INTERNATIONAL STANDARD
ISO/IEC 27001
Second edition
2013-10-01

Information technology – Security techniques – Information security management systems – Requirements

Technologies de l'information – Techniques de sécurité – Systèmes de management de la sécurité de l'information – Exigences

Reference number
ISO/IEC 27001:2013(E)

© ISO/IEC 2013

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
Tel. + 41 22 749 01 11
Web www.iso.org

© ISO/IEC 2013 – All rights reserved

Contents

Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A Reference control objectives and controls
Bibliography

Foreword

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Introduction

0.1 General

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003 [2], ISO/IEC 27004 [3] and ISO/IEC 27005 [4]), with related terms and definitions.

0.2 Compatibility with other management system standards

1 Scope

2 Normative references

ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary

3 Terms and definitions
4 Context of the organization

4.1 Understanding the organization and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the information security management system

4.4 Information security management system
5 Leadership

5.1 Leadership and commitment

5.2 Policy

5.3 Organizational roles, responsibilities and authorities
6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

6.1.2 Information security risk assessment

6.1.3 Information security risk treatment

6.2 Information security objectives and planning to achieve them
7 Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

7.5.1 General

7.5.2 Creating and updating

7.5.3 Control of documented information
8 Operation

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment
9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review
10 Improvement

10.1 Nonconformity and corrective action

10.2 Continual improvement
Annex A
Reference control objectives and controls

The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2013 [1], Clauses 5 to 18 and are to be used in context with Clause 6.1.3.

Table A.1 – Control objectives and controls

A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security

A.6 Organization of information security
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
A.6.2.2 Teleworking

A.7 Human resource security
A.7.1 Prior to employment
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2 During employment
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities

A.8 Asset management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
A.8.2 Information classification
A.8.2.1 Classification of information
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets
A.8.3 Media handling
A.8.3.1 Management of removable media
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer

A.9 Access control
A.9.1 Business requirements of access control
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
A.9.2 User access management
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information
A.9.4 System and application access control
A.9.4.1 Information access restriction
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code

A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key management

A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2 Equipment
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or reuse of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy

A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, testing and operational environments
A.12.2 Protection from malware
A.12.2.1 Controls against malware
A.12.3 Backup
A.12.3.1 Information backup
A.12.4 Logging and monitoring
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls

A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
A.14.3 Test data
A.14.3.1 Protection of test data

A.15 Supplier relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
A.18.1.2 Intellectual property rights
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls
A.18.2 Information security reviews
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review

Bibliography

[1] ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls
[2] ISO/IEC 27003, Information technology – Security techniques – Information security management system implementation guidance
[3] ISO/IEC 27004, Information technology – Security techniques – Information security management – Measurement
[4] ISO/IEC 27005, Information technology – Security techniques – Information security risk management
[5] ISO 31000:2009, Risk management – Principles and guidelines