
BS ISO/IEC 27001:2013

Information technology — Security techniques — Information security management systems — Requirements


BS ISO/IEC 27001:2013 BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO/IEC 27001:2013. It supersedes BS ISO/IEC 27001:2005/BS 7799-2:2005 which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013.

Published by BSI Standards Limited 2013.

ISBN 978 0 580 65099 4

ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 1 October 2013.

Amendments/Corrigenda issued since publication

Date    Text affected
INTERNATIONAL STANDARD ISO/IEC 27001

Second edition
2013-10-01

Information technology — Security techniques — Information security management systems — Requirements

Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Exigences

Reference number
ISO/IEC 27001:2013(E)

© ISO/IEC 2013

© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

© ISO/IEC 2013 - All rights reserved



Contents

Foreword .... iv
0 Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Context of the organization .... 1
4.1 Understanding the organization and its context .... 1
4.2 Understanding the needs and expectations of interested parties .... 1
4.3 Determining the scope of the information security management system .... 1
4.4 Information security management system .... 2
5 Leadership .... 2
5.1 Leadership and commitment .... 2
5.2 Policy .... 2
5.3 Organizational roles, responsibilities and authorities .... 3
6 Planning .... 3
6.1 Actions to address risks and opportunities .... 3
6.2 Information security objectives and planning to achieve them .... 5
7 Support .... 5
7.1 Resources .... 5
7.2 Competence .... 5
7.3 Awareness .... 5
7.4 Communication .... 6
7.5 Documented information .... 6
8 Operation .... 7
8.1 Operational planning and control .... 7
8.2 Information security risk assessment .... 7
8.3 Information security risk treatment .... 7
9 Performance evaluation .... 7
9.1 Monitoring, measurement, analysis and evaluation .... 7
9.2 Internal audit .... 8
9.3 Management review .... 8
10 Improvement .... 9
10.1 Nonconformity and corrective action .... 9
10.2 Continual improvement .... 9
Annex A (normative) Reference control objectives and controls .... 10
Bibliography .... 23




Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.




0 Introduction

0.1 General

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization's ability to meet the organization's own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0.2 Compatibility with other management system standards

This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.




INTERNATIONAL STANDARD ISO/IEC 27001:2013(E)

Information technology — Security techniques — Information security management systems — Requirements

1 Scope

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[1].

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

a) interested parties that are relevant to the information security management system; and

b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.




When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;

b) ensuring the integration of the information security management system requirements into the organization's processes;

c) ensuring that the resources needed for the information security management system are available;

d) communicating the importance of effective information security management and of conforming to the information security management system requirements;

e) ensuring that the information security management system achieves its intended outcome(s);

f) directing and supporting persons to contribute to the effectiveness of the information security management system;

g) promoting continual improvement; and

h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

Top management shall establish an information security policy that:

a) is appropriate to the purpose of the organization;

b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;

c) includes a commitment to satisfy applicable requirements related to information security; and

d) includes a commitment to continual improvement of the information security management system.

The information security policy shall:

e) be available as documented information;




f) be communicated within the organization; and

g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:

a) ensuring that the information security management system conforms to the requirements of this International Standard; and

b) reporting on the performance of the information security management system to top management.

NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects; and

c) achieve continual improvement.

The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to

1) integrate and implement the actions into its information security management system processes; and

2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:

1) the risk acceptance criteria; and

2) criteria for performing information security risk assessments;

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;




c) identifies the information security risks:

1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

2) identify the risk owners;

d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

3) determine the levels of risk;

e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;

e) formulate an information security risk treatment plan; and

f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[1].
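The 6.1.2 and 6.1.3 steps above, modelled as an added example that is not part of the standard: risk criteria with an acceptance threshold, risk levels derived from consequence and likelihood, prioritization of the risks that exceed the criteria, and a Statement of Applicability check that every Annex A control is either included with a justification or excluded with a justification. The 1 to 5 scales, the threshold of 6, the control identifiers (placeholders, not the real Annex A numbering) and the sample risks are all assumptions.

```python
"""Added example, not part of ISO/IEC 27001:2013: a minimal model of the
6.1.2 risk assessment and 6.1.3 risk treatment steps. Scales, threshold,
control identifiers and sample risks are constructed assumptions."""
from dataclasses import dataclass

CIA = ("confidentiality", "integrity", "availability")   # 6.1.2 c) 1)


@dataclass(frozen=True)
class RiskCriteria:
    """6.1.2 a): risk criteria. Assumed: 1..scale_max ratings for consequence
    and likelihood, level = consequence * likelihood, and a risk acceptance
    criterion of level <= acceptance_threshold."""
    scale_max: int = 5
    acceptance_threshold: int = 6


@dataclass(frozen=True)
class Risk:
    risk_id: str
    property_lost: str   # which of C, I, A is lost if the risk materializes
    owner: str           # risk owner, 6.1.2 c) 2)
    consequence: int     # 6.1.2 d) 1)
    likelihood: int      # 6.1.2 d) 2)


def risk_level(risk: Risk, criteria: RiskCriteria) -> int:
    """6.1.2 d) 3): determine the level of risk. Rejecting inputs outside the
    agreed scales is what keeps repeated assessments comparable (6.1.2 b))."""
    if risk.property_lost not in CIA:
        raise ValueError(f"{risk.risk_id}: unknown property {risk.property_lost!r}")
    for name, value in (("consequence", risk.consequence), ("likelihood", risk.likelihood)):
        if not 1 <= value <= criteria.scale_max:
            raise ValueError(f"{risk.risk_id}: {name} {value} outside 1..{criteria.scale_max}")
    return risk.consequence * risk.likelihood


def evaluate(risks, criteria):
    """6.1.2 e): compare each level with the acceptance criterion and return
    (level, risk) pairs for the risks needing treatment, highest level first."""
    scored = [(risk_level(r, criteria), r) for r in risks]
    above = [pair for pair in scored if pair[0] > criteria.acceptance_threshold]
    return sorted(above, key=lambda pair: pair[0], reverse=True)


def statement_of_applicability(determined, annex_a, exclusions):
    """6.1.3 c) and d): walk the Annex A list and record, for every control,
    either its inclusion (justification and implementation status) or its
    justified exclusion. A control with neither is a gap and raises."""
    soa = []
    for control_id, title in annex_a.items():
        if control_id in determined:
            justification, implemented = determined[control_id]
            soa.append({"control": control_id, "title": title, "applicable": True,
                        "justification": justification, "implemented": implemented})
        elif control_id in exclusions:
            soa.append({"control": control_id, "title": title, "applicable": False,
                        "justification": exclusions[control_id], "implemented": False})
        else:
            raise ValueError(f"{control_id}: neither included nor justified as excluded")
    return soa


# Constructed sample data. The control identifiers are placeholders and do
# not follow the real Annex A numbering.
ANNEX_A_SAMPLE = {
    "A.x.1": "Logging of administrator activity",
    "A.x.2": "Backup of information",
    "A.x.3": "Teleworking",
}
SAMPLE_RISKS = [
    Risk("R1", "availability", "ops-lead", consequence=4, likelihood=3),    # level 12
    Risk("R2", "confidentiality", "it-lead", consequence=5, likelihood=1),  # level 5, accepted
    Risk("R3", "integrity", "it-lead", consequence=3, likelihood=5),        # level 15
]


def demo():
    """Run the sample assessment and produce the Statement of Applicability."""
    criteria = RiskCriteria()
    to_treat = evaluate(SAMPLE_RISKS, criteria)
    # 6.1.3 b): controls determined for the chosen treatment options.
    determined = {
        "A.x.2": ("treats R1: loss of availability", True),
        "A.x.1": ("treats R3: undetected integrity loss", False),
    }
    exclusions = {"A.x.3": "no teleworking within the ISMS scope"}
    soa = statement_of_applicability(determined, ANNEX_A_SAMPLE, exclusions)
    return to_treat, soa


if __name__ == "__main__":
    treat, soa = demo()
    for level, risk in treat:
        print(f"{risk.risk_id}: level {level}, owner {risk.owner}")
    for entry in soa:
        print(entry)
```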




6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:

a) be consistent with the information security policy;

b) be measurable (if practicable);

c) take into account applicable information security requirements, and results from risk assessment and risk treatment;

d) be communicated; and

e) be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:

f) what will be done;

g) what resources will be required;

h) who will be responsible;

i) when it will be completed; and

j) how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence

The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;

b) ensure that these persons are competent on the basis of appropriate education, training, or experience;

c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and

d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization's control shall be aware of:

a) the information security policy;




b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system requirements.

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the information security management system including:

a) on what to communicate;

b) when to communicate;

c) with whom to communicate;

d) who shall communicate; and

e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General

The organization's information security management system shall include:

a) documented information required by this International Standard; and

b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.

NOTE The extent of documented information for an information security management system can differ from one organization to another due to:

1) the size of organization and its type of activities, processes, products and services;

2) the complexity of processes and their interactions; and

3) the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and

c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed; and

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).




For the control of documented information, the organization shall address the following activities, as applicable:

c) distribution, access, retrieval and use;

d) storage and preservation, including the preservation of legibility;

e) control of changes (e.g. version control); and

f) retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).

The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall evaluate the information security performance and the effectiveness of the information security management system.

The organization shall determine:

a) what needs to be monitored and measured, including information security processes and controls;




b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

NOTE The methods selected should produce comparable and reproducible results to be considered valid.

c) when the monitoring and measuring shall be performed;

d) who shall monitor and measure;

e) when the results from monitoring and measurement shall be analysed and evaluated; and

f) who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

1) the organization's own requirements for its information security management system; and

2) the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management; and

g) retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management review

Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the information security management system;

c) feedback on the information security performance, including trends in:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) audit results; and


4) fulfilment of information security objectives;

d) feedback from interested parties;

e) results of risk assessment and status of risk treatment plan; and

f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable:

1) take action to control and correct it; and

2) deal with the consequences;

b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:

1) reviewing the nonconformity;

2) determining the causes of the nonconformity; and

3) determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken; and

e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

f) the nature of the nonconformities and any subsequent actions taken, and

g) the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.


Annex A
(normative)

Reference control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2013[1], Clauses 5 to 18 and are to be used in context with Clause 6.1.3.

Table A.1 — Control objectives and controls

A.5 Information security policies

A.5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

A.6 Organization of information security

A.6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.

A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.

A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.


A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

A.7 Human resource security

A.7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

A.7.2 During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination and change of employment

Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

A.8 Asset management

A.8.1 Responsibility for assets


Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

A.8.2.2 Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A.9 Access control

A.9.1 Business requirements of access control


Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.

A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.


A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.

A.10 Cryptography

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

A.11 Physical and environmental security

A.11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

A.11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.11.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.

A.11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

A.11.1.5 Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.


A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

A.11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.

A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

A.11.2.7 Secure disposal or re-use of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

A.11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.12 Operations security

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.

A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.


A.12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup

Objective: To protect against loss of data.

A.12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

A.12.4.4 Clock synchronisation
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.


A.12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

A.13 Communications security

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.


A.13.2.4 Confidentiality or non-disclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1 Information security requirements analysis and specification
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

A.14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

A.14.2.5 Secure system engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

18 © ISO/lEC 2013 - All rights reserved


BS ISO/IEC 27001:2013
ISO/IEC 27001:2013(E)

Table A.1 (continued)

A.14.2.6 Secure development environment
Control
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
A.14.2.7 Outsourced development
Control
The organization shall supervise and monitor the activity of outsourced system development.
A.14.2.8 System security testing
Control
Testing of security functionality shall be carried out during development.
A.14.2.9 System acceptance testing
Control
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
Control
Test data shall be selected carefully, protected and controlled.
A.15 Supplier relationships

A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that is accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships
Control
Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
A.15.1.2 Addressing security within supplier agreements
Control
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
A.15.1.3 Information and communication technology supply chain
Control
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
A.15.2.1 Monitoring and review of supplier services
Control
Organizations shall regularly monitor, review and audit supplier service delivery.
A.15.2.2 Managing changes to supplier services
Control
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.


A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.16.1.1 Responsibilities and procedures
Control
Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
A.16.1.2 Reporting information security events
Control
Information security events shall be reported through appropriate management channels as quickly as possible.
A.16.1.3 Reporting information security weaknesses
Control
Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
A.16.1.4 Assessment of and decision on information security events
Control
Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents
Control
Information security incidents shall be responded to in accordance with the documented procedures.
A.16.1.6 Learning from information security incidents
Control
Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
A.16.1.7 Collection of evidence
Control
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
A.17 Information security aspects of business continuity management

A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.17.1.1 Planning information security continuity
Control
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity
Control
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.


A.17.1.3 Verify, review and evaluate information security continuity
Control
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities
Control
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
A.18 Compliance

A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual requirements
Control
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
A.18.1.2 Intellectual property rights
Control
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
A.18.1.3 Protection of records
Control
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
A.18.1.4 Privacy and protection of personally identifiable information
Control
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
A.18.1.5 Regulation of cryptographic controls
Control
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
A.18.2.1 Independent review of information security
Control
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.


A.18.2.2 Compliance with security policies and standards
Control
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A.18.2.3 Technical compliance review
Control
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
