareness Persons doing work under the orgenteations contra shall be aveare of 4) thetnformation secur policy: ‘o1sots2013- Ags ered 5180/126 27001:2012(6) 1) thelr contribution to the effectiveness of she information security management system, inching the benellts of improved information security performances and ©) theimplicationsofot conforming withthe information security management system requirments 7A Communication The organization shall determine the need for inte Information security management sytem Including: 2) onwhatto communicate: and external communications relevant tothe 1b) when to communiate; ©) with whom to communicate: ©) who shall communicate;and 2) the processes by which communication shall be efected, 75. Documented Information 784 General ‘The organizations information security management system shall nc: 8) documented information required by this International Standard and 1) documenied information determined bythe organization a beingnecessary forthe effectiveness of the information securty management system. NOTE The extant of dacunented information for an formation security management ye can der 1) thesia oorgenzation ands typeof acts, processes, products and services 2) thecomplestyofproceses andtharinterations and 5) thecompeense of persons, 782. Creatingand updating When cresting and updating documented information the orguniation shall ensure appropiate 4} Wentification and description og tite, date autor or reference number) 1) format (g, language, software version, graphics) and media (eg paper electronig) and ©) revlew and epproval or suitability and adequacy. 753 Control of documented information, Documented information required by the information security management system and by this International Standard shall be contelled to ensure 4) ltsavalableand suitable for use, where and when tis needed and 1) Ieisadequately protected (eg from loss of confidential, improper use, orlass oflntegity). ‘ oye 2012- Ales reared180/186 27001:2013() For the control of documented information, che arganiation shall address the following activities asappleabe ©) istrution acces, retrieval and use; 4) storago and preservation including the preservation oflegibity; 9) conttal of changes eg version control} 1) retention and dispsition, Documented information of external origin, determined by the organlzation to be necessary for ‘he planning and operation of the information security management stem shall be dented approprateand controle, NOTE Aces mpi a daciton regarding the pcmisin ta vew the documented information oly oth ‘ermicsion snd suthare to ew ae hang the dacumente intrmato, te 8 Operation 8. Operational planning and contro! ‘The organization shall plan, implement and contol the processes needed to meet information security ‘eqirements and to implement the acsonsdstermined in a. The organization shall algo implement ‘plans to achieve nfermaton securty objectives determined in 2 ‘The organization shall keep documented information tothe extent necessary to have confidence that the processeshave been erred ota planned. ‘The organization shall contr! planned changes and review the consequences of unintended changes, lakingaction to mligate any adverse ellect, ae necessary. ‘The organization shall ensure that outsourced processes are determined and controlled. {82 Information security riskassessment ‘The organization shall perform information security risk assessments a planned Intervals or when significant changes are proposed er occur taking account ofthe criteria estabished i G2). ‘The organlzation shall retain documented information of the results ofthe Information security risk assessments 83 Information security risk treatment ‘The orgenzaton shall implement the information security sskrestnen plan ‘The orgenteation shall retain dacumented information of the results ofthe information security Fisk teatment 9 Performance evaluation 941 Monitoring, measurement, analysis and evaluation ‘The organization shall evaluate the information security performance and the effectiveness ofthe Information security management system ‘The organization shall determine: 4) what needs to be montored and measured, Including information security processesand controls: ‘e1syine2013-atierseed 7150/18¢ 27001:2013(6) 1B) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid ests, NOTE Themethodssletd sould producecomparsbeandreprofucbe resis tobe conser ©) when the monitoring and measuring shall be performed; 4) who shall montorand measure: «}whenthe results from monitoringand measurement shal be analysed and evaluated; and 1) who shall analyse and evaluate these results. ‘The ongoniaton hall retain appropriate documented information ss evidence of the monitoring and smeasuremen esl 92 Internal audit ‘Tae organiaton sll conduct sternal ais at planed ftervals to provide information on whether thetnformation security management systems 3) conforms to 1) the organtatons own requirements forts information security management system; and 2) the requirements ofthis ternational Standard; 1) Isetoctioly implemented and maintained. ‘The orgalzation shall: ©) plan establish, implement and maintain an aut programme()incding the frequency, methods, {esponsiblises, planning requirements and reporting. Te audit propramme() shal ake nto ‘conaderaton the Importance ofthe processes concerned and the results of previous audits; 4) dating the audierterta and scope foreach audit 6) selectauitors and conduct audits that ensure objectivity andthe impartial ofthe audit process, 1) ensure that the results of theauditsare reported to relevant management; 3nd ) retain documented informations evidence of the audit programme(s and the auitresuts. 9.3. Management review ‘Top management shall revlew the organlzatlon’ Information security managemert system at planned Intervals to ensure Rs continuing suitability adequacy and effectiveness, ‘The management evi shall include consideration of 2) the status of actions fom previous managementreviws, 1) changes in external and internal issues that are relevant tothe information security management ‘system: ©) feedbsckcon the information securky performance, ching trends in 1. nonconformities and corrective actions; 2), monitoringané measurement results; 3) aditresuts-and 8 1st 205-ehsreserved180/18627001:2013(E) 4) fultment of information security objectives, 4) feeack trom intrested parties; ©) results ofrisk assessment and status ois trestment pla nd opportunites or continual improvement. “The qutputs of the management review shall include deislone related to cotinsal improvement opportunities and any needs for changes tothe Information seculty management syste ‘Thoorgosizationhallotan documented inormationas evidence ofthe resutsof managementreviews, 10 Improvement 410.1 Nonconformity and corrective action ‘When nonconformity occurs the organization shall: 4} reaetto the nonconformiy, and applicable 4) take action to contrl and correctit: and 2), deal withthe consequences 1) evaluatethe need fr ation a eliminate the causes of ronconformity, inorder that it does not recur tr occur elsewhere, by: 1) reviewing the nonconformity; 2) determining the causes ofthe nonconformity: and 3) determining if similar nonconformites exist, or could potentially ecu; ©) implement any aeton needed; 4) review the effectiveness of any corrective action taken: nd ©) makechanges tthe information security management syste f necessary Corrective actions shall be appropriate to the effets ofthe nonconformities encounter. ‘The organization shall retain documented information as evidence of 1) thenature ofthe nonconformities and eny subsequent actions taken, and A) theresuls of any corrective aetion. 102 Continual improvement ‘Theorganiation shall coninuliyimprove the suitability, adequacy and effectiveness ofthe Information security management syste ‘e1sytee 2012s rrenet °150/16 27001:2013(E) : Annex A (normative) Reference control objectives and controls ‘The control objectives and controls sted in Table. ae direty derived from and aligned with those sted in 150/120 2700220131, clauses 5 to Hand ae tobe used in context with ‘Table A.1 — Control objectives and controls [AS_ Information security polices [AS Management direction for information security objective: To provide management drection and support fr information security in acordance with lousines regulrements and rlevantlaws and regulations. cre asia [feestoritorna |p seofptes tr inormatin scary sal be deine approved fener" [erent le scented octane Peer ea Rew te pa saa RETRRRIERL, line pots tr inoratnseciry sal bereiyed lane este Ime segue changes arto ese tc enna sual adequacy and elfectveres. [A Organization ofinformation socurity [Aa tnternal organization objective: To establish a management famaworko iniateand contra he implementation snd lperationoftnformation security within the organization. inormation security [Controt Ja.si.1 frolesand respons lan myormation security responsibilities shal be defined and alle- ties sted (cond gation of dies. | Conflicting duis and ares of esponsbty shall be segregated to [A642 |Searesation outs rejiceoppertunies ar unouthoriaed or unintentional modes on or misuse ofthe organizations asses. [contact with author [Control [A613 leer Appropriate contact wih relevant authorities shall be maintained [conerot [contact with speci! appropriate contacts with special interest group or other spcial- laos appropriate contacts with speci groups o other spe “S14 linerest groups et security forums and profesional associations salle main- ined information security [ON Jacs.s |inGrojecemanagemsne| information security shall be addressed in project management, [regardless of the ype ofthe projet [Aga Mobile davies and teleworking [osjective:To ensure the security of teleworking and use of mobile devices 10 (e150 2012- eersred1s0/18¢27001:2013(E) ‘Table A (continued) 1.623. |eotie device policy (coneror | policy and supporting securky mestures shall be adapted to [manage the risks introduced by using mobile devices, |a.62.2 [reworking [controt | policy and supporting security mearures shall be implemented to lpotect information accessed, processed or stored at teleworking, Stes. [a7 Human resource security [aA Prior tp employment Dbective:To ensue that employees and contractors understand thelr responsibilities and are sue sb forthe ols for which they are considered lana. |sereening [contrat ciground verification checks on all candidates for employment etal carried ootin aecordance wih relevant aw, rogilstions and ehies snd shal be proportional othe business requirements, the clssication ofthe information tobe accessed andthe por- esved ek ‘Terms snd conditions [A742 Sremployment [comer tbe coneractual agreements with employees and contractors shall :tate tir an the organtaation's esponsltes fr information [a72 During employment Objective: To ensure that employees and contractors are aware of and fli thelr information security responses ‘Management responsi faraa |Manaee [conerot Management shall require al employees and contractors ‘0 apply information security in aecordance wit che established polices land procedures ofthe organization, Information securcy fa722 [awareness education land waning [control lll employes ofthe organization and where relevant, contrat- tors shall receive aparopriateawarencss education and taining snd regular updates in organtaatonal paces and procedures, 2s [relevant for thee ob function. fa.72.3 |piseipinary process [conerot there shall bes formal and communicated discplinary process is plac to take action agatest employees who ave comatted an information security breach [a3 Termination and change of employment objective: To protec the organization's nterestsas par ofthe process of changing or terminating Jempleyment {recmination or change In232_Jotemploymentrespo-| sities [Goneror Information security responstiitis and duties that rematn valld ater termination or change of employment shall be delied, com ‘murieatedto the employee or contractor and enforced. [Aid Asset management [A.8a_ Responsibility for assate 1/20: aes eerie u1s0/tEC 27001:2013(E) Table A (continued) [active Fo Meni onganiatonalasceteand define appropriate protection responsibitis faa inventory ofassets [coer [assets associated with information and information processing cities shall be dentified and an inventory ofthese eset shal lbe drawn up and maintained. [a32 lownershipofassets [cones |Asets maintsined in she inventory hall be owned, [acceptable ws of lasas [Accept [ener Rules forthe acceptable use of formation and of assets associated ith information and information processing faites al be dentled, documented and inplemenced Jaa |Retur ofassets [cone att employees and extrnal party vers shall return all ofthe locwartational assets in thelr possession upon termination oftheir employment, contractor agreement. [A.B2_information cassification To ensure ha Information receives an eppropriate level ofprotetion [ns importance to the organization. accordance with [conerot Jasza_|Sssseston otter fntarmason hall be cassie in tems oflegal requirements, Jatin | vale, criticality and sensitivity to unauthorised disclosure ot Imodiieston [contro |,.2.2.[Labellingotinforma- an appropriate set of procedures for information labeling shall be [developed and implemenced in accordance with te information [tesilation scheme adopted by the rgantzation, |n23 |mandting ofassets [ener Procedures forhandling assets hal be developed and imple- mented in accordance with the normation classification Schone stonted by the organization, [Aa Media handling Objective: To prevent unauthoriaa [sored on medi, dialogue, medication, removal or destruction ofinfrmation htanagement of remov- [234 |sble media [contrat [procedures shall be implemented forthe management of emov- ltle median accordance wit the classification scheme adopted by the organization, JA.23.2 Joisposa of media (concro! [Media shall be disposed of securely when no longer requlred using Irarmal procedures. eas |fsotmetaran (control edi containing information shall be protected against unauthor- led access, misuse or corruption curl transportation IAS Access control 94, Business requirements of access control 2 (21s tb 2012—Aiheret1so/1e¢27001:2013(8) Table Aa (contin) [Otjrive: _Tolimicacces to information ad information processing Fetes [comer laa |Access contro poly |Anaccess control poly shal be established, documented and [reviewed based ot business abd information security requte- laoaa accesso networks lend network services loner users shall only be provided with aces othe network and net [work services that they have boon specifically authorized to use [AS2 User access management objective vies "To ensure authored se acess and to prevent unauthorized acess to systems and set lao ser registration and [eoerar [formal user registration and deregietraton proces shall be Screisraton = implemented to enable assignment of acess rights lonrot luseracess provision | forma user ces provisioning proces shal be implented ta lneze roving Ine ssn or reve sees ngs oral wc gpestoal ostrsand Serie leonrat tanagemeat fpr lnsaa anmement eter |r acon and us ofpriveged aces iis shalbe rescind contrac. |Management of secret |Contral Jas2a_|athemation nor [pe tctoncsteretstentiton train dal be cone Imation ofusers" [vols trougs ora management pecs. Review oseraces [Conteh lnsas [rights LAsset owners shall review users’ access rights at regular intervals, Jeonral tinvar adjustment The eetright fl employes and eternal party arto hans [Renovator ah tal be enored fotaccers ight information and information processing fei {spon termination of thelr employment, contractor agreement, or atjusted upon change [AS3_Userresponsibiliies [objective Tomake users accoustae for safeguarding thelr authentication information laosa, \us of secret authent lestioninormation [contrat users shall be required to fellow the organaation's practices in the use of seer authentication Information, [ASA_systemand application acess control [objective To prevent unauthorized accesto systems and applications. Incas. evormation access [coerot |Accecsto information and application system funtion hall be irestcted in accordance withthe access contra policy lagna secure tog-on proce jaures [controh where required bythe access contol policy access to systems and applications shal be controled bya secure logon procedure (tsb 2013-ghrresevet Fr1s0/t¢ 27001:2013(6) Table (ones) ome oral Jaga [Rsrwordmanaee Ics ord management sstems sl be ateracive ad hl lente quay puso Jot usc otiege ut |rpe ae of ity pronramsthat mig be coral over [8944 lity programs |system and application controls shall be restricted and tightly ceca sss control to pro- [Control Jaoas [Acces trol top Jramsoureecode |Accss to program source coe shall ba restricted. [ato Cryptography [a0 Cryptographic controle objective: To ensure prope and efective use ef erypiography to protect the confdantaliy,authom te andor integrity of information raicyonsheuse of |e! Ho ee e|A poly onthe use of ke controlar protection of reels Api a he use of rypogrpie conto for protection eee {nformation shal be developed diets [contro Jaro. |keymanagement lA policy on the use protectin ad lifetime of cryptographic keys [hal be developed and implemented tarough ther whole eevee [Ai Physical and environmental security [aL Secure areas objective: To prevent unauthorized physical access, damage and itererence tothe organizations Information and information processing cles. [conor Physical secarity | security perimeters shal be defined and vse to protect areas that [Mt perimeter [ental tar senative erties information and information| rocesing elites Iconeror JA2.1.2 |Piysial entry controls|secure areas chal be protected by appropiate entry contro to [ensue that only authorized personnel are allowed acess, securngottees, [nel aod ee tiies [Physical secur for offies oameand facies hall be designed aed appa Protecingagainst _ [Conerot [as.t4 lesternl andenviron- |paysca protection gains natura dsastrs, mallcicus attack or few re ea tached ed ope nr gin see Janis [eck Prose for werhingin sear res shall desired and fost ene wer ndenting [tec pos hs every anrot on oer pont Jas [DE a rae nae Jeontrolled and, fpossibe, isolated from information processing Flite to avis unauthorized acess, “ isons 201- egret180 /1E¢27001:2013(F) ‘Table Aa Gontinved) [Aan2 Bauipment losjective: Te proven oss damage tion's operations. = theft or compromice of sets and iterrepion tthe organi [Equipment stingand [A202 Jprotection [conerok Equlpment shall bested and protected to reduce the risks from leuionmentl heats nd hatreds and opportunities or una Ithorieed access [a1.2.2 |supporting utes (convo! Equipment shal be protected from power fares and other ds iptons cose by failresin supporting wilt |aan.23 Jcablingsncurity [conrot iPower and telecommunications cabling carrying data or suppor- Ingnformation services shall protectod from interception, Intrterence or damage. asa.2a [elmer maine [contrat Equipment shall be correctly malztaned to ensure its continued svat end inept Jaan |Removal ofasets [contrat Equipment, ivormation or software shall ot be taken offsite without prior authorization security ofequipment| [aan2s Jand assets of-prem~ [control security sallbe applied to offsite assets taking nto account the alferort risks of workang outside te organo’ premises. secure sposal orre- [42127 |ise oc equipment [contro latttems ofequipment containing storage media shallbe verted Ito ensure tat any sensitive data and license sfeware hasbeen |emoved or securely overwitin pit to dsporal or Feuse [contro lusatended user lane |Uatende isers shall ensure that unattended equipment has appropriate elon. (con! [Clear desk and dear a clear desk policy for papers and removable storage mela and [42429 Jecreen policy cea screen policy for information processing alles shal be opted [a2 Operations security [a.32. Operational procedures and responsibilities lonecive: To ensure correct and secure operations a information processing falies, Documented operating laazaa [Documenta [conrot loperating procedures shallbe documented and made avaliable to ll users who need them, [412.12 |crange management [conror change to the organization, busines processes information pro~ lessng facies and systems thaatfet information security shall le controle. 2 1s072015- eters Fe180/186 27001:2013(E) Table Al (continued) Jéonror Jaaz.s |capacty management [Fhe use of esources shall be monitored, tuned and projections arscky manakemen fade of futur capacty requirementsto ensre the required sy [em performance separation ofdevel_[Controt Jazze lopment.tetingand —|pevelopment testing. and operational environments shall be sepa- operational enviran- reed to reduce the risks of unauthorized acess or changes tothe loperatonal environment [A2.2 Protection rom malware [objective T ensure that information and information processing facllas ae protected against natware. lacz2 contreisagainst mal [a3 Backap [Goeror Detection, prevention and recovery controls to protect against ‘malware shall be implemented, combined with appropriate user objective "To protee agalnstloss of ata faz. intormation backup [conerot Iseckup copes of information, softvare and system images shall b| {ken and tested regularly tm accordance with an agreed backup li [A124 Logging and monitoring lovective: To record events and generate evidence, coe = even recrng ter acties eens, us nr JAa244 [Eventlogging |mation security events shall be produced, kept and regularly a [Protection ofiog infor: |" [a2 re Pe ogging facilities and log information shal be protected agalnst, i ce seas [bent and |e neice seen opera ses habe Se oon az [cnesyecrentin [ne dees eft rennin poening stent we lan organization or security domain shal be synchronised tose lle reference tine source. [A2.5 Control of operational software lobieciv: To ensure the integrity operational ystems. laszsa instalation of son ware cn operational systems Jconror Procedures shall be implemented tp control he installation of sf [ware on operational systems. In.t2.6 Technical vulnerability management [objectiv: To proven explotation of technical valnerabies. 16 tse 2013- A iene180/18¢27001:2013(8) Table AA (continued) Management ofthat 1263 [esl vuloerabiies [Gora Information shout technical vulnerabilities of nformation systems being used shall be cbtalned namely fashon, the organtaxtion’s lexpacure ta such vulnerabilities evaluated and appropriate meas lores taken to addres the asocated risk Retin on sot [412.62 Jira intaliton [controt les governing the installation of softwareby users shall be estabshed and implemented. [at2:7 information systems audi considerations [objective To minimise the impact of ude activities on operational syst Information systems ja273 Hereontnas [contro |audicrequirements and activites involving verification of opera~ ona systems shal be carefully planed and agreed to minimise laisruptions to business processes [Aa Communications security [A134 Network security management cessing facies ‘Objective: Te ensure the proteton of information in networks and hs supporting information pro- jacana |Networkeconrole (conrad Networks shall be managed and controlled to protect information Insystemsand apleations. security of network laasaz |Securty [contrat security mechanisms, service levels and management requlre- ments oral network services shall be detifiec and Included in lnework services agreements, whether these services are provided lchowse or outsourced, Segrepstionin net- lasaaa [conerok Groups orinformation services, users and information systems stalbe segregated on networks [Aia2 Information transfor jective atthe ery of rman tanner wih ranaton snd Way lexternl nt. seminar |e wast ales raced halen plc ja3.21 (poles and proce” [Formal transfer polices procedures and control shall bein pl [ples and co protect te raeler of information through the use fs types of communication feces, |agroements on infor- [A#822 nation ans [contrat lAgreements hall addres the secure transfer of business informa- son between the organzation and external partes [13.2.3 |eteetonic messaging [conerot information ivalved in cleteonie messaging shall be spproprt ately protec. ‘etso7sc 2013-Aeig nsened ”Iso tee: 27001:2013(8) ‘able A. Continua) Iaaa2a Confidentiality or non Aseosure agreements [conerod Requirements for conidentiaity or non-disclosure agreements rlscting the organatons needs forthe protection of fforma Kon shall be dented, regulary reviewed and documented [Aad System acquisition, development and maintenance [aa.t Security requirements of information systems [objective lover puble networks. “To ensure that information security an integral pata information stems across he lentrelfecyee. This the requirements for informatio systems which provide services laseaa requirement land speciation (oner |The tetormation security elated requirements shall be ncinded in the requirements for new information systems or enhancersents to exstnginvormaton systems. awa securing aplication services on puble ‘newer [contro taformation involved in application services passing over public networks sal be protocted from fraudulent activity contact s+ [ute and unauthorized disclosure nd mediation, lamas [Protecting eplication services transactions conert ttormation involved in application service transactions shall be [protected o prevent incomplete transmission, mis outing una torlzed message alteration unauthorized disclosure, unathor aed message duplication or eply. [A142 Security in development: and support processes, lobective: ionsystens. "To ensure that information security is dsigned and implemented within the development lecyel of tefore laaon secure development aley [eonrar Rules forth development of software an systems shall be estab- lished and apple to developments within the erganization. laswo2 system ehange control procedures [conor changes to systems within the developmentlifecyele hall be con- role by the use of formal change control procedures. lua ‘Technical review of applications after operating platform [changes [conrot [when operating platforms are changed, business eritial applles- [sons chal be reviewed and tested to ensire there ino adverse espace on organizational operations or security. lasso Restietions on changes to software pecker oner Modiications to software packages shall be discouraged limited to necessary changes and al changes shal be strictly controled auas secure system eng- Inering pines contro Principles for engineering secure systems salle established, Jdocumente, mattained snd applied to any information system implementation eforts. ©tsonc 2015-nrgeeret1so/tec27001:2013(8) ‘Table A (continued) secure development 10426 Jervironment [conor lorgantatons shall extsish and appropriately protect sceure \gevelopment environmen fr system development aod incegra- huon forts that cover the entire system development fezyee Jantar Jousourced ever Jaane [ante sewtrte (conerot ‘The organization shall supervise and monltor the activity of ou sourced system development (control [esting securtyfunctionaliy shal be cared out ding devel lopment. Isystem acceptance [A2829 fein comer Acceptance testing programs and related criteria shall be estab ished Tor new infarmation systems, upgrades and new versions [asad Testdata [obectiv: To ensure the protection of data used for testing. [424 [Protection oftest data [comer est data shall be selected carefully protected and controlled. [As _ Supplier relationships [a15.1 Information security in supplier relationships [objective To ensure protection ofthe erganization’sasseis hat accesible by supple. Inrsation scarey last |poley for supper {elationchine [cone information security requirements or mitigating the risks asoci- ated with supplies ccess othe ergazation's asset shall be sareed with the supplier and documented lAddressng security lassaz [within supplier agree comer alt retevan information security requirements shall be established land agreed with each supplier tha may access, proces, store, loess Snmskce er provide inactive componente e Sruaton iiornatin, ‘womuonannsom eo?! Laasas Mopmatlonsnd cm. |sgrenents wth supplies sal nde reqtrementtoadres recat chlo | sormatn secry ate aseecared wit ifrmaton and Somos enone cknlogy sever and poet sucha (Aa82 Suplor service delivery management ‘Objective: To maintain anagreed ler agreements evel of information security and service delivery in ine with sup Monitoring and review [A524 orsupplir services [ener lorgantzatons shall regulary monitor, review and aut supplier levee delve Managing changesto [82522 supper services (contro! changes tothe provision services by suppliers, ncuding Inaintaining and improving existing ivormation security plies, [procedures and controls shal be managed, taking acount ofthe [ritiality of business information syatems ana processes invalved land ra-ascnertent of se ‘eto 2013- ais rset 19180/186 27001:2013(6) ‘Table A. ontinued) [R16 Information security incident management [A164 Management of information security incidents and improvements [osjective:To ensure a consistent and effective approach to the management ofinfornation Security Incidents including cormuniaton on security events and weakest, leit Jeponssties snd |nagenentrespnstiites nd procedures shal be established nasa geen respon roe JProcedures [to ensurea quick, effective and orderly response to information scum taddents. coal eporanginirmaton Jaca [Reporang norman ation security vets chal be rporte through apnroprate Inonagenecamals ss auc os poole control Reporting information |Etirlayees end contractors using the orgeniatons information 4.1623 [Eee eaten [systems and services shall be requlred to note an vepor any lbeerved or susperted Information security wesknesces i535 ems or services, lassessmentotana |C*neo” ‘sin on informa [formation security events shall be ascessed anit shall be [re icccusnyavents decided they are tobe csafed es Information security Ince dens. conerot Response to intorma- faasas [iesParantey mcdents[laformation security incidents shal be responded to in accordance with he dacementd procedures. Lewanea [contro earning rom hs. linformation secarty [Knowledge ganed (rom analysing an resolving informatio sect eee Icy Incidents chal be used to reduce the Heaihond or impact oF fre incidents [comer |ae7 |cotectionofevidence |The ganization shal define and apply procedures for he iden ste colton austin and preseratin formation which ean serve as evidence. IAa7 Information security aspects of business continlty management [A174 Information security continuity jective: information security continuity shall be embedded inthe organizations business contin ty management systems [eonerok Jaana [Planninginformation |rie organization shall determin ts requirements fr nformation security entity leseurity andthe continuky of information security management in adverse situation eg during acral or disaster \coneroh implementing infor. rhe orgoniation shall establish, document, implement and main- Ja.ara.2 |mation securty cont |tsn processes, procedures and controls to ensure te eguited fy level of contin for Information security during sn advert si ion. 20 ‘otsone 2015-atre sered150/18¢27001:2013(E) ‘Table Aa (Contin) verity review and laa7aa |evaluate information [security coxtnaty [Gomer Inc organization shall verity the established and implemented {information security continlty controls a egular tervals in forder to ensure that chey ae valld an elective during averse [A072 Redundancies [objective To ensure avalabiy of information processing faces. [acaitabitiy or infor lava [comer iaormation processing facts shall be implemented with redun- dancy suiient to meet avallaiity requirements [Ax8 Compllance [n.18.1 Compliance with legal and contractval requirements otjeciv: Ta avoid breaches of legal statutory regulator or cntracual obligations related te infor- Imation security and of any security requirements Identification of app {ablelegisistion and [contractual require lars contro allrelevant legislative statutory, regulatory, contractual requlre= Inenis end the organization's approach to meet these requlrements shall be explicitly identfed, documented and kept up to dat for each information system and the organization. Laree {lntelletual property 82 hts contre Appropriate procedures shall be implemented o ensure compl ance with Iegsative, regulatory an contractual requirements lated to ntllectat property rights and use of proprietary soft ware products. Jae [protection ofrecorts onert Records shall be protected rom loss, destruction, alification, lunauhorized acess and unauthorized release, In acordance with lepisatory regulatory, contractual and business requirements. lpvacy and protection Jas lofpersonaly dens latletnormation (contr Privacy and protection of personally identifiable information shall le ensured as required in Felevant legislation and regulation where spptcable. Regulation of erypto- JA825 | graphic controls [contro cryptographic controls shal bo sed in compliance with allre- evant agreements legislation and regulations. [AA.2 Information security rev objective: To ensure that information security is implemented and operated in accordance with the organizational poliies and procedures. Independent review of [A824 |inormation security [comer IMac organizations approach to managing information security and Its implementation (re contra abjectves, controls polls, pro- lesser snd procedures for information security) shall be reviewed Independently a planned Icervals or when ignileant changes etoyate2012- tered a180/18¢27001:2013(E) Table a (continues) [coir [Compliance wieh anager hall regularly review the compliance of information lata frecurty pliciesand|pracsringand procedures within thelr area of responeibity with standares the appropriate security plies, standards and anyother security requirements. [contro echnical compliance |nformation ystems shall be regulary reviewed for compliance Ja1823 Jrevtow |with the organiatons information securty polices and stand= srs 2 ©1sytoc 2015~ A eihersenea a s i 1s0/1¢27001:2013(8) Bibliography ISO/IEC 270022013, formation technology — Security Tecniques — Cade of practice for Information security centres 180/12 27003, formation technology — Security techniques — Infrmation security management ‘sjstem Implementation guldonce 1S0/1EC 27004, tjormation technology — Security techniques — Information security ‘manogement — Meosuremert '180/18¢27005 formation technology ~Sacurty techniques —Infarmaionsecury rskmanagement 180 31000:208, Risk management — Principles and guidelines 1S0/1EC Directives, Part, Cansolidated 80 Suplement~ Procedures spr to 10,2012 o/te2012-Alghsesert 2180/18¢27001:2013(E) . Ics 35.040 ries on 2 yes isotse2013- eee rseved