INTERNATIONAL STANDARD ISO/IEC 27002
Second edition

Information technology — Security techniques — Code of practice for information security controls
Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour le management de la sécurité de l'information

Reference number ISO/IEC 27002:2013(E)
© ISO/IEC 2013. All rights reserved.

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
  4.1 Clauses
  4.2 Control categories
5 Information security policies
  5.1 Management direction for information security
6 Organization of information security
  6.1 Internal organization
  6.2 Mobile devices and teleworking
7 Human resource security
  7.1 Prior to employment
  7.2 During employment
  7.3 Termination and change of employment
8 Asset management
  8.1 Responsibility for assets
  8.2 Information classification
  8.3 Media handling
9 Access control
  9.1 Business requirements of access control
  9.2 User access management
  9.3 User responsibilities
  9.4 System and application access control
10 Cryptography
  10.1 Cryptographic controls
11 Physical and environmental security
  11.1 Secure areas
  11.2 Equipment
12 Operations security
  12.1 Operational procedures and responsibilities
  12.2 Protection from malware
  12.3 Backup
  12.4 Logging and monitoring
  12.5 Control of operational software
  12.6 Technical vulnerability management
  12.7 Information systems audit considerations
13 Communications security
  13.1 Network security management
  13.2 Information transfer
14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
  14.2 Security in development and support processes
  14.3 Test data
15 Supplier relationships
  15.1 Information security in supplier relationships
  15.2 Supplier service delivery management
16 Information security incident management
  16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
  17.1 Information security continuity
  17.2 Redundancies
18 Compliance
  18.1 Compliance with legal and contractual requirements
  18.2 Information security reviews
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been technically and structurally revised.

0 Introduction

0.1 Background and context

This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001, or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s).

Organizations of all types and sizes (including public and private sector, commercial and non-profit) collect, process, store and transmit information in many forms, including electronic, physical and verbal (e.g. conversations and presentations).

The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and the related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats, while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems or other external changes (such as new laws and regulations) may create new information security risks. Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organization, information security risks are always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and then reduces the impacts to its assets.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. An ISMS such as that specified in ISO/IEC 27001 takes a holistic, coordinated view of the organization's information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.

Many information systems have not been designed to be secure in the sense of ISO/IEC 27001 and this standard. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires support by all employees in the organization. It can also require participation from shareholders, suppliers or other external parties. Specialist advice from external parties can also be needed.

In a more general sense, effective information security also assures management and other stakeholders that the organization's assets are reasonably safe and protected against harm, thereby acting as a business enabler.

0.2 Information security requirements

It is essential that an organization identifies its security requirements. There are three main sources of security requirements:

a) the assessment of risks to the organization, taking into account the organization's overall business strategy and objectives.
Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;

b) the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;

c) the set of principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organization has developed to support its operations.

Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect against these risks.

ISO/IEC 27005 provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.

0.3 Selecting controls

Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate.

The selection of controls is dependent upon organizational decisions based on the criteria for risk acceptance, the risk treatment options and the general risk management approach applied to the organization, and should also be subject to all relevant national and international legislation and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organizations. The controls are explained in more detail below along with implementation guidance. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005.

0.4 Developing your own guidelines

This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required. When documents are developed containing additional guidelines or controls, it may be useful to include cross-references to clauses in this standard, where applicable, to facilitate compliance checking by auditors and business partners.

0.5 Lifecycle considerations

Information has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their lifetime (e.g. unauthorized disclosure or theft of a company's financial accounts is far less significant after they have been formally published), but information security remains important to some extent at all stages.

Information systems have lifecycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actual incidents and current and projected information security risks into account.

0.6 Related standards

While this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000 family provide complementary advice or requirements on other aspects of the overall process of managing information security.

Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000 provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of standards, and describes the scope and objectives for each member of the family.

INTERNATIONAL STANDARD ISO/IEC 27002:2013(E)

Information technology — Security techniques — Code of practice for information security controls

1 Scope

This International Standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).

This International Standard is designed to be used by organizations that intend to:

a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;

b) implement commonly accepted information security controls;

c) develop their own information security management guidelines.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Structure of this standard

This standard contains 14 security control clauses collectively containing a total of 35 main security categories and 114 controls.

4.1 Clauses

Each clause defining security controls contains one or more main security categories.

The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important; therefore each organization applying this standard should identify the applicable controls, how important these are and their application to individual business processes. Furthermore, lists in this standard are not in priority order.

4.2 Control categories

Each main security control category contains:

a) a control objective stating what is to be achieved;

b) one or more controls that can be applied to achieve the control objective.

Control descriptions are structured as follows:

Control
Defines the specific control statement, to satisfy the control objective.

Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the control objective. The guidance may not be entirely suitable or sufficient in all situations and may not fulfil the organization's specific control requirements.

Other information
Provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided, this part is not shown.

5 Information security policies

5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for information security

Control
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

Implementation guidance
At the highest level, organizations should define an "information security policy" which is approved by management and which sets out the organization's approach to managing its information security objectives.

Information security policies should address requirements created by:

a) business strategy;

b) regulations, legislation and contracts;

c) the current and projected information security threat environment.

The information security policy should contain statements concerning:

a) definition of information security, objectives and principles to guide all activities relating to information security;

b) assignment of general and specific responsibilities for information security management to defined roles;

c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.

Examples of such policy topics include:

a) access control (see Clause 9);

b) information classification (and handling) (see 8.2);

c) physical and environmental security (see Clause 11);

d) end user oriented topics such as:
  1) acceptable use of assets (see 8.1.3);
  2) clear desk and clear screen (see 11.2.9);
  3) information transfer (see 13.2.1);
  4) mobile devices and teleworking (see 6.2);
  5) restrictions on software installations and use (see 12.6.2);

e) backup (see 12.3);

f) information transfer (see 13.2);

g) protection from malware (see 12.2);

h) management of technical vulnerabilities (see 12.6.1);

i) cryptographic controls (see Clause 10);

j) communications security (see Clause 13);

k) privacy and protection of personally identifiable information (see 18.1.4);

l) supplier relationships (see Clause 15).

These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an "information security awareness, education and training programme" (see 7.2.2).

Other information
The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations, where those defining and approving the expected levels of control are segregated from those implementing the controls, or in situations where a policy applies to many different people or functions in the organization. Policies for information security can be issued in a single "information security policy" document or as a set of individual but related documents.

If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.
Some organizations use other terms for these policy documents, such as "Standards", "Directives" or "Rules".

5.1.2 Review of the policies for information security

Control
The policies for information security should be reviewed at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

Implementation guidance
Each policy should have an owner who has approved management responsibility for the development, review and evaluation of the policies. The review should include assessing opportunities for improvement of the organization's policies and approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions or technical environment.

The review of policies for information security should take the results of management reviews into account.

Management approval for a revised policy should be obtained.

6 Organization of information security

6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information security roles and responsibilities

Control
All information security responsibilities should be defined and allocated.

Implementation guidance
Allocation of information security responsibilities should be done in accordance with the information security policies (see 5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities, and in particular for acceptance of residual risks, should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.

Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed.

Areas for which individuals are responsible should be stated.
In particular, the following should take place:

a) the assets and information security processes should be identified and defined;

b) the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented (see 8.1.2);

c) authorization levels should be defined and documented;

d) to be able to fulfil responsibilities in the information security area, the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;

e) coordination and oversight of information security aspects of supplier relationships should be identified and documented.

Other information
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.

6.1.2 Segregation of duties

Control
Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Implementation guidance
Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered.
Other information
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization's assets.

6.1.3 Contact with authorities

Control
Appropriate contacts with relevant authorities should be maintained.

Implementation guidance
Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted, and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws may have been broken).

Other information
Organizations under attack from the Internet may need authorities to take action against the attack source.

Maintaining such contacts may be a requirement to support information security incident management (see Clause 16) or the business continuity and contingency planning process (see Clause 17). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations which have to be implemented by the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety, e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).

6.1.4 Contact with special interest groups

Control
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Implementation guidance
Membership in special interest groups or forums should be considered as a means to:

a) improve knowledge about best practices and stay up to date with relevant security information;

b) ensure the understanding of the information security environment is current and complete;

c) receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;

d) gain access to specialist information security advice;

e) share and exchange information about new technologies, products, threats or vulnerabilities;

f) provide suitable liaison points when dealing with information security incidents (see Clause 16).

Other information
Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

6.1.5 Information security in project management

Control
Information security should be addressed in project management, regardless of the type of the project.

Implementation guidance
Information security should be integrated into the organization's project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes. The project management methods in use should require that:

a) information security objectives are included in project objectives;

b) an information security risk assessment is conducted at an early stage of the project to identify necessary controls;

c) information security is part of all phases of the applied project methodology.

Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles defined in the project management methods.
6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Mobile device policy

Control
A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

Implementation guidance
When using mobile devices, special care should be taken to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.

The mobile device policy should consider:

a) registration of mobile devices;

b) requirements for physical protection;

c) restriction of software installation;

d) requirements for mobile device software versions and for applying patches;

e) restriction of connection to information services;

f) access controls;

g) cryptographic techniques;

h) malware protection;

i) remote disabling, erasure or lockout;

j) backups;

k) usage of web services and web apps.

Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid unauthorized access to, or disclosure of, the information stored and processed by these devices, e.g. using cryptographic techniques (see Clause 10) and enforcing the use of secret authentication information (see 9.2.4).

Mobile devices should also be physically protected against theft, especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting places. A specific procedure, taking into account legal, insurance and other security requirements of the organization, should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.

Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and the controls that should be implemented.
Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider:

a) separation of private and business use of the devices, including using software to support such separation and protect business data on a private device;

b) providing access to business information only after users have signed an end user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data, and allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service. This policy needs to take account of privacy legislation.

Other information
Mobile device wireless connections are similar to other types of network connection, but have important differences that should be considered when identifying controls. Typical differences are:

a) some wireless security protocols are immature and have known weaknesses;

b) information stored on mobile devices may not be backed up because of limited network bandwidth or because mobile devices may not be connected at the times when backups are scheduled.

Mobile devices generally share common functions, e.g. networking, internet access, e-mail and file handling, with fixed use devices. Information security controls for mobile devices generally consist of those adopted for the fixed use devices and those that address threats raised by their usage outside the organization's premises.

6.2.2 Teleworking

Control
A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.
Implementation guidance
Organizations allowing teleworking activities should issue a policy that defines the conditions and restrictions for using teleworking. Where deemed applicable and allowed by law, the following matters should be considered:

a) the existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;

b) the proposed physical teleworking environment;

c) the communications security requirements, taking into account the need for remote access to the organization's internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system;

d) the provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;

e) the threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends;

f) the use of home networks and requirements or restrictions on the configuration of wireless network services;

g) policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;

h) access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation;

i) software licensing agreements that are such that organizations may become liable for licensing for client software on workstations owned privately by employees or external party users;

j) malware protection and firewall requirements.
The guidelines and arrangements to be considered should include:

a) the provision of suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment that is not under the control of the organization is not allowed;

b) a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access;

c) the provision of suitable communication equipment, including methods for securing remote access;

d) physical security;

e) rules and guidance on family and visitor access to equipment and information;

f) the provision of hardware and software support and maintenance;

g) the provision of insurance;

h) the procedures for backup and business continuity;

i) audit and security monitoring;

j) revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated.

Other information
Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as "telecommuting", "flexible workplace", "remote work" and "virtual work" environments.

7 Human resource security

7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

7.1.1 Screening

Control
Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Implementation guidance
Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation, and should, where permitted, include the following:

a) availability of satisfactory character references, e.g. one business and one personal;

b) a verification (for completeness and accuracy) of the applicant's curriculum vitae;

c) confirmation of claimed academic and professional qualifications;

d) independent identity verification (passport or similar document);

e) more detailed verification, such as credit review or review of criminal records.

When an individual is hired for a specific information security role, organizations should make sure the candidate:

a) has the necessary competence to perform the security role;

b) can be trusted to take on the role, especially if the role is critical for the organization.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and in particular if these are handling confidential information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed verifications.

Procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people, and how, when and why verification reviews are carried out.

A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify responsibilities for conducting the screening and the notification procedures that need to be followed if screening has not been completed or if the results give cause for doubt or concern.

Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction.
Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

7.1.2 Terms and conditions of employment

Control
The contractual agreements with employees and contractors should state their and the organization's responsibilities for information security.

Implementation guidance
The contractual obligations for employees or contractors should reflect the organization's policies for information security, in addition to clarifying and stating:

a) that all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities (see 13.2.4);

b) the employee's or contractor's legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see 18.1.2 and 18.1.4);

c) responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor (see Clause 8);

d) responsibilities of the employee or contractor for the handling of information received from other companies or external parties;

e) actions to be taken if the employee or contractor disregards the organization's security requirements (see 7.2.3).

Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.

The organization should ensure that employees and contractors agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization's assets associated with information systems and services.

Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see 7.3).

Other information
A code of conduct may be used to state the employee's or contractor's information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization's equipment and facilities, as well as reputable practices expected by the organization. An external party, with which a contractor is associated, can be required to enter into contractual arrangements on behalf of the contracted individual.

7.2 During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
7.2.1 Management responsibilities

Control
Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Implementation guidance
Management responsibilities should include ensuring that employees and contractors:

a) are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;

b) are provided with guidelines to state information security expectations of their role within the organization;

c) are motivated to fulfil the information security policies of the organization;

d) achieve a level of awareness on information security relevant to their roles and responsibilities within the organization (see 7.2.2);

e) conform to the terms and conditions of employment, which includes the organization's information security policy and appropriate methods of working;

f) continue to have the appropriate skills and qualifications and are educated on a regular basis;

g) are provided with an anonymous reporting channel to report violations of information security policies or procedures ("whistle blowing").

Management should demonstrate support of information security policies, procedures and controls, and act as a role model.

Other information
If employees and contractors are not made aware of their information security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

Poor management can cause personnel to feel undervalued, resulting in a negative information security impact on the organization. For example, poor management can lead to information security being neglected or to potential misuse of the organization's assets.

7.2.2 Information security awareness, education and training

Control
All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation guidance

An information security awareness programme should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged.

An information security awareness programme should be established in line with the organization's information security policies and relevant procedures, taking into consideration the organization's information to be protected and the controls that have been implemented to protect the information. The awareness programme should include a number of awareness-raising activities such as campaigns (e.g. an "information security day") and issuing booklets or newsletters.

The awareness programme should be planned taking into consideration the employees' roles in the organization and, where relevant, the organization's expectation of the awareness of contractors. The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new employees and contractors. The awareness programme should also be updated regularly so it stays in line with organizational policies and procedures, and should be built on lessons learnt from information security incidents.

Awareness training should be performed as required by the organization's information security awareness programme. Awareness training can use different delivery media including classroom-based, distance learning, web-based, self-paced and others.
Information security education and training should also cover general aspects such as:

a) stating management's commitment to information security throughout the organization;
b) the need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts and agreements;
c) personal accountability for one's own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties;
d) basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls and clear desks);
e) contact points and resources for additional information and advice on information security matters, including further information security education and training materials.

Information security education and training should take place periodically. Initial education and training applies to those who transfer to new positions or roles with substantially different information security requirements, not just to new starters, and should take place before the role becomes active.

The organization should develop the education and training programme in order to conduct the education and training effectively. The programme should be in line with the organization's information security policies and relevant procedures, taking into consideration the organization's information to be protected and the controls that have been implemented to protect the information. The programme should consider different forms of education and training, e.g. lectures or self-studies.

Other information

When composing an awareness programme, it is important not only to focus on the "what" and "how", but also the "why". It is important that employees understand the aim of information security and the potential impact, positive and negative, on the organization of their own behaviour.

Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training.
Awareness, education and training activities should be suitable and relevant to the individual's roles, responsibilities and skills.

An assessment of the employees' understanding could be conducted at the end of an awareness, education and training course to test knowledge transfer.

7.2.3 Disciplinary process

Control

There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Implementation guidance

The disciplinary process should not be commenced without prior verification that an information security breach has occurred (see 16.1.7).

The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of information security. The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required.

The disciplinary process should also be used as a deterrent to prevent employees from violating the organization's information security policies and procedures, and any other information security breaches. Deliberate breaches may require immediate actions.

Other information

The disciplinary process can also become a motivation or an incentive if positive sanctions are defined for remarkable behaviour with regard to information security.

7.3 Termination and change of employment

Objective: To protect the organization's interests as part of the process of changing or terminating employment.

7.3.1 Termination or change of employment responsibilities

Control

Information security responsibilities and duties that remain valid after termination or change of employment should be defined,
communicated to the employee or contractor and enforced.

Implementation guidance

The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement (see 13.2.4) and the terms and conditions of employment (see 7.1.2) continuing for a defined period after the end of the employee's or contractor's employment.

Responsibilities and duties still valid after termination of employment should be contained in the employee's or contractor's terms and conditions of employment (see 7.1.2).

Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.

Other information

The human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects of the relevant procedures. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the organization and the external party.

It may be necessary to inform employees, customers or contractors of changes to personnel and operating arrangements.

8 Asset management

8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

8.1.1 Inventory of assets

Control

Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

Implementation guidance

An organization should identify assets relevant in the lifecycle of information and document their importance. The lifecycle of information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

The asset inventory should be accurate, up to date, consistent and aligned with other inventories.

For each of the identified assets, ownership of the asset should be assigned (see 8.1.2) and the classification should be identified (see 8.2).
Other information

Inventories of assets help to ensure that effective protection takes place, and may also be required for other purposes, such as health and safety, insurance or financial reasons (asset management).

ISO/IEC 27005 provides examples of assets that might need to be considered by the organization when identifying assets. The process of compiling an inventory of assets is an important prerequisite of risk management (see also ISO/IEC 27000 and ISO/IEC 27005).

8.1.2 Ownership of assets

Control

Assets maintained in the inventory should be owned.

Implementation guidance

Individuals as well as other entities having approved management responsibility for the asset lifecycle qualify to be assigned as asset owners.

A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset lifecycle.

The asset owner should:

a) ensure that assets are inventoried;
b) ensure that assets are appropriately classified and protected;
c) define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;
d) ensure proper handling when the asset is deleted or destroyed.

Other information

The identified owner can be either an individual or an entity who has approved management responsibility for controlling the whole lifecycle of an asset. The identified owner does not necessarily have any property rights to the asset.

Routine tasks may be delegated, e.g. to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner.

In complex information systems it may be useful to designate groups of assets which act together to provide a particular service. In this case the owner of this service is accountable for the delivery of the service, including the operation of its assets.
8.1.3 Acceptable use of assets

Control

Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.

Implementation guidance

Employees and external party users using or having access to the organization's assets should be made aware of the information security requirements of the organization's assets associated with information and information processing facilities and resources. They should be responsible for their use of any information processing resources and of any such use carried out under their responsibility.

8.1.4 Return of assets

Control

All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Implementation guidance

The termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.

In cases where an employee or external party user purchases the organization's equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment (see 11.2.7).

In cases where an employee or external party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the organization.

During the notice period of termination, the organization should control unauthorized copying of relevant information (e.g. intellectual property) by terminated employees and contractors.

8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
8.2.1 Classification of information

Control

Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

Implementation guidance

Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with the classification of information which is stored in, processed by or otherwise handled or protected by the asset.

Owners of information assets should be accountable for their classification.

The classification scheme should include conventions for classification and criteria for review of the classification over time. The level of protection in the scheme should be assessed by analysing confidentiality, integrity and availability and any other requirements for the information considered.

The scheme should be aligned to the access control policy (see 9.1.1).

Each level should be given a name that makes sense in the context of the classification scheme's application.

The scheme should be consistent across the whole organization so that everyone will classify information and related assets in the same way, have a common understanding of protection requirements and apply the appropriate protection.

Classification should be included in the organization's processes, and be consistent and coherent across the organization. Results of classification should indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity and availability.
Results of classification should be updated in accordance with changes of their value, sensitivity and criticality through their lifecycle.

Other information

Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

Information can cease to be sensitive or critical after a certain period of time, for example, when the information has been made public. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or, on the contrary, under-classification can endanger the achievement of business objectives.

An example of an information confidentiality classification scheme could be based on four levels as follows:

a) disclosure causes no harm;
b) disclosure causes minor embarrassment or minor operational inconvenience;
c) disclosure has a significant short-term impact on operations or tactical objectives;
d) disclosure has a serious impact on long-term strategic objectives or puts the survival of the organization at risk.

8.2.2 Labelling of information

Control

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Implementation guidance

Procedures for information labelling need to cover information and its related assets in physical and electronic formats. The labelling should reflect the classification scheme established in 8.2.1. The labels should be easily recognizable.
The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of media. The procedures can define cases where labelling is omitted, e.g. labelling of non-confidential information to reduce workloads. Employees and contractors should be made aware of labelling procedures.

Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

Other information

Labelling of classified information is a key requirement for information sharing arrangements. Physical labels and metadata are a common form of labelling.

Labelling of information and its related assets can sometimes have negative effects. Classified assets are easier to identify and accordingly to steal by insiders or external attackers.

8.2.3 Handling of assets

Control

Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Implementation guidance

Procedures should be drawn up for handling, processing, storing and communicating information consistent with its classification (see 8.2.1).