ISO/IEC 27001:2005
Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:
a) use within organizations to formulate security requirements and objectives;
b) use within organizations as a way to ensure that security risks are cost-effectively managed;
c) use within organizations to ensure compliance with laws and regulations;
d) use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
e) definition of new information security management processes;
f) identification and clarification of existing information security management processes;
g) use by the management of organizations to determine the status of information security management activities;
h) use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
i) use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
j) implementation of business-enabling information security;
k) use by organizations to provide relevant information about information security to customers.
Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001:2005 covers all types of organizations (for example commercial enterprises, public bodies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring and reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. This document specifies the requirements for implementing security controls tailored to the needs of each organization or its constituent parts. ISO/IEC 27001:2005 is intended to ensure the selection of adequate and proportionate security controls that protect assets and give confidence to interested parties.
Information technology - Security techniques - Information security management systems - Requirements
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. NOTE 1: References to 'business' in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence. NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27001
First edition
2005-10-15
Information technology — Security
techniques — Information security
management systems — Requirements
Technologies de l'information — Techniques de sécurité — Systèmes
de gestion de sécurité de l'information — Exigences
Reference number
ISO/IEC 27001:2005(E)
© ISO/IEC 2005
ISO/IEC 27001:2005(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2005 – All rights reserved
Contents  Page
Foreword  iv
0 Introduction  v
0.1 General  v
0.2 Process approach  v
0.3 Compatibility with other management systems  vi
1 Scope  1
1.1 General  1
1.2 Application  1
2 Normative references  1
3 Terms and definitions  2
4 Information security management system  3
4.1 General requirements  3
4.2 Establishing and managing the ISMS  4
4.2.1 Establish the ISMS  4
4.2.2 Implement and operate the ISMS  6
4.2.3 Monitor and review the ISMS  6
4.2.4 Maintain and improve the ISMS  7
4.3 Documentation requirements  7
4.3.1 General  7
4.3.2 Control of documents  8
4.3.3 Control of records  8
5 Management responsibility  9
5.1 Management commitment  9
5.2 Resource management  9
5.2.1 Provision of resources  9
5.2.2 Training, awareness and competence  9
6 Internal ISMS audits  10
7 Management review of the ISMS  10
7.1 General  10
7.2 Review input  10
7.3 Review output  11
8 ISMS improvement  11
8.1 Continual improvement  11
8.2 Corrective action  11
8.3 Preventive action  12
Annex A (normative) Control objectives and controls  13
Annex B (informative) OECD principles and this International Standard  30
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard  31
Bibliography  34
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The
adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an
organization’s ISMS is influenced by their needs and objectives, security requirements, the processes
employed and the size and structure of the organization. These and their supporting systems are expected to
change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of
the organization, e.g. a simple situation requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by interested internal and external
parties.
0.2 Process approach
This International Standard adopts a process approach for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity using
resources and managed in order to enable the transformation of inputs into outputs can be considered to be a
process. Often the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and
interactions of these processes, and their management, can be referred to as a “process approach”.
The process approach for information security management presented in this International Standard
encourages its users to emphasize the importance of:
a) understanding an organization’s information security requirements and the need to establish policy and
objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context
of the organization’s overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all
ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and
expectations of the interested parties and through the necessary actions and processes produces information
security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the
processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) 1)
governing the security of information systems and networks. This International Standard provides a robust
model for implementing the principles in those guidelines governing risk assessment, security design and
implementation, security management and reassessment.
1) OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris:
OECD, July 2002. www.oecd.org
EXAMPLE 1
A requirement might be that breaches of information security will not cause serious financial damage to an
organization and/or cause embarrassment to the organization.
EXAMPLE 2
An expectation might be that if a serious incident occurs — perhaps hacking of an organization’s eBusiness
web site — there should be people with sufficient training in appropriate procedures to minimize the impact.
[Figure 1 (diagram not reproduced): the information security requirements and expectations of interested parties enter the cycle at Plan (establish the ISMS); the cycle continues through Do (implement and operate the ISMS), Check (monitor and review the ISMS) and Act (maintain and improve the ISMS), and delivers managed information security back to the interested parties.]
Figure 1 — PDCA model applied to ISMS processes
Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent
and integrated implementation and operation with related management standards. One suitably designed
management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the
relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its ISMS with related
management system requirements.
INTERNATIONAL STANDARD ISO/IEC 27001:2005(E)
Information technology — Security techniques — Information
security management systems — Requirements
IMPORTANT — This publication does not purport to include all the necessary provisions of a contract.
Users are responsible for its correct application. Compliance with an International Standard does not
in itself confer immunity from legal obligations.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government
agencies, non-profit organizations). This International Standard specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the
context of the organization’s overall business risks. It specifies requirements for the implementation of security
controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect
information assets and give confidence to interested parties.
NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities
that are core to the purposes for the organization’s existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all
organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4,
5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and
evidence needs to be provided that the associated risks have been accepted by accountable persons. Where
any controls are excluded, claims of conformity to this International Standard are not acceptable unless such
exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that
meets the security requirements determined by risk assessment and applicable legal or regulatory
requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation with
ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this
existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information
security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]
3.2
availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]
3.3
confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[ISO/IEC 13335-1:2004]
3.4
information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as
authenticity, accountability, non-repudiation and reliability can also be involved
[ISO/IEC 17799:2005]
3.5
information security event
an identified occurrence of a system, service or network state indicating a possible breach of information
security policy or failure of safeguards, or a previously unknown situation that may be security relevant
[ISO/IEC TR 18044:2004]
3.6
information security incident
a single or a series of unwanted or unexpected information security events that have a significant probability
of compromising business operations and threatening information security
[ISO/IEC TR 18044:2004]
3.7
information security management system
ISMS
that part of the overall management system, based on a business risk approach, to establish, implement,
operate, monitor, review, maintain and improve information security
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities,
practices, procedures, processes and resources.
3.8
integrity
the property of safeguarding the accuracy and completeness of assets
[ISO/IEC 13335-1:2004]
3.9
residual risk
the risk remaining after risk treatment
[ISO/IEC Guide 73:2002]
3.10
risk acceptance
decision to accept a risk
[ISO/IEC Guide 73:2002]
3.11
risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO/IEC Guide 73:2002]
3.12
risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002]
3.13
risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk
[ISO/IEC Guide 73:2002]
3.14
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO/IEC Guide 73:2002]
3.15
risk treatment
process of selection and implementation of measures to modify risk
[ISO/IEC Guide 73:2002]
NOTE: In this International Standard the term ‘control’ is used as a synonym for ‘measure’.
3.16
statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the
organization’s ISMS.
NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk
treatment processes, legal or regulatory requirements, contractual obligations and the organization’s business
requirements for information security.
4 Information security management system
4.1 General requirements
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented
ISMS within the context of the organization’s overall business activities and the risks it faces. For the purposes
of this International Standard the process used is based on the PDCA model shown in Figure 1.
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
The organization shall do the following.
a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the
organization, its location, assets and technology, and including details of and justification for any
exclusions from the scope (see 1.2).
b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets
and technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and
principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security
obligations;
3) aligns with the organization’s strategic risk management context in which the establishment and
maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated (see 4.2.1c)); and
5) has been approved by management.
NOTE: For the purposes of this International Standard, the ISMS policy is considered as a superset of the
information security policy. These policies can be described in one document.
c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business
information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk. (see 5.1f)).
The risk assessment methodology selected shall ensure that risk assessments produce comparable and
reproducible results.
NOTE: There are different methodologies for risk assessment. Examples of risk assessment methodologies are
discussed in ISO/IEC TR 13335-3, Information technology — Guidelines for the management of IT Security —
Techniques for the management of IT Security.
d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners 2) of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
2) The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the
production, development, maintenance, use and security of the assets. The term ’owner’ does not mean that the person
actually has any property rights to the asset.
e) Analyse and evaluate the risks.
1) Assess the business impacts upon the organization that might result from security failures, taking into
account the consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and
vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks
established in 4.2.1c)2).
f) Identify and evaluate options for the treatment of risks.
Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization’s policies
and the criteria for accepting risks (see 4.2.1c)2));
3) avoiding risks; and
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.
g) Select control objectives and controls for the treatment of risks.
Control objectives and controls shall be selected and implemented to meet the requirements identified by
the risk assessment and risk treatment process. This selection shall take account of the criteria for
accepting risks (see 4.2.1c)2)) as well as legal, regulatory and contractual requirements.
The control objectives and controls from Annex A shall be selected as part of this process as suitable to
cover the identified requirements.
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives
and controls may also be selected.
NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be
commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point
for control selection to ensure that no important control options are overlooked.
h) Obtain management approval of the proposed residual risks.
i) Obtain management authorization to implement and operate the ISMS.
j) Prepare a Statement of Applicability.
A Statement of Applicability shall be prepared that includes the following:
1) the control objectives and controls selected in 4.2.1g) and the reasons for their selection;
2) the control objectives and controls currently implemented (see 4.2.1e)2)); and
3) the exclusion of any control objectives and controls in Annex A and the justification for their
exclusion.
NOTE: The Statement of Applicability provides a summary of decisions concerning risk treatment. Justifying
exclusions provides a cross-check that no controls have been inadvertently omitted.
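The steps in 4.2.1 c) to j) above describe a procedure, and the requirement that the methodology produce comparable and reproducible results is easiest to see with a concrete scoring rule. The following Python is an added example written for this page; it is not code from ISO/IEC 27001 or from any certification body. The 1..5 ordinal scales, the impact-times-likelihood scoring, the acceptance threshold of 6, the sample assets and threats, and the ctrl-* identifiers (stand-ins for the Annex A catalogue, which this sample of the standard does not reproduce) are all assumptions. It scores each risk, applies one of the treatment options from 4.2.1 f), computes the residual level to put before management (h)), and builds a Statement of Applicability (j)) that fails the cross-check described in the NOTE whenever a catalogue control is neither selected, already implemented, nor excluded with a justification.

```python
# Added example (not from ISO/IEC 27001:2005): a minimal risk register that walks
# through 4.2.1 c) to j). Scales, threshold, sample assets/threats and the
# ctrl-* identifiers (stand-ins for Annex A) are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)        # assumed ordinal 1..5 scales for impact and likelihood
ACCEPT_AT_OR_BELOW = 6     # 4.2.1 c) 2): assumed criterion for accepting a risk

# Assumed stand-in for the Annex A catalogue; the real control list is not reproduced.
ANNEX_A = {
    "ctrl-access": "access control for the asset",
    "ctrl-backup": "information backup",
    "ctrl-patch": "technical vulnerability management",
    "ctrl-logging": "event logging and monitoring",
}


@dataclass
class Risk:
    asset: str                      # d) 1) asset within the ISMS scope
    owner: str                      # d) 1) person with approved management responsibility
    threat: str                     # d) 2)
    vulnerability: str              # d) 3)
    impact: int                     # e) 1) consequence of C/I/A loss, 1..5
    likelihood: int                 # e) 2) given the controls currently implemented, 1..5
    implemented: list = field(default_factory=list)   # j) 2) controls already in place

    def __post_init__(self):
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError("scores must use the 1..5 scale so results are reproducible")

    def level(self) -> int:         # e) 3) estimate the level of risk
        return self.impact * self.likelihood

    def acceptable(self) -> bool:   # e) 4) compare against the acceptance criteria
        return self.level() <= ACCEPT_AT_OR_BELOW


@dataclass
class Treatment:
    option: str                     # f): "control", "accept", "avoid" or "transfer"
    controls: list = field(default_factory=list)      # g) selected controls
    likelihood_after: Optional[int] = None            # expected effect of the treatment
    impact_after: Optional[int] = None
    justification: str = ""         # required when accepting a risk (f) 2))


def treat(risk: Risk, t: Treatment) -> int:
    """Apply one treatment and return the residual risk level for management (h))."""
    if t.option == "accept":
        # f) 2): only a risk that already meets the acceptance criteria may be
        # accepted, and the decision must be recorded with a justification.
        if not risk.acceptable() or not t.justification:
            raise ValueError(f"{risk.asset}: level {risk.level()} cannot be accepted")
        return risk.level()
    if t.option == "avoid":
        return 0                    # f) 3): the activity carrying the risk is stopped
    if t.option == "control":
        unknown = set(t.controls) - set(ANNEX_A)
        if unknown:
            raise ValueError(f"controls not in the catalogue: {sorted(unknown)}")
    # "control" and "transfer" both change likelihood and/or impact
    lik = t.likelihood_after if t.likelihood_after is not None else risk.likelihood
    imp = t.impact_after if t.impact_after is not None else risk.impact
    return lik * imp


def statement_of_applicability(risks, treatments, exclusions: dict) -> dict:
    """j): selected controls with reasons, controls already implemented, and
    justified exclusions. Raises when a catalogue control is neither selected,
    implemented nor excluded (the cross-check described in the NOTE)."""
    selected, implemented = {}, set()
    for r, t in zip(risks, treatments):
        implemented.update(r.implemented)
        for c in t.controls:
            selected.setdefault(c, []).append(f"{r.threat} against {r.asset}")
    unaccounted = set(ANNEX_A) - set(selected) - implemented - set(exclusions)
    if unaccounted:
        raise ValueError(f"Annex A controls omitted without justification: {sorted(unaccounted)}")
    return {"selected": selected, "implemented": sorted(implemented), "excluded": exclusions}


# Constructed sample register (assumed data, not from any real organization).
RISKS = [
    Risk("customer database", "Head of Sales", "unauthorised disclosure",
         "shared administrator password", impact=5, likelihood=4, implemented=["ctrl-backup"]),
    Risk("public web site", "Head of IT", "defacement", "unpatched web server",
         impact=3, likelihood=3),
    Risk("office printer", "Facilities", "theft", "unlocked print room", impact=1, likelihood=2),
]
TREATMENTS = [
    Treatment("control", ["ctrl-access", "ctrl-logging"], likelihood_after=1),
    Treatment("control", ["ctrl-patch"], likelihood_after=2),
    Treatment("accept", justification="replacement cost is within the acceptance criteria"),
]


def run_cycle():
    """Return residual levels per asset (h)) and the Statement of Applicability (j))."""
    residual = {r.asset: treat(r, t) for r, t in zip(RISKS, TREATMENTS)}
    return residual, statement_of_applicability(RISKS, TREATMENTS, exclusions={})


if __name__ == "__main__":
    levels, soa = run_cycle()
    print("residual levels:", levels)
    print("statement of applicability:", soa)
```

Two design points matter for an audit. First, the acceptance criterion is data (ACCEPT_AT_OR_BELOW), not a judgement made per risk, so two assessors scoring the same asset reach the same decision, which is what "comparable and reproducible" asks for. Second, the Statement of Applicability is derived from the register rather than written separately, so a control that is dropped from every treatment plan surfaces as an error instead of silently disappearing; an exclusion only passes when it carries a justification string, which is the evidence 1.2 requires.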
4.2.2 Implement and operate the ISMS
The organization shall do the following.
a) Formulate a risk treatment plan that identifies the appropriate management action, resources,
responsibilities and priorities for managing information security risks (see 5).
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes
consideration of funding and allocation of roles and responsibilities.
c) Implement controls selected in 4.2.1g) to meet the control objectives.
d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how
these measurements are to be used to assess control effectiveness to produce comparable and
reproducible results (see 4.2.3c)).
NOTE: Measuring the effectiveness of controls allows managers and staff to determine how well controls achieve
planned control objectives.
e) Implement training and awareness programmes (see 5.2.2).
f) Manage operation of the ISMS.
g) Manage resources for the ISMS (see 5.2).
h) Implement procedures and other controls capable of enabling prompt detection of security events and
response to security incidents (see 4.2.3a)).
4.2.3 Monitor and review the ISMS
The organization shall do the following.
a) Execute monitoring and reviewing procedures and other controls to:
1) promptly detect errors in the results of processing;
2) promptly identify attempted and successful security breaches and incidents;
3) enable management to determine whether the security activities delegated to people or implemented
by information technology are performing as expected;
4) help detect security events and thereby prevent security incidents by the use of indicators; and
5) determine whether the actions taken to resolve a breach of security were effective.
b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and
objectives, and review of security controls) taking into account results of securit
...
SLOVENIAN STANDARD
SIST ISO/IEC 27001:2010
1 October 2010
Information technology - Security techniques - Information security management systems - Requirements
This Slovenian standard is identical to: ISO/IEC 27001:2005
ICS: 35.040 Character sets and information coding
SIST ISO/IEC 27001:2010 en,fr
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
---------------------- Page: 1 ----------------------
SIST ISO/IEC 27001:2010
---------------------- Page: 2 ----------------------
SIST ISO/IEC 27001:2010
INTERNATIONAL ISO/IEC
STANDARD 27001
First edition
2005-10-15
Information technology — Security
techniques — Information security
management systems — Requirements
Technologies de l'information — Techniques de sécurité — Systèmes
de gestion de sécurité de l'information — Exigences
Reference number
ISO/IEC 27001:2005(E)
©
ISO/IEC 2005
---------------------- Page: 3 ----------------------
SIST ISO/IEC 27001:2010
ISO/IEC 27001:2005(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2005 – All rights reserved
---------------------- Page: 4 ----------------------
SIST ISO/IEC 27001:2010
ISO/IEC 27001:2005(E)
Contents                                                            Page
Foreword  iv
0 Introduction  v
0.1 General  v
0.2 Process approach  v
0.3 Compatibility with other management systems  vi
1 Scope  1
1.1 General  1
1.2 Application  1
2 Normative references  1
3 Terms and definitions  2
4 Information security management system  3
4.1 General requirements  3
4.2 Establishing and managing the ISMS  4
4.2.1 Establish the ISMS  4
4.2.2 Implement and operate the ISMS  6
4.2.3 Monitor and review the ISMS  6
4.2.4 Maintain and improve the ISMS  7
4.3 Documentation requirements  7
4.3.1 General  7
4.3.2 Control of documents  8
4.3.3 Control of records  8
5 Management responsibility  9
5.1 Management commitment  9
5.2 Resource management  9
5.2.1 Provision of resources  9
5.2.2 Training, awareness and competence  9
6 Internal ISMS audits  10
7 Management review of the ISMS  10
7.1 General  10
7.2 Review input  10
7.3 Review output  11
8 ISMS improvement  11
8.1 Continual improvement  11
8.2 Corrective action  11
8.3 Preventive action  12
Annex A (normative) Control objectives and controls  13
Annex B (informative) OECD principles and this International Standard  30
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard  31
Bibliography  34
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The
adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an
organization’s ISMS is influenced by its needs and objectives, security requirements, the processes
employed and the size and structure of the organization. These and their supporting systems are expected to
change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of
the organization, e.g. a simple situation requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by interested internal and external
parties.
0.2 Process approach
This International Standard adopts a process approach for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity using
resources and managed in order to enable the transformation of inputs into outputs can be considered to be a
process. Often the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and
interactions of these processes, and their management, can be referred to as a “process approach”.
The process approach for information security management presented in this International Standard
encourages its users to emphasize the importance of:
a) understanding an organization’s information security requirements and the need to establish policy and
objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context
of the organization’s overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all
ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and
expectations of the interested parties and through the necessary actions and processes produces information
security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the
processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) 1)
governing the security of information systems and networks. This International Standard provides a robust
model for implementing the principles in those guidelines governing risk assessment, security design and
implementation, security management and reassessment.
1) OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris:
OECD, July 2002. www.oecd.org
EXAMPLE 1
A requirement might be that breaches of information security will not cause serious financial damage to an
organization and/or cause embarrassment to the organization.
EXAMPLE 2
An expectation might be that if a serious incident occurs — perhaps hacking of an organization’s eBusiness
web site — there should be people with sufficient training in appropriate procedures to minimize the impact.
[Figure 1 (diagram): Interested parties supply information security requirements and expectations as input on the left. The cycle in the middle runs Plan (Establish ISMS), Do (Implement and operate the ISMS), Check (Monitor and review the ISMS), Act (Maintain and improve the ISMS). The output on the right is managed information security delivered to the interested parties.]
Figure 1 — PDCA model applied to ISMS processes
Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent
and integrated implementation and operation with related management standards. One suitably designed
management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the
relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its ISMS with related
management system requirements.
INTERNATIONAL STANDARD ISO/IEC 27001:2005(E)
Information technology — Security techniques — Information
security management systems — Requirements
IMPORTANT — This publication does not purport to include all the necessary provisions of a contract.
Users are responsible for its correct application. Compliance with an International Standard does not
in itself confer immunity from legal obligations.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government
agencies, non-profit organizations). This International Standard specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the
context of the organization’s overall business risks. It specifies requirements for the implementation of security
controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect
information assets and give confidence to interested parties.
NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities
that are core to the purposes for the organization’s existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all
organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4,
5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and
evidence needs to be provided that the associated risks have been accepted by accountable persons. Where
any controls are excluded, claims of conformity to this International Standard are not acceptable unless such
exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that
meets the security requirements determined by risk assessment and applicable legal or regulatory
requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation with
ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this
existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information
security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]
3.2
availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]
3.3
confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[ISO/IEC 13335-1:2004]
3.4
information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as
authenticity, accountability, non-repudiation and reliability can also be involved
[ISO/IEC 17799:2005]
3.5
information security event
an identified occurrence of a system, service or network state indicating a possible breach of information
security policy or failure of safeguards, or a previously unknown situation that may be security relevant
[ISO/IEC TR 18044:2004]
3.6
information security incident
a single or a series of unwanted or unexpected information security events that have a significant probability
of compromising business operations and threatening information security
[ISO/IEC TR 18044:2004]
3.7
information security management system
ISMS
that part of the overall management system, based on a business risk approach, to establish, implement,
operate, monitor, review, maintain and improve information security
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities,
practices, procedures, processes and resources.
3.8
integrity
the property of safeguarding the accuracy and completeness of assets
[ISO/IEC 13335-1:2004]
3.9
residual risk
the risk remaining after risk treatment
[ISO/IEC Guide 73:2002]
3.10
risk acceptance
decision to accept a risk
[ISO/IEC Guide 73:2002]
3.11
risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO/IEC Guide 73:2002]
3.12
risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002]
3.13
risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk
[ISO/IEC Guide 73:2002]
3.14
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO/IEC Guide 73:2002]
3.15
risk treatment
process of selection and implementation of measures to modify risk
[ISO/IEC Guide 73:2002]
NOTE: In this International Standard the term ‘control’ is used as a synonym for ‘measure’.
3.16
statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the
organization’s ISMS.
NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk
treatment processes, legal or regulatory requirements, contractual obligations and the organization’s business
requirements for information security.
4 Information security management system
4.1 General requirements
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented
ISMS within the context of the organization’s overall business activities and the risks it faces. For the purposes
of this International Standard the process used is based on the PDCA model shown in Figure 1.
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
The organization shall do the following.
a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the
organization, its location, assets and technology, and including details of and justification for any
exclusions from the scope (see 1.2).
b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets
and technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and
principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security
obligations;
3) aligns with the organization’s strategic risk management context in which the establishment and
maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated (see 4.2.1c)); and
5) has been approved by management.
NOTE: For the purposes of this International Standard, the ISMS policy is considered as a superset of the
information security policy. These policies can be described in one document.
c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business
information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1f)).
The risk assessment methodology selected shall ensure that risk assessments produce comparable and
reproducible results.
NOTE: There are different methodologies for risk assessment. Examples of risk assessment methodologies are
discussed in ISO/IEC TR 13335-3, Information technology — Guidelines for the management of IT Security —
Techniques for the management of IT Security.
d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners 2) of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
2) The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the
production, development, maintenance, use and security of the assets. The term ‘owner’ does not mean that the person
actually has any property rights to the asset.
e) Analyse and evaluate the risks.
1) Assess the business impacts upon the organization that might result from security failures, taking into
account the consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and
vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks
established in 4.2.1c)2).
f) Identify and evaluate options for the treatment of risks.
Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization’s policies
and the criteria for accepting risks (see 4.2.1c)2));
3) avoiding risks; and
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.
g) Select control objectives and controls for the treatment of risks.
Control objectives and controls shall be selected and implemented to meet the requirements identified by
the risk assessment and risk treatment process. This selection shall take account of the criteria for
accepting risks (see 4.2.1c)2)) as well as legal, regulatory and contractual requirements.
The control objectives and controls from Annex A shall be selected as part of this process as suitable to
cover the identified requirements.
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives
and controls may also be selected.
NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be
commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point
for control selection to ensure that no important control options are overlooked.
h) Obtain management approval of the proposed residual risks.
i) Obtain management authorization to implement and operate the ISMS.
j) Prepare a Statement of Applicability.
A Statement of Applicability shall be prepared that includes the following:
1) the control objectives and controls selected in 4.2.1g) and the reasons for their selection;
2) the control objectives and controls currently implemented (see 4.2.1e)2)); and
3) the exclusion of any control objectives and controls in Annex A and the justification for their
exclusion.
NOTE: The Statement of Applicability provides a summary of decisions concerning risk treatment. Justifying
exclusions provides a cross-check that no controls have been inadvertently omitted.
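As an added worked example (not part of the standard), the 4.2.1 c) to j) sequence expressed in Python: a deterministic qualitative scoring so that results are comparable and reproducible, evaluation against risk acceptance criteria, choice of a treatment option, the residual risk that management must approve, and the Statement of Applicability derived from those decisions. The 1 to 5 scales, the threshold, the control identifiers (C-01 and so on, stand-ins for Annex A references, which this page does not reproduce) and the sample risks are all constructed; the standard prescribes no particular methodology.

```python
"""
Constructed example of the ISO/IEC 27001:2005 clause 4.2.1 flow: identify
risks (d), analyse and evaluate them against the acceptance criteria (c, e),
choose a treatment (f), select controls (g), expose the residual risk that
management must approve (h) and derive the Statement of Applicability (j).
Scales, threshold, control ids and sample risks are illustrative only.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# 4.2.1 c)2): criteria for accepting risks. Level = worst-case CIA impact
# (1..5) x likelihood (1..5); levels at or below the threshold are accepted.
ACCEPT_THRESHOLD = 6


@dataclass(frozen=True)
class Control:
    """Candidate control. Ids are placeholders; a real SoA would cite the
    Annex A control numbers (Annex A is not reproduced on this page)."""
    id: str
    name: str
    likelihood_reduction: int      # likelihood steps the control removes
    implemented: bool = False      # 4.2.1 e)2): already in place today?


@dataclass
class Risk:
    """4.2.1 d): asset and owner, threat, vulnerability, C/I/A impacts."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact_cia: Dict[str, int]     # {"C": 1..5, "I": 1..5, "A": 1..5}
    likelihood: int                # 4.2.1 e)2), given current controls
    candidate_controls: List[Control] = field(default_factory=list)
    fallback: str = "avoid"        # f)3)/f)4) when no control is available


@dataclass
class Decision:
    risk: Risk
    level: int                     # 4.2.1 e)3)
    treatment: str                 # accept | apply controls | avoid | transfer
    controls: List[Control]        # 4.2.1 g)
    residual: int                  # 4.2.1 h): what management must approve


def risk_level(risk: Risk) -> int:
    """4.2.1 e)1)-3): worst-case impact across C, I, A times likelihood."""
    return max(risk.impact_cia.values()) * risk.likelihood


def evaluate(risk: Risk, threshold: int = ACCEPT_THRESHOLD) -> Decision:
    """4.2.1 e)4) to g): compare with the acceptance criteria, then treat."""
    level = risk_level(risk)
    if level <= threshold:
        # f)2): knowingly accept; the criteria are already satisfied.
        return Decision(risk, level, "accept", [], level)
    if risk.candidate_controls:
        # f)1)/g): apply controls and re-estimate the residual likelihood.
        reduction = sum(c.likelihood_reduction for c in risk.candidate_controls)
        residual_likelihood = max(1, risk.likelihood - reduction)
        residual = max(risk.impact_cia.values()) * residual_likelihood
        return Decision(risk, level, "apply controls",
                        list(risk.candidate_controls), residual)
    # f)3)/f)4): avoid the activity or transfer the business risk. Here
    # "avoid" is modelled as removing the risk; "transfer" leaves it as is.
    residual = 0 if risk.fallback == "avoid" else level
    return Decision(risk, level, risk.fallback, [], residual)


def needs_management_approval(decisions: List[Decision],
                              threshold: int = ACCEPT_THRESHOLD) -> List[str]:
    """4.2.1 h): assets whose residual risk is still above the criteria."""
    return [d.risk.asset for d in decisions if d.residual > threshold]


def statement_of_applicability(decisions: List[Decision],
                               catalogue: List[Control]) -> Dict[str, list]:
    """4.2.1 j): selected controls with reasons (1), controls already
    implemented (2) and every unselected catalogue control justified (3)."""
    reasons: Dict[str, List[str]] = {}
    for d in decisions:
        for c in d.controls:
            reasons.setdefault(c.id, []).append(
                f"treats '{d.risk.threat}' on {d.risk.asset} (level {d.level})")
    soa: Dict[str, list] = {"selected": [], "implemented": [], "excluded": []}
    for c in catalogue:
        if c.id in reasons:
            soa["selected"].append((c.id, c.name, reasons[c.id]))
            if c.implemented:
                soa["implemented"].append(c.id)
        else:
            soa["excluded"].append(
                (c.id, "no risk above the acceptance criteria requires it"))
    return soa


# Constructed sample data (not from the standard) -----------------------
C_ACCESS = Control("C-01", "Individual accounts and access review", 2)
C_PATCH = Control("C-02", "Technical vulnerability management", 1, True)
C_PHYS = Control("C-03", "Physical entry controls", 1)
CATALOGUE = [C_ACCESS, C_PATCH, C_PHYS]
SAMPLE_RISKS = [
    Risk("customer database", "Head of Sales", "unauthorised access",
         "shared administrator account", {"C": 5, "I": 4, "A": 2}, 3, [C_ACCESS]),
    Risk("public web site", "Marketing Manager", "defacement",
         "unpatched CMS", {"C": 1, "I": 3, "A": 3}, 4, [C_PATCH]),
    Risk("printed brochures", "Reception", "theft",
         "left in open lobby", {"C": 1, "I": 1, "A": 1}, 5),
    Risk("fax line for invoices", "Finance", "interception",
         "unencrypted transmission", {"C": 4, "I": 2, "A": 1}, 3),
]


def run_example():
    decisions = [evaluate(r) for r in SAMPLE_RISKS]
    return decisions, statement_of_applicability(decisions, CATALOGUE)


if __name__ == "__main__":
    decisions, soa = run_example()
    for d in decisions:
        print(f"{d.risk.asset:22} level={d.level:2} {d.treatment:15} "
              f"residual={d.residual}")
    print("residual risks needing approval:", needs_management_approval(decisions))
    print("Statement of Applicability:", soa)
```

The web site risk stays at residual level 9 after its control because the control is modelled as removing only one likelihood step, so it appears in the list management must approve under 4.2.1 h); the excluded control C-03 receives the justification the Statement of Applicability requires under 4.2.1 j)3).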
4.2.2 Implement and operate the ISMS
The organization shall do the following.
a) Formulate a risk treatment plan that identifies the appropriate management action, resources,
responsibilities and priorities for managing information security risks (see 5).
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes
consideration of funding and allocation of roles and responsibilities.
c) Implement controls selected in 4.2.1g) to meet the control objectives.
d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how
these measurements are to be used to assess control effectiveness to produce comparable and
reproducible results (see 4.2.3c)).
NOTE: Measuring the effectiveness of controls allows managers and staff to determine how well controls achieve
pla
...
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Information technology – Security techniques – Information security management systems – RequirementsInformation technology – Security techniques – Information security management systems – RequirementsTa slovenski standard je istoveten z:oSIST ISO/IEC 27001:2006en35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:SLOVENSKI
STANDARDoSIST ISO/IEC 27001:200601-maj-2006
Reference numberISO/IEC 27001:2005(E)© ISO/IEC 2005
INTERNATIONAL STANDARD ISO/IEC27001First edition2005-10-15Information technology — Security techniques — Information security management systems — Requirements Technologies de l'information — Techniques de sécurité — Systèmes de gestion de sécurité de l'information — Exigences
ISO/IEC 27001:2005(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
©
ISO/IEC 2005 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2005 – All rights reserved
ISO/IEC 27001:2005(E) © ISO/IEC 2005 – All rights reserved iiiContents Page Foreword.iv 0 Introduction.v 0.1 General.v 0.2 Process approach.v 0.3 Compatibility with other management systems.vi 1 Scope.1 1.1 General.1 1.2 Application.1 2 Normative references.1 3 Terms and definitions.2 4 Information security management system.3 4.1 General requirements.3 4.2 Establishing and managing the ISMS.4 4.2.1 Establish the ISMS.4 4.2.2 Implement and operate the ISMS.6 4.2.3 Monitor and review the ISMS.6 4.2.4 Maintain and improve the ISMS.7 4.3 Documentation requirements.7 4.3.1 General.7 4.3.2 Control of documents.8 4.3.3 Control of records.8 5 Management responsibility.9 5.1 Management commitment.9 5.2 Resource management.9 5.2.1 Provision of resources.9 5.2.2 Training, awareness and competence.9 6 Internal ISMS audits.10 7 Management review of the ISMS.10 7.1 General.10 7.2 Review input.10 7.3 Review output.11 8 ISMS improvement.11 8.1 Continual improvement.11 8.2 Corrective action.11 8.3 Preventive action.12 Annex A (normative)
Control objectives and controls.13 Annex B (informative)
OECD principles and this International Standard.30 Annex C (informative)
Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard.31 Bibliography.34
ISO/IEC 27001:2005(E) iv © ISO/IEC 2005 – All rights reserved
Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC 27001:2005(E) © ISO/IEC 2005 – All rights reserved v0 Introduction 0.1 General This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution. This International Standard can be used in order to assess conformance by interested internal and external parties. 0.2 Process approach This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS. An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”. 
The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of: a) understanding an organization’s information security requirements and the need to establish policy and objectives for information security; b) implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks; c) monitoring and reviewing the performance and effectiveness of the ISMS; and d) continual improvement based on objective measurement. This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and through the necessary actions and processes produces information security outcomes that meets those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8. The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002)1) governing the security of information systems and networks. This International Standard provides a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.
1) OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org
ISO/IEC 27001:2005(E) vi © ISO/IEC 2005 – All rights reserved
EXAMPLE 1 A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.
EXAMPLE 2 An expectation might be that if a serious incident occurs — perhaps hacking of an organization’s eBusiness web site — there should be people with sufficient training in appropriate procedures to minimize the impact.
InterestedParties Managed information securityInformation security requirements and expectationsInterestedParties PlanDoCheckActMonitor andreview the ISMSMonitor andreview the ISMSImplement andoperate the ISMSImplement andoperate the ISMSMaintain andimprove the ISMSMaintain andimprove the ISMSEstablishISMSEstablishISMSInterestedParties Managed information securityInformation security requirements and expectationsInterestedParties PlanDoCheckActMonitor andreview the ISMSMonitor andreview the ISMSImplement andoperate the ISMSImplement andoperate the ISMSMaintain andimprove the ISMSMaintain andimprove the ISMSEstablishISMSEstablishISMS Figure 1 — PDCA model applied to ISMS processes
Plan (establish the ISMS) Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives. Do (implement and operate the ISMS) Implement and operate the ISMS policy, controls, processes and procedures. Check (monitor and review the ISMS) Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review. Act (maintain and improve the ISMS) Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
0.3 Compatibility with other management systems This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004. This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.
INTERNATIONAL STANDARD ISO/IEC 27001:2005(E)
© ISO/IEC 2005 – All rights reserved
Information technology — Security techniques — Information security management systems — Requirements
IMPORTANT — This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with an International Standard does not in itself confer immunity from legal obligations.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons.
Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]
3.2 availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]
3.3 confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[ISO/IEC 13335-1:2004]
3.4 information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
[ISO/IEC 17799:2005]
3.5 information security event
an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
[ISO/IEC TR 18044:2004]
3.6 information security incident
a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
[ISO/IEC TR 18044:2004]
3.7 information security management system (ISMS)
that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
3.8 integrity
the property of safeguarding the accuracy and completeness of assets
[ISO/IEC 13335-1:2004]
3.9 residual risk
the risk remaining after risk treatment
[ISO/IEC Guide 73:2002]
3.10 risk acceptance
decision to accept a risk
[ISO/IEC Guide 73:2002]
3.11 risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO/IEC Guide 73:2002]
3.12 risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002]
3.13 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk
[ISO/IEC Guide 73:2002]
3.14 risk management
coordinated activities to direct and control an organization with regard to risk
[ISO/IEC Guide 73:2002]
3.15 risk treatment
process of selection and implementation of measures to modify risk
[ISO/IEC Guide 73:2002]
NOTE: In this International Standard the term ‘control’ is used as a synonym for ‘measure’.
3.16 statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.
NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the organization’s business requirements for information security.
4 Information security management system
4.1 General requirements
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces. For the purposes of this International Standard the process used is based on the PDCA model shown in Figure 1.
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
The organization shall do the following.
a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, and including details of and justification for any exclusions from the scope (see 1.2).
b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security obligations;
3) aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated (see 4.2.1c)); and
5) has been approved by management.
NOTE: For the purposes of this International Standard, the ISMS policy is considered as a superset of the information security policy. These policies can be described in one document.
c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1f)).
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
NOTE: There are different methodologies for risk assessment. Examples of risk assessment methodologies are discussed in ISO/IEC TR 13335-3, Information technology — Guidelines for the management of IT Security — Techniques for the management of IT Security.
d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners (see footnote 2) of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
Footnote 2) The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term ‘owner’ does not mean that the person actually has any property rights to the asset.
e) Analyse and evaluate the risks.
1) Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established in 4.2.1c)2).
f) Identify and evaluate options for the treatment of risks. Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization’s policies and the criteria for accepting risks (see 4.2.1c)2));
3) avoiding risks; and
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.
g) Select control objectives and controls for the treatment of risks.
Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1c)2)) as well as legal, regulatory and contractual requirements.
The control objectives and controls from Annex A shall be selected as part of this process as suitable to cover the identified requirements.
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.
NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlooked.
h) Obtain management approval of the proposed residual risks.
i) Obtain management authorization to implement and operate the ISMS.
j) Prepare a Statement of Applicability.
A Statement of Applicability shall be prepared that includes the following:
1) the control objectives and controls selected in 4.2.1g) and the reasons for their selection;
2) the control objectives and controls currently implemented (see 4.2.1e)2)); and
3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.
NOTE: The Statement of Applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
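Steps c) to j) of 4.2.1 form one procedure: a scoring method that gives comparable and reproducible results, identification of assets, threats, vulnerabilities and impacts, estimation of risk levels, an accept-or-treat decision against the acceptance criteria, residual risks put before management, and a Statement of Applicability that justifies exclusions as well as selections. The following is an added worked example of that chain, not text or code from ISO/IEC 27001:2005 or from ISO/IEC. The 1 to 5 rating scales, the acceptance threshold, the assets, the threat scenarios, and the Annex A control identifiers and titles are all assumptions made for this illustration.

```python
"""Added example (not part of ISO/IEC 27001:2005): 4.2.1 c) to j) as a small,
deterministic risk register and Statement of Applicability generator.
Scales, threshold, assets, scenarios and control identifiers are assumptions."""
from dataclasses import dataclass

# 4.2.1 c)2): risk acceptance criteria (assumed). Impact and likelihood are rated
# 1..5, the risk level is their product, and a level at or below ACCEPT_THRESHOLD
# is acceptable without further treatment.
ACCEPT_THRESHOLD = 6

@dataclass(frozen=True)
class Asset:
    """d)1) and d)4): an in-scope asset, its owner, and the impact (1..5) of a
    loss of confidentiality "C", integrity "I" or availability "A"."""
    name: str
    owner: str
    impact: dict

@dataclass(frozen=True)
class Scenario:
    """d)2)-3): a threat that could exploit a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    prop: str                  # security property affected: "C", "I" or "A"
    likelihood: int            # e)2): realistic likelihood given current controls, 1..5
    controls: tuple            # g): proposed controls (identifiers are assumptions)
    residual_likelihood: int   # likelihood expected once the proposed controls operate

@dataclass(frozen=True)
class RiskResult:
    scenario: Scenario
    level: int                 # e)3): estimated risk level
    treatment: str             # f): "accept" or "apply controls"
    residual: int              # h): residual risk proposed for management approval

def risk_level(impact: int, likelihood: int) -> int:
    """e)3): one fixed scoring rule, so results are comparable and reproducible."""
    for rating in (impact, likelihood):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} is outside the 1..5 scale")
    return impact * likelihood

def assess(assets, scenarios):
    """Steps d) to h) over a list of scenarios; output order is fixed by sorting."""
    by_name = {a.name: a for a in assets}
    results = []
    for s in sorted(scenarios, key=lambda s: (s.asset, s.threat)):
        impact = by_name[s.asset].impact[s.prop]
        level = risk_level(impact, s.likelihood)
        if level <= ACCEPT_THRESHOLD:
            # f)2): knowingly accepted because it already meets the criteria
            results.append(RiskResult(s, level, "accept", level))
        else:
            # f)1): apply controls; the residual is what remains after treatment
            residual = risk_level(impact, s.residual_likelihood)
            results.append(RiskResult(s, level, "apply controls", residual))
    return results

def residuals_above_criteria(results):
    """h): residual risks still above the criteria need explicit management sign-off."""
    return [r for r in results if r.residual > ACCEPT_THRESHOLD]

def statement_of_applicability(annex_a, results):
    """j): every control with a decision and a reason; exclusions are justified
    too, which is the cross-check that nothing was omitted by accident."""
    soa = {}
    for control, title in annex_a.items():
        reasons = [f"{r.scenario.asset}: {r.scenario.threat}" for r in results
                   if r.treatment == "apply controls" and control in r.scenario.controls]
        soa[control] = {
            "title": title,
            "selected": bool(reasons),
            "justification": ("treats risk(s): " + "; ".join(reasons)) if reasons
                             else "no risk in scope requires this control",
        }
    return soa

# Constructed sample data for this example; not taken from the standard.
ASSETS = [
    Asset("customer database", "head of sales", {"C": 5, "I": 4, "A": 3}),
    Asset("public website", "marketing lead", {"C": 1, "I": 3, "A": 4}),
]
SCENARIOS = [
    Scenario("customer database", "SQL injection by an external attacker",
             "unvalidated input in the web application", "C", 3, ("A.12.2.1",), 1),
    Scenario("customer database", "disk failure", "no redundant storage",
             "A", 2, ("A.10.5.1",), 1),
    Scenario("public website", "defacement", "weak administrator password",
             "I", 4, ("A.11.3.1",), 3),
    Scenario("public website", "hosting provider outage", "single hosting provider",
             "A", 1, ("A.14.1.3",), 1),
]
ANNEX_A = {  # identifiers and titles assumed for illustration
    "A.10.5.1": "Information back-up",
    "A.11.3.1": "Password use",
    "A.12.2.1": "Input data validation",
    "A.14.1.3": "Developing and implementing continuity plans",
}

if __name__ == "__main__":
    register = assess(ASSETS, SCENARIOS)
    for r in register:
        print(f"{r.scenario.asset:18} {r.scenario.threat:38} level={r.level:2} "
              f"{r.treatment:14} residual={r.residual}")
    for r in residuals_above_criteria(register):
        print(f"needs management approval: {r.scenario.threat} residual={r.residual}")
    for control, entry in statement_of_applicability(ANNEX_A, register).items():
        state = "selected" if entry["selected"] else "excluded"
        print(f"{control} {state}: {entry['justification']}")
```

Running the file prints the register, the residual risks that still exceed the criteria, and the Statement of Applicability. The check in residuals_above_criteria is the point of h): choosing to "apply controls" does not by itself discharge the requirement, because a residual that is still above the acceptance criteria must be put to management for explicit approval rather than carried forward silently.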
4.2.2 Implement and operate the ISMS
The organization shall do the following.
a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
c) Implement controls selected in 4.2.1g) to meet the control objectives.
d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results (see 4.2.3c)).
NOTE: Measuring the effectiveness of controls allows managers and staff to determine how well controls achieve planned control objectives.
e) Implement training and awareness programmes (see 5.2.2).
f) Manage operation of the ISMS.
g) Manage resources for the ISMS (see 5.2).
h) Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents (see 4.2.3a)).
4.2.3 Monitor and review the ISMS
The organization shall do the following.
a) Execute monitoring and reviewing procedures and other controls to:
1) promptly detect errors in the results of processing;
2) promptly identify attempted and successful security breaches and incidents;
3) enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
4) help detect security events and thereby prevent security incidents by the use of indicators; and
5) determine whether the actions taken to resolve a breach of security were effective.
b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls) taking into account results of security audits, incidents, results from effectiveness measurements, suggestions and feedback from all interested parties.
c) Measure the effectiveness of controls to verify that security requirements have been met.
d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account changes to:
1) the organization;
2) technology;
3) business objectives and processes;
4) identified threats;
5) effectiveness of the implemented controls; and
6) external events, such as changes to the legal or regulatory environme
...
INTERNATIONAL STANDARD ISO/IEC 27001 (French-language edition)
First edition
2005-10-15
Information technology — Security techniques — Information security management systems — Requirements
Reference number
ISO/CEI 27001:2005(F)
© ISO/IEC 2005
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax. + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
French version published in 2007
Published in Switzerland
Contents
Foreword
0 Introduction
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions
4 ISMS
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annex A (normative) Control objectives and controls
Annex B (informative) The OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO and IEC shall not be held responsible for failing to identify any such rights or to give notice of their existence.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS (Information Security Management System). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS take account of its needs and objectives, its security requirements, the processes employed, and the size and structure of the organization. These elements and their supporting systems are expected to change over time. The ISMS implementation should be scaled in accordance with the needs of the organization; for example, a simple situation requires an equally simple ISMS solution.
This International Standard can be used for conformity assessment audits carried out by internal or external parties.
0.2 Process approach
This International Standard encourages the adoption of a process approach for establishing, implementing, operating, monitoring and reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.
The "process approach" refers to the application of a system of processes within an organization, together with the identification and interactions of these processes, and their management.
The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:
a) understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS;
d) continual improvement of the system based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) process model, also known as the Deming wheel, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links between the processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model also reflects the principles set out in the OECD Guidelines (2002) 1) governing the security of information systems and networks. This International Standard provides a robust model for implementing those principles in the guidelines governing risk assessment, security design and implementation, and security management and reassessment.
EXAMPLE 1
A requirement might be that any breach of information security will cause no serious financial damage to the organization and/or no harm to the organization.
EXAMPLE 2
An expectation might be that, if a serious incident occurs, for example the hacking of the organization's online commerce web site, the organization has people with sufficient training in appropriate procedures to reduce the impact of that incident.
Figure 1 — PDCA model applied to ISMS processes
Plan (establish the ISMS): Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security so as to deliver results in accordance with the organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against the policy, objectives and practical experience, and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review, or other relevant information, to achieve continual improvement of the ISMS.
1) OECD Guidelines for the Security of Information Systems and Networks — Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with the other management standards. One suitably designed management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship between the clauses and subclauses of this International Standard and ISO 9001:2000 and ISO 14001:2004.
This International Standard has been designed to enable an organization to align or integrate its ISMS with the requirements of other management systems.
INTERNATIONAL STANDARD ISO/CEI 27001:2005(F)
Information technology — Security techniques — Information security management systems — Requirements
IMPORTANT — This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with an ISO/IEC standard does not in itself confer immunity from legal obligations.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring and reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. This document specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect assets and give confidence to interested parties.
NOTE 1 References to "business" in this standard should be interpreted broadly. They refer to those activities that are core to the organization's purposes.
NOTE 2 ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7 and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria shall be justified, and evidence shall be provided that the associated risks have been accepted by accountable persons.
Where controls are excluded, claims of conformity to this International Standard are acceptable only if such exclusions do not affect the organization's ability and/or responsibility to provide information security that meets the security requirements determined by risk assessment and the applicable regulatory requirements.
NOTE If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this standard within that existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]
3.2 availability
property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]
3.3 confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
[ISO/IEC 13335-1:2004]
3.4 information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
[ISO/IEC 17799:2005]
3.5 information security event
identified occurrence of a system, service or network state indicating a possible breach of the information security policy or a failure of safeguards, or a previously unknown situation that may be security relevant
[ISO/IEC TR 18044:2004]
3.6 information security incident
one or more unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
[ISO/IEC TR 18044:2004]
3.7
information security management system (ISMS)
part of the overall management system, based on a business risk approach, intended to establish,
implement, operate, monitor, review, maintain and improve information security
NOTE The management system includes the organization, policies, planning activities,
responsibilities, practices, procedures, processes and resources.
3.8
integrity
property of safeguarding the accuracy and completeness of assets
[ISO/IEC 13335-1:2004]
3.9
residual risk
risk remaining after risk treatment
[ISO/IEC Guide 73:2002]
3.10
risk acceptance
decision to accept a risk
[ISO/IEC Guide 73:2002]
3.11
risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO/IEC Guide 73:2002]
3.12
risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002]
3.13
risk evaluation
process of comparing the estimated risk against given risk criteria to determine its
significance
[ISO/IEC Guide 73:2002]
3.14
risk management
coordinated activities to direct and control an organization with regard to risk
[ISO/IEC Guide 73:2002]
3.15
risk treatment
process of selecting and implementing measures intended to reduce risk
[ISO/IEC Guide 73:2002]
NOTE In this International Standard the term "control" is used as a synonym for "measure".
3.16
statement of applicability (SoA)
documented statement describing the control objectives and the controls that are relevant and applicable
to an organization's ISMS
NOTE The control objectives and controls are based on the results and conclusions of the risk assessment and
risk treatment processes, legal or regulatory requirements, contractual obligations and the organization's business
requirements for information security.
4 ISMS
4.1 General requirements
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented
ISMS within the context of the organization's overall business activities and the risks they face. For the
purposes of this International Standard, the process used is based on the PDCA model shown in Figure 1.
4.2 Establishing and managing the ISMS
4.2.1 Establishing the ISMS
The organization shall do the following:
a) define the scope and boundaries of the ISMS in terms of the characteristics of the business, the
organization, its location, its assets and its technology, including details of and justification for any
exclusions from the scope (see 1.2);
b) define an ISMS policy in terms of the characteristics of the business, the organization, its location, its
assets and its technology, which:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles
for action with regard to information security;
2) takes into account business requirements and legal or regulatory requirements, as well as
contractual security obligations;
3) aligns with the organization's strategic risk management context, within which the establishment
and maintenance of the ISMS will take place;
4) establishes the criteria against which risk will be evaluated [see 4.2.1c)];
5) has been approved by management.
NOTE For the purposes of this document, the ISMS policies are considered a superset of the
information security policy. These policies may be described in a single document.
c) define the organization's risk assessment approach:
1) identify a risk assessment methodology suited to the ISMS and to the organization's identified
information security, legal and regulatory requirements;
2) develop criteria for accepting risks and identify the acceptable levels of risk
[see 5.1f)];
The risk assessment methodology selected shall ensure that risk assessments produce comparable
and reproducible results.
NOTE There are different risk assessment methodologies. Examples of risk assessment methodologies
are presented in ISO/IEC TR 13335-3, Information technology — Guidelines for the management of IT
security — Part 3: Techniques for the management of IT security.
d) identify the risks:
1) identify the assets within the scope of the ISMS and their owners (see footnote 2);
2) identify the threats to those assets;
3) identify the vulnerabilities that might be exploited by the threats;
4) identify the impacts that losses of confidentiality, integrity and availability may have on
the assets;
e) analyse and evaluate the risks:
1) assess the business impact on the organization that might result from a security failure, taking
into account the consequences of a loss of confidentiality, integrity or availability of the assets;
2) assess the realistic likelihood of such a security failure in the light of the prevailing threats and
vulnerabilities, the impacts associated with these assets and the controls currently
implemented;
3) estimate the levels of risk;
4) determine whether the risks are acceptable or require treatment, using the risk acceptance
criteria established in [4.2.1c)2)];
f) identify and evaluate the options for treating the risks;
Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, provided they are acceptable with regard to the
organization's policies and the risk acceptance criteria
[see 4.2.1c)2)];
3) avoiding or refusing risks;
4) transferring the associated business risks to third parties, for example insurers or suppliers;
g) select control objectives and controls for the treatment of
risks.
Control objectives and controls shall be selected and implemented to meet the requirements identified
by the risk assessment and risk treatment process. This selection shall take account of the risk
acceptance criteria [see 4.2.1c)] as well as legal, regulatory and contractual requirements.
2) The term "owner" identifies an individual or entity that has accepted responsibility for controlling the
production, development, maintenance, use and protection of the assets. The term does not mean that the
person actually holds property rights over the asset.
The control objectives and controls defined in Annex A shall be selected as an integral part of this
process, insofar as they are able to satisfy these
requirements.
The control objectives and controls listed in Annex A are not
exhaustive, and additional control objectives and controls may
also be selected.
NOTE Annex A contains a comprehensive list of control objectives and controls that have been found to be
commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting
point for control selection, to ensure that no important control option
is overlooked.
h) obtain management approval of the proposed residual risks;
i) obtain management authorization to implement and operate the ISMS;
j) prepare an SoA;
An SoA shall be prepared and shall include the following information:
1) the control objectives and controls selected in 4.2.1g) and the reasons for
their selection;
2) the control objectives and
...
SLOVENIAN STANDARD SIST ISO/IEC 27001
October 2010
Information technology – Security techniques – Information security management systems – Requirements
(title given in Slovenian, English and French)
Reference designation: SIST ISO/IEC 27001:2010 (sl), ICS 35.040
Continued on pages 2 to 35
© 2013-05: Slovenian Institute for Standardization. Reproduction or copying of this standard, in whole or in part, is not permitted.
SIST ISO/IEC 27001 : 2010
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27001 (sl), Information technology – Security techniques – Information security
management systems – Requirements, 2010, has the status of a Slovenian standard and is identical to the
international standard ISO/IEC 27001 (en), Information technology – Security techniques –
Information security management systems – Requirements, first edition, 2005-10-15.
NATIONAL FOREWORD
The international standard ISO/IEC 27001:2005 was prepared by subcommittee ISO/IEC JTC 1/SC 27,
IT Security techniques, of the joint technical committee of the International Organization for
Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27001:2010 is a translation of the international standard ISO/IEC
27001:2005. The Slovenian standard SIST ISO/IEC 27001:2010 was prepared by technical committee SIST/TC ITC
Information technology. In the event of a dispute concerning the text of the Slovenian translation, the original
international standard in English prevails.
The decision to issue this standard was taken by SIST/TC ITC Information technology on
23 April 2010.
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27001:2005
NOTES
– Wherever the term "International Standard" is used in the text of the standard, in SIST ISO/IEC
27001:2010 it means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
– The definitions of terms are taken from the following international standards:
ISO/IEC 13335-1, Information technology – Security techniques – Management of information
and communications technology security – Part 1: Concepts and models for information and
communications technology security management
ISO/IEC 17799, Information technology – Code of practice for information security management
ISO/IEC TR 18044, Information technology – Security techniques – Information security incident
management
ISO/IEC Guide 73, Risk management – Vocabulary
– In the text of SIST ISO/IEC 27001, clauses 0.3, 1.1, 1.2, 2, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.8, 3.9,
3.10, 3.11, 3.12, 3.13, 3.14, 3.15 and 6 and the annex refer to the international standards ISO 9001,
ISO/IEC 13335-1, ISO/IEC 13335-3, ISO/IEC 13335-4, ISO/IEC 17799, ISO/IEC TR 18044, ISO
19011, ISO 14001, ISO/IEC Guide 62 and ISO/IEC Guide 73. In every case their latest edition
is meant.
– The standard ISO/IEC 17799 was renumbered ISO/IEC 27002 in 2007.
CONTENTS
Foreword
0 Introduction
0.1 General
0.2 Process approach
0.3 Compatibility with other management systems
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions
4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annex A (normative): Control objectives and controls
Annex B (informative): OECD principles and this International Standard
Annex C (informative): Correspondence between ISO 9001:2000, ISO 14001:2004
and this International Standard
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental,
in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to all members for voting. Publication as an
International Standard requires approval by at least 75 % of the members casting
a vote.
Attention is drawn to the possibility that some of the elements of this International Standard may be the
subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such
patent rights.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an information security management system
(ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and
implementation of an organization's ISMS are influenced by its needs and objectives, security requirements,
the processes employed and the size and structure of the organization. These factors and their supporting
systems are expected to change over time. It is expected that an ISMS implementation will be scaled in
accordance with the needs of the organization; for example, a simple situation requires a simple ISMS solution.
This International Standard can be used by internal and external parties to assess conformity.
0.2 Process approach
This International Standard adopts a process approach for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity
that uses resources and is managed in order to enable the transformation of inputs into outputs can be
considered a process. Often the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and
interactions of these processes, and their management, can be referred to as a "process approach".
The process approach for information security management presented in this International
Standard encourages its users to emphasize the importance of:
a) understanding an organization's information security requirements and the need to establish an
information security policy and objectives,
b) implementing and operating controls to manage an organization's information security risks
within the context of the organization's overall business risks,
c) monitoring and reviewing the performance and effectiveness of the ISMS, and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure
all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security
requirements and expectations of the interested parties and, through the necessary actions and
processes, produces information security outcomes that meet those requirements and expectations. Figure 1
also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles set out in the OECD Guidelines (2001) 1), which govern
the security of information systems and networks. This International Standard provides a robust model for
implementing the principles in those guidelines that govern risk assessment, security design and implementation,
and security management and reassessment.
EXAMPLE 1:
A requirement might be that breaches of information security will not cause serious financial damage to the
organization and/or embarrass it.
EXAMPLE 2:
An expectation might be that if a serious incident occurs – perhaps hacking of the organization's
e-business web site – people with sufficient training in the appropriate procedures should be available to
minimize the impact as effectively as possible.
1) OECD Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security. Paris: OECD,
July 2002. www.oecd.org.
[Figure 1 (diagram not reproduced): the PDCA cycle Plan (Establish the ISMS) – Do (Implement and operate the ISMS) – Check (Monitor and review the ISMS) – Act (Maintain and improve the ISMS), taking the information security requirements and expectations of interested parties as input and delivering managed information security to interested parties as output.]
Figure 1: PDCA model applied to ISMS processes
Plan (establish the ISMS): Establish the ISMS policy, objectives, processes and procedures relevant to
managing risk and improving information security, so as to deliver results in accordance with the
organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against the
ISMS policy, objectives and practical experience, and report the results to management for
review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the
internal ISMS audits, management reviews and other relevant information, in order to achieve
continual improvement of the ISMS.
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and
integrated implementation and operation with related management standards. One suitably designed
management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship
between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its
ISMS with the requirements of related management systems.
Information technology – Security techniques – Information security management
systems – Requirements
IMPORTANT – This publication does not purport to include all the necessary provisions of a contract. Users
are responsible for its correct application. Compliance with an International Standard does not of
itself confer immunity from legal obligations.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises,
government agencies, not-for-profit organizations). This International Standard specifies the requirements for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving
a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the
implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect
information and give confidence to interested parties.
NOTE 1: References to "business" in this International Standard should be interpreted broadly to mean those activities that are
core to the purposes of the organization's existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all
organizations, regardless of type, size and nature. Excluding any of the requirements specified in
Clauses 4, 5, 6, 7 and 8 is not acceptable when an organization claims conformity to this International
Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be
justified, and evidence needs to be provided that the associated risks have been accepted by the
accountable persons. Where any controls are excluded, claims of conformity to this International
Standard are not acceptable unless such exclusions do not affect the organization's ability and/or
responsibility to provide information security that meets the security requirements determined by
risk assessment and the applicable legal and regulatory requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation to ISO 9001 or ISO
14001), it is preferable in most cases to satisfy the requirements of this International Standard within this
existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this standard. For dated references,
only the edition cited applies. For undated references, the latest edition of the referenced document
(including any amendments) applies.
ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information
security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]
3.2
availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]
3.3
confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities or
processes
[ISO/IEC 13335-1:2004]
3.4
information security
preservation of the confidentiality, integrity and availability of information; in addition, other
properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved
[ISO/IEC 17799:2005]
3.5
information security event
an identified occurrence in a system, service or network indicating a possible breach of information
security policy or a failure of controls, or a previously unknown situation that may be relevant to
security
[ISO/IEC TR 18044:2004]
3.6
information security incident
one or more unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security
[ISO/IEC TR 18044:2004]
3.7
information security management system
ISMS
that part of the overall management system, based on a business risk approach, which is intended to
establish, implement, operate, monitor, review, maintain and improve information
security
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices,
procedures, processes and resources.
3.8
integrity
the property of safeguarding the accuracy and completeness of assets
[ISO/IEC 13335-1:2004]
3.9
residual risk
the risk remaining after risk treatment
[ISO/IEC Guide 73:2002]
3.10
risk acceptance
decision to accept a risk
[ISO/IEC Guide 73:2002]
3.11
risk analysis
systematic use of information to identify sources and to estimate the risk
[ISO/IEC Guide 73:2002]
3.12
risk assessment
the overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002]
3.13
risk evaluation
the process of comparing the estimated risk against the risk criteria to determine the significance of
the risk
[ISO/IEC Guide 73:2002]
3.14
risk management
coordinated activities of an organization to direct and control risk
[ISO/IEC Guide 73:2002]
3.15
risk treatment
the process of selecting and implementing measures to modify risk
[ISO/IEC Guide 73:2002]
NOTE: In this International Standard the term "control" is used as a synonym for "measure".
3.16
statement of applicability
a documented statement describing the control objectives and controls that are relevant and applicable to the
organization's ISMS
NOTE: The control objectives and controls are based on the results and conclusions of the risk assessment and risk
treatment processes, legal and regulatory requirements, contractual obligations and the organization's business
requirements for information security.
4 Information security management system
4.1 General requirements
The organization shall establish, implement, operate, monitor, review, maintain and
improve a documented ISMS within the context of the organization's overall business activities and the risks
it faces. In this International Standard the process used is based on the PDCA model
shown in Figure 1.
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
The organization shall do the following:
a) define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets
and technology, including details of and justification for any exclusions from the scope (see 1.2);
b) define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and
technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles for
action with regard to information security,
2) takes into account business, legal and regulatory requirements and contractual security obligations,
3) aligns with the organization's strategic risk management context in which the establishment and
maintenance of the ISMS will take place,
4) establishes criteria against which risk will be evaluated (see 4.2.1.c)) and
5) has been approved by management;
NOTE: In this International Standard the ISMS policy is considered an extension of the information security policy. These
policies can be described in one document.
c) define the organization's risk assessment approach:
1) identify a risk assessment methodology that is suited to the ISMS and to the identified
business information security, legal and regulatory requirements,
2) develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1.f));
The risk assessment methodology selected shall ensure that risk assessments produce
comparable and reproducible results.
NOTE: There are different methodologies for risk assessment. Examples of risk assessment methodologies are
discussed in ISO/IEC TR 13335-3, Information technology – Guidelines for the management of IT
security – Techniques for the management of IT security.
d) identify the risks:
1) identify the assets within the scope of the ISMS and their owners (see footnote 2),
2) identify the threats to those assets,
3) identify the vulnerabilities that might be exploited by the threats,
4) identify the impacts that losses of confidentiality, integrity and availability may have on those
assets;
e) analyse and evaluate the risks:
1) assess the business impacts on the organization that might result from security failures, taking
into account the consequences of a loss of confidentiality, integrity or availability of the assets,
2) The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development,
maintenance, use and security of the assets. The term "owner" does not mean that the person actually has any property
rights to the asset.
2) assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities,
the impacts associated with these assets and the controls currently implemented,
3) estimate the levels of risk,
4) determine whether the risks are acceptable or require treatment, using the risk acceptance
criteria established in 4.2.1.c)2);
f) identify and evaluate options for the treatment of risks:
Possible actions are:
1) applying appropriate controls,
2) knowingly and objectively accepting risks, provided they clearly satisfy the organization's policies
and the risk acceptance criteria (see 4.2.1.c)2)),
3) avoiding risks and
4) transferring the associated business risks to other parties, for example insurers or suppliers;
g) select control objectives and controls for the treatment of risks;
Control objectives and controls shall be selected and implemented so as to meet the requirements identified in
the risk assessment and risk treatment processes. The selection shall take account of the risk acceptance criteria
(see 4.2.1.c)2)) as well as legal, regulatory and contractual requirements.
The control objectives and controls from Annex A shall be selected as part of this process as suitable
for satisfying the identified requirements.
The control objectives and controls listed in Annex A are not exhaustive, and additional control objectives
and controls may be selected.
NOTE: Annex A contains a comprehensive list of control objectives and controls that have been found to be commonly
relevant in organizations. Users of this International Standard are directed to Annex A as a
starting point for control selection, to ensure that no important control option is overlooked.
h) obtain management approval of the proposed residual risks;
i) obtain management authorization to implement and operate the ISMS;
j) prepare a statement of applicability:
The statement of applicability shall be prepared so as to include:
1) the control objectives and controls selected in 4.2.1.g) and the reasons for their selection,
2) the control objectives and controls currently implemented (see 4.2.1.e)2)) and
3) the exclusion of any control objectives and controls from Annex A and the justification for their exclusion.
NOTE: The statement of applicability provides a summary of the decisions concerning risk treatment. Justifying exclusions
provides a cross-check that no controls have been inadvertently omitted.
4.2.2 Implement and operate the ISMS
The organization shall do the following:
a) formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and
priorities for managing information security risks (see 5);
b) implement the risk treatment plan in order to achieve the identified control objectives, which includes
consideration of funding and the allocation of roles and responsibilities;
c) implement the controls selected in 4.2.1.g) to meet the control objectives;
d) define how to measure the effectiveness of the selected controls or groups of controls, and specify how these
measurements are to be used to assess control effectiveness so as to produce comparable and reproducible results (see
4.2.3.c));
NOTE: Measuring the effectiveness of controls allows management and staff to determine how well the controls achieve the planned
control objectives.
e) implement training and awareness programmes (see 5.2.2);
f) manage the operation of the ISMS;
g) manage resources for the ISMS (see 5.2);
h) implement procedures and other controls capable of enabling prompt detection of security events
and response to security incidents (see 4.2.3.a)).
4.2.3 Monitor and review the ISMS
The organization shall do the following:
a) execute monitoring and reviewing procedures and other controls to:
1) promptly detect errors in the results of processing,
2) promptly identify attempted and successful security breaches and incidents,
3) enable management to determine whether the security activities delegated to people or
implemented by information technology are performing as expected,
4) help detect security events and thereby prevent security incidents by the use of
indicators, and
5) determine whether the actions taken to resolve a security breach were effective;
b) undertake regular reviews of the effectiveness of the ISMS (including meeting the ISMS policy and objectives and
reviewing the security controls), taking into account the results of security audits, incidents,
results from effectiveness measurements, and suggestions and feedback from all interested parties;
c) measure the effectiveness of controls to verify that security requirements have been met;
d) review risk assessments at planned intervals, and review the residual risks
and the identified acceptable levels of risk, taking into account changes to:
1) the organization,
2) technology,
3) business objectives and processes,
4) identified threats,
5) the effectiveness of the implemented controls and
6) external events, such as changes to the legal and regulatory environment,
...