Information technology — Security techniques — Information security management systems — Requirements
National foreword
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.
This British Standard was published under the authority of the Standards Policy and Strategy Committee on 1 October 2013.
Amendments/Corrigenda issued since publication
Date    Text affected
INTERNATIONAL STANDARD ISO/IEC 27001
Second edition
2013-10-01
Information technology — Security techniques — Information security management systems — Requirements
Technologies de l'information — Techniques de sécurité — Systèmes de management de la sécurité de l'information — Exigences
Reference number
ISO/IEC 27001:2013(E)
© ISO/IEC 2013
BS ISO/IEC 27001:2013
Published in Switzerland
Contents
Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Foreword
0 Introduction
0.1 General
0.2 Compatibility with other management system standards
1 Scope
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
4.3 Determining the scope of the information security management system
b) the requirements referred to in 4.2; and
5 Leadership
g) promoting continual improvement; and
a) is appropriate to the purpose of the organization;
The information security policy shall:
e) be available as documented information;
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
c) achieve continual improvement.
e) how to
6.1.2 Information security risk assessment
2) criteria for performing information security risk assessments;
6.1.3 Information security risk treatment
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
6.2 Information security objectives and planning to achieve them
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
7.1 Resources
b) ensuring that these persons are competent on the basis of appropriate education, training, or experience;
7.3 Awareness
a) the information security policy;
c) the implications of not conforming with the information security management system requirements.
7.4 Communication
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
7.5.1 General
The organization's information security management system shall include:
a) documented information required by this International Standard; and
NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
For the control of documented information, the organization shall address the following activities, as applicable:
f) retention and disposition.
8.2 Information security risk assessment
The organization shall retain documented information of the results of the information security risk assessments.
8.3 Information security risk treatment
The organization shall retain documented information of the results of the information security risk treatment.
9 Performance evaluation
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
a) conforms to
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organization shall:
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
f) opportunities for continual improvement.
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
10.2 Continual improvement
Annex A
(normative)
Table A.1 — Control objectives and controls
A.6.1.3 Contact with authorities
Control
Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 Contact with special interest groups
Control
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6.1.5 Information security in project management
Control
Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy
Control
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A.9.4.3 Password management system
Control
Password management systems shall be interactive and shall ensure quality passwords.
A.9.4.4 Use of privileged utility programs
Control
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
A.11.1.4 Protecting against external and environmental threats
Control
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
A.11.1.5 Working in secure areas
Control
Procedures for working in secure areas shall be designed and applied.
A.11.1.6 Delivery and loading areas
Control
Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
A.11.2.1 Equipment siting and protection
Control
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
A.11.2.2 Supporting utilities
Control
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A.13.2.4 Confidentiality or non-disclosure agreements
Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.1.1 Information security requirements analysis and specification
Control
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
A.14.1.2 Securing application services on public networks
Control
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
A.14.2.3 Technical review of applications after operating platform changes
Control
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
A.14.2.4 Restrictions on changes to software packages
Control
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
A.14.2.5 Secure system engineering principles
Control
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment
Control
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
A.14.2.7 Outsourced development
Control
The organization shall supervise and monitor the activity of outsourced system development.
A.14.2.8 System security testing
Control
Testing of security functionality shall be carried out during development.
A.14.2.9 System acceptance testing
Control
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
A.16.1.7 Collection of evidence
Control
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.17.1.1 Planning information security continuity
Control
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity
Control
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A.17.1.3 Verify, review and evaluate information security continuity
Control
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
Control
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual requirements
Control
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
A.18.2.2 Compliance with security policies and standards
Control
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A.18.2.3 Technical compliance review
Control
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
Bibliography
[1] ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
[2] ISO/IEC 27003, Information technology — Security techniques — Information security management system implementation guidance
[6] ISO/IEC Directives, Part 1, Consolidated ISO Supplement - Procedures specific to ISO, 2012