IS/ISO/IEC 27001 : 2005 (Superseding IS 15150 : 2002)

Indian Standard
INFORMATION TECHNOLOGY — SECURITY TECHNIQUES — INFORMATION SECURITY MANAGEMENT SYSTEMS — REQUIREMENTS

ICS 35.040
© BIS 2005
BUREAU OF INDIAN STANDARDS
MANAK BHAVAN, 9 BAHADUR SHAH ZAFAR MARG
NEW DELHI 110002
December 2005 Price Group 11

Information Systems Security Sectional Committee, LTD 38

NATIONAL FOREWORD

This Indian Standard which is identical with ISO/IEC 27001 : 2005 'Information technology — Security techniques — Information security management systems — Requirements' issued by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) jointly was adopted by the Bureau of Indian Standards on the recommendations of the Information Systems Security Sectional Committee and approval of the Electronics and Information Technology Division Council.

This standard supersedes IS 15150 : 2002 'Information technology — Information security management systems — Requirements' and has been aligned with the latest International Standard ISO/IEC 27001 : 2005 on information security management system requirements.

The text of the ISO/IEC Standard has been approved as suitable for publication as an Indian Standard without deviations. Certain conventions are, however, not identical to those used in Indian Standards. Attention is particularly drawn to the following:

a) Wherever the words 'International Standard' appear referring to this standard, they should be read as 'Indian Standard'.
b) Comma (,) has been used as a decimal marker while in Indian Standards, the current practice is to use a point (.) as the decimal marker.
In this adopted standard, reference appears to the following International Standard for which an Indian Standard also exists. The corresponding Indian Standard which is to be substituted in its place is listed below along with its degree of equivalence for the edition indicated:

International Standard: ISO/IEC 17799 : 2005 Information technology — Security techniques — Code of practice for information security management
Corresponding Indian Standard: IS/ISO/IEC 17799 : 2005 Information technology — Security techniques — Code of practice for information security management
Degree of Equivalence: Identical

With the publication of this standard, IS 15150 : 2002 shall be withdrawn.

Contents

0 Introduction
0.1 General
0.2 Process approach
0.3 Compatibility with other management systems
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions
4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annex A (normative) Control objectives and controls
Annex B (informative) OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard
Bibliography
0 Introduction

0.1 General

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.

This International Standard can be used in order to assess conformance by interested internal and external parties.

0.2 Process approach

This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.

An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".

The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:

a) understanding an organization's information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.

This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and through the necessary actions and processes produces information security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8.

The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) 1) governing the security of information systems and networks. This International Standard provides a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.

1) OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org

EXAMPLE 1: A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.

EXAMPLE 2: An expectation might be that if a serious incident occurs — perhaps hacking of an organization's eBusiness web site — there should be people with sufficient training in appropriate procedures to minimize the impact.

[Figure 1 — PDCA model applied to ISMS processes: the Plan, Do, Check and Act stages, with the interested parties' information security requirements and expectations as input and information security outcomes as output]

Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

0.3 Compatibility with other management systems

This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards.
Table C.1 illustrates the relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.

This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.

Indian Standard
INFORMATION TECHNOLOGY — SECURITY TECHNIQUES — INFORMATION SECURITY MANAGEMENT SYSTEMS — REQUIREMENTS

IMPORTANT — This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with an International Standard does not in itself confer immunity from legal obligations.

1 Scope

1.1 General

This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

NOTE 1: References to 'business' in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.

1.2 Application

The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management
3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]

3.2 availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]

3.3 confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[ISO/IEC 13335-1:2004]

3.4 information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
[ISO/IEC 17799:2005]

3.5 information security event
an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
[ISO/IEC TR 18044:2004]

3.6 information security incident
a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
[ISO/IEC TR 18044:2004]

3.7 information security management system
ISMS
that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

3.8 integrity
the property of safeguarding the accuracy and completeness of assets
[ISO/IEC 13335-1:2004]

3.9 residual risk
the risk remaining after risk treatment
[ISO/IEC Guide 73:2002]

3.10 risk acceptance
decision to accept a risk
[ISO/IEC Guide 73:2002]

3.11 risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO/IEC Guide 73:2002]

3.12 risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002]

3.13 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk
[ISO/IEC Guide 73:2002]

3.14 risk management
coordinated activities to direct and control an organization with regard to risk
[ISO/IEC Guide 73:2002]

3.15 risk treatment
process of selection and implementation of measures to modify risk
[ISO/IEC Guide 73:2002]
NOTE: In this International Standard the term 'control' is used as a synonym for 'measure'.

3.16 statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS
NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the organization's business requirements for information security.

4 Information security management system

4.1 General requirements

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. For the purposes of this International Standard the process used is based on the PDCA model shown in Figure 1.

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

The organization shall do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, and including details of and justification for any exclusions from the scope (see 1.2).
b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security obligations;
3) aligns with the organization's strategic risk management context in which the establishment and maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated (see 4.2.1c)); and
5) has been approved by management.
NOTE: For the purposes of this International Standard, the ISMS policy is considered as a superset of the information security policy. These policies can be described in one document.

c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1f)).
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
NOTE: There are different methodologies for risk assessment. Examples of risk assessment methodologies are discussed in ISO/IEC TR 13335-3, Information technology — Guidelines for the management of IT Security — Techniques for the management of IT Security.

d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners 2) of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

2) The term 'owner' identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term 'owner' does not mean that the person actually has any property rights to the asset.

e) Analyse and evaluate the risks.
1) Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established in 4.2.1c)2).

f) Identify and evaluate options for the treatment of risks.
Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization's policies and the criteria for accepting risks (see 4.2.1c)2));
3) avoiding risks; and
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.

g) Select control objectives and controls for the treatment of risks.
Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1c)2)) as well as legal, regulatory and contractual requirements.
The control objectives and controls from Annex A shall be selected as part of this process as suitable to cover the identified requirements.
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.
NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlooked.

h) Obtain management approval of the proposed residual risks.

i) Obtain management authorization to implement and operate the ISMS.

j) Prepare a Statement of Applicability.
A Statement of Applicability shall be prepared that includes the following:
1) the control objectives and controls selected in 4.2.1g) and the reasons for their selection;
2) the control objectives and controls currently implemented (see 4.2.1e)2)); and
3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.
NOTE: The Statement of Applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.

4.2.2 Implement and operate the ISMS

The organization shall do the following.

a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
c) Implement controls selected in 4.2.1g) to meet the control objectives.
d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results (see 4.2.3c)).
NOTE: Measuring the effectiveness of controls allows managers and staff to determine how well controls achieve planned control objectives.
e) Implement training and awareness programmes (see 5.2.2).
f) Manage operation of the ISMS.
g) Manage resources for the ISMS (see 5.2).
h) Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents (see 4.2.3a)).

4.2.3 Monitor and review the ISMS

The organization shall do the following.

a) Execute monitoring and reviewing procedures and other controls to:
1) promptly detect errors in the results of processing;
2) promptly identify attempted and successful security breaches and incidents;
3) enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
4) help detect security events and thereby prevent security incidents by the use of indicators; and
5) determine whether the actions taken to resolve a breach of security were effective.
b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls) taking into account results of security audits, incidents, results from effectiveness measurements, suggestions and feedback from all interested parties.
c) Measure the effectiveness of controls to verify that security requirements have been met.
d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account changes to:
1) the organization;
2) technology;
3) business objectives and processes;
4) identified threats;
5) effectiveness of the implemented controls; and
6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.
e) Conduct internal ISMS audits at planned intervals (see 6).
NOTE: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself for internal purposes.
f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified (see 7.1).
g) Update security plans to take into account the findings of monitoring and reviewing activities.
h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).

4.2.4 Maintain and improve the ISMS

The organization shall regularly do the following.

a) Implement the identified improvements in the ISMS.
b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.
c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.
d) Ensure that the improvements achieve their intended objectives.

4.3 Documentation requirements

4.3.1 General

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

The ISMS documentation shall include:
a) documented statements of the ISMS policy (see 4.2.1b)) and objectives;
b) the scope of the ISMS (see 4.2.1a));
c) procedures and controls in support of the ISMS;
d) a description of the risk assessment methodology (see 4.2.1c));
e) the risk assessment report (see 4.2.1c) to 4.2.1g));
f) the risk treatment plan (see 4.2.2b));
g) documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls (see 4.2.3c));
h) records required by this International Standard (see 4.3.3); and
i) the Statement of Applicability.

NOTE 1: Where the term "documented procedure" appears within this International Standard, this means that the procedure is established, documented, implemented and maintained.
NOTE 2: The extent of the ISMS documentation can differ from one organization to another owing to:
— the size of the organization and the type of its activities; and
— the scope and complexity of the security requirements and the system being managed.
NOTE 3: Documents and records may be in any form or type of medium.

4.3.2 Control of documents

Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:
a) approve documents for adequacy prior to issue;
b) review and update documents as necessary and re-approve documents;
c) ensure that changes and the current revision status of documents are identified;
d) ensure that relevant versions of applicable documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;
g) ensure that documents of external origin are identified;
h) ensure that the distribution of documents is controlled;
i) prevent the unintended use of obsolete documents; and
j) apply suitable identification to them if they are retained for any purpose.

4.3.3 Control of records

Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented.

Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.

EXAMPLE: Examples of records are a visitors' book, audit reports and completed access authorization forms.

5 Management responsibility

5.1 Management commitment

Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
a) establishing an ISMS policy;
b) ensuring that ISMS objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS (see 5.2.1);
f) deciding the criteria for accepting risks and the acceptable levels of risk;
g) ensuring that internal ISMS audits are conducted (see 6); and
h) conducting management reviews of the ISMS (see 7).
5.2 Resource management

5.2.1 Provision of resources

The organization shall determine and provide the resources needed to:
a) establish, implement, operate, monitor, review, maintain and improve an ISMS;
b) ensure that information security procedures support the business requirements;
c) identify and address legal and regulatory requirements and contractual security obligations;
d) maintain adequate security by correct application of all implemented controls;
e) carry out reviews when necessary, and to react appropriately to the results of these reviews; and
f) where required, improve the effectiveness of the ISMS.

5.2.2 Training, awareness and competence

The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
a) determining the necessary competencies for personnel performing work affecting the ISMS;
b) providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
c) evaluating the effectiveness of the actions taken; and
d) maintaining records of education, training, skills, experience and qualifications (see 4.3.3).

The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.
6 Internal ISMS audits

The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:
a) conform to the requirements of this International Standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained; and
d) perform as expected.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).

NOTE: ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, may provide helpful guidance for carrying out the internal ISMS audits.

7 Management review of the ISMS

7.1 General

Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.
The results of the reviews shall be clearly documented and records shall be maintained (see 4.3.3).

7.2 Review input

The input to a management review shall include:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.

7.3 Review output

The output from the management review shall include any decisions and actions related to the following.
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes affecting the existing business requirements;
4) regulatory or legal requirements;
5) contractual obligations; and
6) levels of risk and/or criteria for accepting risks.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured.

8 ISMS improvement

8.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).

8.2 Corrective action

The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence.
The documented procedure for corrective action shall define requirements for:

a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.

8.3 Preventive action

The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:

a) identifying potential nonconformities and their causes;
b) evaluating the need for action to prevent occurrence of nonconformities;
c) determining and implementing preventive action needed;
d) recording results of action taken (see 4.3.3); and
e) reviewing of preventive action taken.

The organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks.

The priority of preventive actions shall be determined based on the results of the risk assessment.

NOTE Action to prevent nonconformities is often more cost-effective than corrective action.

Annex A
(normative)
Control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 17799:2005 Clauses 5 to 15. The lists in Table A.1 are not exhaustive and an organization may consider that additional control objectives and controls are necessary. Control objectives and controls from these tables shall be selected as part of the ISMS process specified in 4.2.1.

ISO/IEC 17799:2005 Clauses 5 to 15 provide implementation advice and guidance on best practice in support of the controls specified in A.5 to A.15.
Table A.1 — Control objectives and controls

A.5 Security policy

A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information security policy document
Control: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

A.5.1.2 Review of the information security policy
Control: The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

A.6 Organization of information security

A.6.1 Internal organization
Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security
Control: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

A.6.1.2 Information security co-ordination
Control: Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities
Control: All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities
Control: A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.

A.6.1.6 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
A.6.1.7 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.8 Independent review of information security
Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

A.6.2 External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties
Control: The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

A.6.2.2 Addressing security when dealing with customers
Control: All identified security requirements shall be addressed before giving customers access to the organization's information or assets.

A.6.2.3 Addressing security in third party agreements
Control: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

A.7 Asset management

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets
Control: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

A.7.1.2 Ownership of assets
Control: All information and assets associated with information processing facilities shall be 'owned' 3) by a designated part of the organization.
A.7.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines
Control: Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

A.7.2.2 Information labelling and handling
Control: An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.

A.8 Human resources security

A.8.1 Prior to employment 4)
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

A.8.1.1 Roles and responsibilities
Control: Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.

3) Explanation: The term 'owner' identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term 'owner' does not mean that the person actually has property rights to the asset.

4) Explanation: The word 'employment' is meant here to cover all of the following different situations: employment of people (temporary or longer lasting),
appointment of job roles, changing of job roles, assignment of contracts, and the termination of any of these arrangements.

A.8.1.2 Screening
Control: Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

A.8.1.3 Terms and conditions of employment
Control: As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.

A.8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
A.8.2.1 Management responsibilities
Control: Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.

A.8.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

A.8.2.3 Disciplinary process
Control: There shall be a formal disciplinary process for employees who have committed a security breach.

A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

A.8.3.1 Termination responsibilities
Control: Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

A.8.3.2 Return of assets
Control: All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.

A.8.3.3 Removal of access rights
Control: The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9 Physical and environmental security

A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
A.9.1.1 Physical security perimeter
Control: Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.

A.9.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.9.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms, and facilities shall be designed and applied.

A.9.1.4 Protecting against external and environmental threats
Control: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.

A.9.1.5 Working in secure areas
Control: Physical protection and guidelines for working in secure areas shall be designed and applied.

A.9.1.6 Public access, delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

A.9.2.1 Equipment siting and protection
Control: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.9.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.9.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

A.9.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.9.2.5 Security of equipment off-premises
Control: Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.

A.9.2.6 Secure disposal or re-use of equipment
Control: All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

A.9.2.7 Removal of property
Control: Equipment, information or software shall not be taken off-site without prior authorization.

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.

A.10.1.1 Documented operating procedures
Control: Operating procedures shall be documented, maintained, and made available to all users who need them.

A.10.1.2 Change management
Control: Changes to information processing facilities and systems shall be controlled.

A.10.1.3 Segregation of duties
Control: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
A.10.1.4 Separation of development, test and operational facilities
Control: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.

A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery
Control: It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

A.10.2.2 Monitoring and review of third party services
Control: The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

A.10.2.3 Managing changes to third party services
Control: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.

A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

A.10.3.1 Capacity management
Control: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

A.10.3.2 System acceptance
Control: Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.

A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.

A.10.4.1 Controls against malicious code
Control: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
A.10.4.2 Controls against mobile code
Control: Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.

A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.

A.10.5.1 Information back-up
Control: Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.

A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

A.10.6.1 Network controls
Control: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

A.10.6.2 Security of network services
Control: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

A.10.7 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
A.10.7.1 Management of removable media
Control: There shall be procedures in place for the management of removable media.

A.10.7.2 Disposal of media
Control: Media shall be disposed of securely and safely when no longer required, using formal procedures.

A.10.7.3 Information handling procedures
Control: Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse.

A.10.7.4 Security of system documentation
Control: System documentation shall be protected against unauthorized access.

A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.

A.10.8.1 Information exchange policies and procedures
Control: Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.

A.10.8.2 Exchange agreements
Control: Agreements shall be established for the exchange of information and software between the organization and external parties.

A.10.8.3 Physical media in transit
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries.

A.10.8.4 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.

A.10.8.5 Business information systems
Control: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

A.10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.

A.10.9.1 Electronic commerce
Control: Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

A.10.9.2 On-line transactions
Control: Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
A.10.9.3 Publicly available information
Control: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.

A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.

A.10.10.1 Audit logging
Control: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

A.10.10.2 Monitoring system use
Control: Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

A.10.10.3 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

A.10.10.4 Administrator and operator logs
Control: System administrator and system operator activities shall be logged.

A.10.10.5 Fault logging
Control: Faults shall be logged, analysed, and appropriate action taken.

A.10.10.6 Clock synchronization
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.

A.11 Access control

A.11.1 Business requirement for access control
Objective: To control access to information.

A.11.1.1 Access control policy
Control: An access control policy shall be established, documented, and reviewed based on business and security requirements for access.

A.11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

A.11.2.1 User registration
Control: There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

A.11.2.2 Privilege management
Control: The allocation and use of privileges shall be restricted and controlled.

A.11.2.3 User password management
Control: The allocation of passwords shall be controlled through a formal management process.

A.11.2.4 Review of user access rights
Control: Management shall review users' access rights at regular intervals using a formal process.

A.11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
A.11.3.1 Password use
Control: Users shall be required to follow good security practices in the selection and use of passwords.

A.11.3.2 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.

A.11.3.3 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.

A.11.4.1 Policy on use of network services
Control: Users shall only be provided with access to the services that they have been specifically authorized to use.

A.11.4.2 User authentication for external connections
Control: Appropriate authentication methods shall be used to control access by remote users.

A.11.4.3 Equipment identification in networks
Control: Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.

A.11.4.4 Remote diagnostic and configuration port protection
Control: Physical and logical access to diagnostic and configuration ports shall be controlled.

A.11.4.5 Segregation in networks
Control: Groups of information services, users, and information systems shall be segregated on networks.

A.11.4.6 Network connection control
Control: For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1).

A.11.4.7 Network routing control
Control: Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

A.11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.

A.11.5.1 Secure log-on procedures
Control: Access to operating systems shall be controlled by a secure log-on procedure.
A.11.5.2 User identification and authentication
Control: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

A.11.5.3 Password management system
Control: Systems for managing passwords shall be interactive and shall ensure quality passwords.

A.11.5.4 Use of system utilities
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.11.5.5 Session time-out
Control: Inactive sessions shall shut down after a defined period of inactivity.

A.11.5.6 Limitation of connection time
Control: Restrictions on connection times shall be used to provide additional security for high-risk applications.

A.11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.

A.11.6.1 Information access restriction
Control: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.

A.11.6.2 Sensitive system isolation
Control: Sensitive systems shall have a dedicated (isolated) computing environment.

A.11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.

A.11.7.1 Mobile computing and communications
Control: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.
A.11.7.2 Teleworking
Control: A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.

A.12.1.1 Security requirements analysis and specification
Control: Statements of business requirements for new information systems, or enhancements to existing information systems shall specify the requirements for security controls.

A.12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.

A.12.2.1 Input data validation
Control: Data input to applications shall be validated to ensure that this data is correct and appropriate.

A.12.2.2 Control of internal processing
Control: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

A.12.2.3 Message integrity
Control: Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented.

A.12.2.4 Output data validation
Control: Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

A.12.3.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.12.3.2 Key management
Control: Key management shall be in place to support the organization's use of cryptographic techniques.

A.12.4 Security of system files
Objective: To ensure the security of system files.

A.12.4.1 Control of operational software
Control: There shall be procedures in place to control the installation of software on operational systems.
A.12.4.2 Protection of system test data
Control: Test data shall be selected carefully, and protected and controlled.

A.12.4.3 Access control to program source code
Control: Access to program source code shall be restricted.

A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.

A.12.5.1 Change control procedures
Control: The implementation of changes shall be controlled by the use of formal change control procedures.

A.12.5.2 Technical review of applications after operating system changes
Control: When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.12.5.3 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

A.12.5.4 Information leakage
Control: Opportunities for information leakage shall be prevented.

A.12.5.5 Outsourced software development
Control: Outsourced software development shall be supervised and monitored by the organization.

A.12.6 Technical vulnerability management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

A.12.6.1 Control of technical vulnerabilities
Control: Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

A.13.1.1 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.

A.13.1.2 Reporting security weaknesses
Control: All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.

A.13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

A.13.2.1 Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

A.13.2.2 Learning from information security incidents
Control: There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.

A.13.2.3 Collection of evidence
Control: Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

A.14 Business continuity management

A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A.14.1.1 Including information security in the business continuity management process
Control: A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.

A.14.1.2 Business continuity and risk assessment
Control: Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

A.14.1.3 Developing and implementing continuity plans including information security
Control: Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

A.14.1.4 Business continuity planning framework
Control: A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

A.14.1.5 Testing, maintaining and re-assessing business continuity plans
Control: Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective.

A.15 Compliance

A.15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

A.15.1.1 Identification of applicable legislation
Control: All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

A.15.1.2 Intellectual property rights (IPR)
Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

A.15.1.3 Protection of organizational records
Control: Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

A.15.1.4 Data protection and privacy of personal information
Control: Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

A.15.1.5 Prevention of misuse of information processing facilities
Control: Users shall be deterred from using information processing facilities for unauthorized purposes.

A.15.1.6 Regulation of cryptographic controls
Control: Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

A.15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.

A.15.2.1 Compliance with security policies and standards
Control: Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.

A.15.2.2 Technical compliance checking
Control: Information systems shall be regularly checked for compliance with security implementation standards.

A.15.3 Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
A183.1 | Information systems audit | aust requirements and activties involving checks on operational ‘controls systems shall be carefuly planned and agreed to minimize the risk of disruptions to businass processes Cont! 1832 | Protection of information systoms audit tools Access to information systems aust tools shal be protected to prevent any possible misuse ar compremise 29 ISASONEC 27001 : 2005 Annex B (informative) OECD principtes and this International Standard ‘The principles given in the OECD Guidelines for the Securiy of information Systems and Networks apply 10 all policy and operational levels that govern the secumlty of information systems and networks. This Intemational Standard provides an information security management system framework for implementing some of the OECD principles using the PDCA model and the processes described in Clauses 4, 5, 6 and 8 as indicated in Table 8.1 ‘Table B41 — OECD principles and the PDCA model ‘O&CD principle Awareness Patlicipants should be aware ofthe need for security of information systems and noworks ang what they can do to enhance security Responsibility | Alpariopans are espns for ha sanyo sfomation sysiams and networks, Response Paniipants should actin a timely and co-operative ‘manner to prevent. detect and respond te security incgont, ‘Corresponding ISMS process and PDCA pI ‘This actly is part of the Do phase (see 42.2 and 6.2.2) ‘This activity s part of the Do phase (ses 42.2 and 5.1) This sin part a monitoring actly Check phase (see 4.23 and 6 107.3) and 2 responding activiy Act phase (s02.4.2.4 and 6.1 108.3) This can also be covered by Some aspects ofthe Plan and Chack phases. Risk assessment PPantcipants should conduct ek assessments. Panicipants should incorporate security as an essential element of information systems and networks. 
Security design and implementation (Once a risk assessment has been complsted, contats are “This ect is pan ofthe Plan pase (see 4.2.1) and risk reassessment is part ofthe Check phase (see 4.2.3 and 6 107.3), selected forthe reatment of risks as parcat the Plan phase (see 421). The Do phase (see 42.2 and 52) hen ‘covers tre implementation and operational use of ese controls. ‘Security management Participants should adopt a comprehensive approach to | security management ‘The management of risks a process which includes the prevention, detection and response fa incidents, ongoing ‘maintenance, review and audit. Al ofthese aspects are ‘encompassed inthe Plan, Do, Check end Act pases, y Reassessment Portipants should review and reassess the sacunity of Information systems and networks, and make appropriate madifzations t securiy polices, pracions, ‘measures an procedures. 30 Reassessment of information seourity is @ part of the {check pase (see 4.23 and a to 7 3) where reguiar reviews should be undertaken to check the effectiveness ofthe informatan secunty management system, and macoving the eecunty(s part of the Act phase (see 42.4 and 6.11983). 
Annex C (informative)
Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard

Table C.1 shows the correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard.

Table C.1 — Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard

This International Standard | ISO 9001:2000 | ISO 14001:2004
0 Introduction | 0 Introduction | Introduction
0.1 General | 0.1 General |
0.2 Process approach | 0.2 Process approach |
 | 0.3 Relationship with ISO 9004 |
0.3 Compatibility with other management systems | 0.4 Compatibility with other management systems |
1 Scope | 1 Scope | 1 Scope
1.1 General | 1.1 General |
1.2 Application | 1.2 Application |
2 Normative references | 2 Normative reference | 2 Normative references
3 Terms and definitions | 3 Terms and definitions | 3 Terms and definitions
4 Information security management system | 4 Quality management system | 4 EMS requirements
4.1 General requirements | 4.1 General requirements | 4.1 General requirements
4.2 Establishing and managing the ISMS | |
4.2.1 Establish the ISMS | |
4.2.2 Implement and operate the ISMS | | 4.4 Implementation and operation
4.2.3 Monitor and review the ISMS | 8.2.3 Monitoring and measurement of processes; 8.2.4 Monitoring and measurement of product | 4.5.1 Monitoring and measurement
4.2.4 Maintain and improve the ISMS | |
4.3 Documentation requirements | 4.2 Documentation requirements |
4.3.1 General | 4.2.1 General |
 | 4.2.2 Quality manual |
4.3.2 Control of documents | 4.2.3 Control of documents | 4.4.5 Documentation control
4.3.3 Control of records | 4.2.4 Control of records | 4.5.4 Control of records
5 Management responsibility | 5 Management responsibility |
5.1 Management commitment | 5.1 Management commitment; 5.2 Customer focus; 5.3 Quality policy; 5.4 Planning; 5.5 Responsibility, authority and communication | 4.2 Environmental policy; 4.3 Planning
5.2 Resource management | 6 Resource management |
5.2.1 Provision of resources | 6.1 Provision of resources |
5.2.2 Training, awareness and competence | 6.2 Human resources; 6.2.2 Competence, awareness and training; 6.3 Infrastructure; 6.4 Work environment | 4.4.2 Competence, training, and awareness
6 Internal ISMS audits | 8.2.2 Internal audit | 4.5.5 Internal audit
7 Management review of the ISMS | 5.6 Management review | 4.6 Management review
7.1 General | 5.6.1 General |
7.2 Review input | 5.6.2 Review input |
7.3 Review output | 5.6.3 Review output |
8 ISMS improvement | 8.5 Improvement |
8.1 Continual improvement | 8.5.1 Continual improvement |
8.2 Corrective action | 8.5.2 Corrective action | 4.5.3 Non-conformity, corrective action and preventive action
8.3 Preventive action | 8.5.3 Preventive action |
Annex A Control objectives and controls | | Annex A Guidance on the use of this International Standard
Annex B OECD principles and this International Standard | |
Annex C Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard | Annex A Correspondence between ISO 9001:2000 and ISO 14001:1996 | Annex B Correspondence between ISO 14001:2004 and ISO 9001:2000

Bibliography

Standards publications

[1] ISO 9001:2000, Quality management systems — Requirements
[2] ISO/IEC 13335-1:2004, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management
[3] ISO/IEC TR 13335-3:1998, Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT security
[4] ISO/IEC TR 13335-4:2000, Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards
[5] ISO 14001:2004, Environmental management systems — Requirements with guidance for use
[6] ISO/IEC TR 18044:2004, Information technology — Security techniques — Information security incident management
[7] ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
[8] ISO/IEC Guide 62:1996, General requirements for bodies operating assessment and certification/registration of quality systems
[9] ISO/IEC Guide 73:2002, Risk management — Vocabulary — Guidelines for use in standards

Other publications

[1] OECD, Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org
[2] NIST SP 800-30, Risk Management Guide for Information Technology Systems
[3] Deming W.E., Out of the Crisis, Cambridge, Mass: MIT, Center for Advanced Engineering Study, 1986

Bureau of Indian Standards

BIS is a statutory institution established under the Bureau of Indian Standards Act, 1986 to promote harmonious development of the activities of standardization, marking and quality certification of goods and attending to connected matters in the country.

Copyright

BIS has the copyright of all its publications. No part of these publications may be reproduced in any form without the prior permission in writing of BIS. This does not preclude the free use, in the course of implementing the standard, of necessary details, such as symbols and sizes, type or grade designations. Enquiries relating to copyright be addressed to the Director (Publications), BIS.

Review of Indian Standards

Amendments are issued to standards as the need arises on the basis of comments. Standards are also reviewed periodically; a standard along with amendments is reaffirmed when such review indicates that no changes are needed; if the review indicates that changes are needed, it is taken up for revision. Users of Indian Standards should ascertain that they are in possession of the latest amendments or edition by referring to the latest issue of 'BIS Catalogue' and 'Standards : Monthly Additions'.

This Indian Standard has been developed from Doc : No. LTD 38 (2049).

Amendments Issued Since Publication

Amend No. | Date of Issue | Text Affected

BUREAU OF INDIAN STANDARDS
Headquarters: Manak Bhavan, 9 Bahadur Shah Zafar Marg, New Delhi 110 002
Telegrams: Manaksanstha
Telephones: 2323 01 31, 2323 33 75, 2323 94 02 (Common to all offices)