BSI Group Headquarters
389 Chiswick High Road London W4 4AL
Tel: +44 (0)20 8996 9000
Fax: +44 (0)20 8996 7400
www.bsigroup.com

Form 36
DPC: 12 / 30192064 DC
Date: 21 January 2013
Origin: International
Project No. 2008/03528
Latest date for receipt of comments: 23 March 2013
Responsible committee: IST/33 IT - Security techniques
Interested committees:

Title:
Draft BS ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements

Please notify the secretary if you are aware of any keywords that might assist in classifying or identifying the standard or if the content of this standard
i) has any issues related to 3rd party IPR, patent or copyright
ii) affects other national standard(s)
iii) requires additional national guidance or information

WARNING: THIS IS A DRAFT AND MUST NOT BE REGARDED OR USED AS A BRITISH STANDARD.
THIS DRAFT IS NOT CURRENT BEYOND 23 March 2013

This draft is issued to allow comments from interested parties; all comments will be given consideration prior to publication. No acknowledgement will normally be sent. See overleaf for information on the submission of comments.

No copying is allowed, in any form, without prior written permission from BSI except as permitted under the Copyright, Designs and Patents Act 1988 or for circulation within a nominating organization for briefing purposes. Electronic circulation is limited to dissemination by e-mail within such an organization by committee members.

Further copies of this draft may be purchased from BSI Shop http://shop.bsigroup.com or from BSI Customer Services, Tel: +44(0) 20 8996 9001 or email cservices@bsigroup.com. British, International and foreign standards are also available from BSI Customer Services.

Information on the co-operating organizations represented on the committees referenced above may be obtained from http://standardsdevelopment.bsigroup.com

Responsible Committee Secretary: Ms Anne Cassidy (BSI)
Direct tel: 020 8996 7430
Introduction
This draft standard is based on international discussions in which the UK has taken an active part. Your comments on this draft are welcome and will assist in the preparation of the consequent standard. There is a high probability that this text could be adopted by CENELEC as a reference document for harmonization or as a European Standard. Recipients of this draft are requested to comment on the text bearing in mind this possibility.

UK Vote
Please indicate whether you consider the UK should submit a negative (with reasons) or positive vote on this draft.

BSI Committee Responsibilities
Whether or not the standard is published in its original (international) form, or as a formal British Standard Implementation, the BSI committee's responsibilities are to:
 - aid enquirers to understand the text;
 - present to the responsible international committee any enquiries on interpretation, or proposals for change, and keep UK interests informed;
 - monitor related International and European developments and promulgate them in the UK.

Submission of Comments
- The guidance given below is intended to ensure that all comments receive efficient and appropriate attention by the responsible BSI committee. Annotated drafts are not acceptable and will be rejected.
- All comments must be submitted, preferably electronically, to the Responsible Committee Secretary at the address given on the front cover. Comments should be compatible with version 6.0 or version 97 of Microsoft Word for Windows, if possible; otherwise comments in ASCII text format are acceptable. Any comments not submitted electronically should still adhere to these format requirements.
- All comments submitted should be presented as given in the example below. Further information on submitting comments and how to obtain a blank electronic version of a comment form are available from the BSI website at:
http://drafts.bsigroup.com/

 
 

Template for comments and secretariat observations
Date: xx/xx/20xx
Document: ISO/DIS xxxx

| (1) MB | (2) Clause No./Subclause No./Annex (e.g. 3.1) | (3) Paragraph/Figure/Table/Note | (4) Type of comment | (5) Comment (justification for change) by the MB | (6) Proposed change by the MB | (7) Secretariat observations on each comment submitted |
|---|---|---|---|---|---|---|
| | 3.1 | Definition 1 | ed | Definition is ambiguous and needs clarifying. | Amend to read '...so that the mains connector to which no connection...' | |
| | 6.4 | Paragraph 2 | te | The use of the UV photometer as an alternative cannot be supported as serious problems have been encountered in its use in the UK. | Delete reference to UV photometer. | |

DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27001
ISO/IEC JTC 1
Secretariat: ANSI
Voting begins on 2013-01-16
Voting terminates on 2013-04-16

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION
МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ
МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОММИСИЯ
ORGANISATION INTERNATIONALE DE NORMALISATION
COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology — Security techniques — Information security management systems — Requirements

Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Exigences

[Revision of first edition (ISO/IEC 27001:2005)]

ICS 35.040

To expedite distribution, this document is circulated as received from the committee secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at publication stage.

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

© International Organization for Standardization, International Electrotechnical Commission, 2013

Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Case postale 56, CH-1211 Geneva 20. Tel. +41 22 749 01 11, Fax +41 22 749 09 47, E-mail copyright@iso.org, Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.

Contents

Foreword
0 Introduction
0.1 General
0.2 Compatibility with other management system standards
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Information security objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.

0 Introduction

0.1 General
This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). The adoption of an information security management system is a strategic decision for an organization. The design and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system protects the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties, including certification bodies, to assess the organization's ability to meet the organization's own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards (including ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005), and defines related terms and definitions.

0.2 Compatibility with other management system standards
This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.


DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27001
Information technology ― Security techniques ― Information security management systems ― Requirements

1 Scope
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

2 Normative references
The following referenced document is indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security Techniques — Information security management systems – Overview and vocabulary

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Context of the organization

4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE: Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000.

4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.
The scope shall be available as documented information.

4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.
NOTE: Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement these actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment
The organization shall define an information security risk assessment process that:
a) establishes and maintains information security risk criteria, including the risk acceptance criteria;
b) determines the criteria for performing information security risk assessments; and
c) ensures that repeated information security risk assessments produce consistent, valid and comparable results.
The organization shall:
d) Identify the information security risks:
1) Apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS; and
2) Identify the risk owners.

e) Analyse the information security risks:
1) Assess the potential consequences that would result if the risks identified in 6.1.2 d) 1) were to materialize;
2) Assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 d) 1); and
3) Determine the levels of risk.
f) Evaluate the information security risks:
1) Compare the analysed risks with the risk criteria established in 6.1.2 a) and establish priorities for treatment.
The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment
The organization shall apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE: Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 1: Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no important control options are overlooked.
NOTE 2: Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be needed.
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls in Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owner's approval of the information security risk treatment plan and the acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.
NOTE: The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000.

6.2 Information security objectives and plans to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:

a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and treatment results;
d) be communicated; and
e) be updated as appropriate.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

7 Support

7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
NOTE: Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.

7.3 Awareness
Persons doing work under the organization's control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system requirements.

7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General
The organization's information security management system shall include:
a) documented information required by this International Standard; and
b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
NOTE: The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information
Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:

c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

NOTE: Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

8 Operation

8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2.

The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the information security management system.

The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

NOTE: The methods selected should produce comparable and reproducible results to be considered valid.

c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analyzed and evaluated; and
f) who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization's own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management review
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken; and
g) the results of any corrective action.

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

Annex A
(normative)
Reference control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC DIS 27002 Clauses 5 to 18. The control objectives and controls in these tables are not exhaustive and an organization may consider that additional control objectives and controls are necessary.

Control objectives and controls from these tables shall be selected as part of the information security management system process as specified in Section 6.1.2.

ISO/IEC DIS 27002 Clauses 5 to 18 provide implementation advice and guidance on best practice in support of the controls specified in A.5 to A.18 (A.0 to A.4 are not used – this enables the control reference index to be aligned with the guidance sections in ISO/IEC DIS 27002).

Table A.1 – Control objectives and controls

A.5 Security Policies

A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

A.6 Organisation of information security

A.6.1 Internal organisation
Objective: To establish a management framework to initiate and control the implementation of information security within the organisation.

A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.

A.6.1.2 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.

A.6.1.3 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.4 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.1.5 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to protect against the risks introduced by using mobile devices.

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored on teleworking sites.

A.7 Human resource security

A.7.1 Prior to employment
Objective: To establish a management framework to initiate and control the implementation of information security within the organisation??

A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment
Control: As part of their contractual obligation, employees shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.

A.7.2 During employment
Objective: To ensure that employees and external party users are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Control: Management shall require all employees and external party users to apply security in accordance with established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, external party users shall receive appropriate awareness programme, education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or external party user and enforced.

A.8 Asset management

A.8.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Control: Information shall be classified in terms of its value, legal requirements, sensitivity or criticality to the organization.

A.8.2.2 Labeling of information
Control: An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A.9 Access control

A.9.1 Business requirements of access control
Objective: To restrict access to information and information processing facilities.

A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and security requirements.

A.9.1.2 Policy on the use of network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration procedure shall be implemented for granting and revoking access for all user types to all systems and services.

A.9.2.2 Privilege management
Control: The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.3 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.4 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.

A.9.2.5 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's security practices in the use of secret authentication information.

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.

A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

A.11 Physical and environmental security

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

A.11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.11.1.3 Securing office, room and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.

A.11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

A.11.1.5 Working in secure areas
Control: Physical protection and guidelines for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

A.11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.

A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

A.11.2.7 Security disposal or reuse of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

A.11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.12 Operations security

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.

A.12.1.2 Change management
Control: Changes to the organisation, business processes, information processing facilities and systems shall be controlled.

A.12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup
Objective: To protect against loss of data.

A.12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged, protected and regularly reviewed.

A.12.4.4 Clock synchronisation
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

A.13 Communications security

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.

A.13.2.4 Confidentiality or non-disclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirement for information systems which provide services over public networks.

A.14.1.1 Security requirements analysis and specification
Control: The requirements for information security controls shall be included in the statements of business and technical requirements for new information systems or enhancements to existing information systems, taking into account all relevant criteria such as the entire lifecycle or whether the application is available over public networks.

A.14.1.2 Securing applications services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 Change control procedures
Control: The implementation of changes shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

A.14.2.5 System development procedures
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development efforts.

A.14.2.6 Secure development environment
Control: Organizations shall establish and appropriately protect secure development environment for system development and integration efforts that covers the entire system development lifecycle.

A.14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.8 System security testing
Control: Tests of the security functionality shall be carried out during development.

A.14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
Control: Test data shall be selected carefully, protected and controlled.

A.15 Supplier relationships

A.15.1 Security in supplier relationships
Objective: To ensure protection of the organization's information that is accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier access to organization's information or information processing facilities shall be documented.

A.15.1.2 Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may have access to, process, store, communicate or provide IT infrastructure components for the organization's information.

A.15.1.3 ICT supply chain
Control: Agreements with suppliers shall include requirements to address the information security risks associated with Information and Communications Technology services and product supply chain.

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.

A.15.2.2 Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

A.16.1.2 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.

A.16.1.3 Reporting information security weaknesses
Control: Employees and external parties using the organisation's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

A.16.1.4 Assessment and decision of information security events
Control: Information security events shall be assessed and decided if they shall be classified as information security incidents.

A.16.1.5 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.

A.16.1.6 Learning from information security incidents
Control: Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

A.16.1.7 Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in organization's business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.

A.17.1.1 Planning information security continuity
Control: The organization shall determine its requirements for information security and continuity of information security management in adverse situations, e.g. during a crisis or disaster.

A.17.1.2 Implementing information security continuity
Control: The organization shall establish, document, implement and maintain processes, procedures and controls to guarantee the required level of continuity for information security during an adverse situation.

A.17.1.3 Verify, review and evaluate information security continuity
Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.18 Compliance

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements

A.18.1.1 Identification of applicable legislation and contractual requirements
Control
All relevant statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization

A.18.1.2 Intellectual property rights (IPR)
Control
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products

A.18.1.3 Protection of documented information
Control
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual and business requirements

A.18.1.4 Privacy and protection of personally identifiable information
Control
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation, regulations and, if applicable, contractual clauses

A.18.1.5 Regulation of cryptographic controls
Control
Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations

A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures

A.18.2.1 Independent review of information security
Control
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes to the security implementation occur

A.18.2.2 Compliance with security policies and standards
Control
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements

A.18.2.3 Technical compliance inspection
Control
Information systems shall be regularly inspected for compliance with the organisation's information security policies and standards
