Professional Documents
Culture Documents
Iso 27000 2018 Standards For Information Security
Iso 27000 2018 Standards For Information Security
I N TERNATIONAL ISO/IEC
S TANDARD 2 7000
Fifth editio n
2 0 1 8- 0 2
Reference numb er
I SO /I EC 2 7 0 0 0 : 2 0 1 8 (E )
© I SO /I E C 2 0 1 8
© I SO /I EC 2 0 1 8
All rights reserved. Unless otherwise specified, or required in the context o f its implementation, no part o f this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country o f the requester.
ISO copyright o ffice
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www. iso .o rg
Published in Switzerland
Contents Page
Foreword .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. iv
Introduction . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . v
1 Scope . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 1
2 Normative references . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 1
4.2.2 Information . . . . . . .. . . . . . . . . .. . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 12
4.2.4 Management . . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 12
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) .. . . . . . . . 19
5.3 Standards speci fying requirements . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 19
5.3.1 ISO/IEC 27001 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 19
5.3.2 ISO/IEC 27006 . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 20
Foreword
ISO (the International Organization for Standardization) is a worldwide federation o f national standards
bodies (ISO member bodies). The work o f preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters o f
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the di fferent approval criteria needed for the
di fferent types o f ISO documents should be noted. This document was dra fted in accordance with the
editorial rules o f the ISO/IEC Directives, Part 2 (see www. iso . org/direc tives) .
Attention is drawn to the possibility that some o f the elements o f this document may be the subject o f
patent rights. ISO shall not be held responsible for identi fying any or all such patent rights. Details o f
any patent rights identified during the development o f the document will be in the Introduction and/or
on the ISO list o f patent declarations received (see www. iso . org/patents) .
Any trade name used in this document is in formation given for the convenience o f users and does not
constitute an endorsement.
For an explanation on the voluntary nature o f standards, the meaning o f ISO specific terms and
expressions related to con formity assessment, as well as in formation about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www. iso . org/ iso/foreword . htm l .
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fi fth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned on the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
Introduction
0.1 O verview
I nternationa l Sta ndard s for management s ys tem s provide a mo del to fol low in s e tti ng up a nd
op erati ng a management s ys tem . T h i s mo del i ncor p orate s the fe atu re s on wh ich exp er ts i n the field
have re ache d a con s en s u s as b ei ng the i nternationa l s tate o f the a r t. I S O/I E C J TC 1/S C 2 7 mai ntai n s an
exp er t com m itte e de d ic ate d to the development o f i nternationa l management s ys tem s s tandard s for
i n formation s e c u rity, o ther wi s e known a s the I n formation S e c u rity M anagement s ys tem (I S M S ) fam i ly
o f s tandard s .
T h rough the u s e o f the I S M S fam i ly o f s ta ndard s , organ i z ation s c a n develop and i mplement a fra mework
for managi ng the s e c u rity o f thei r i n formation as s e ts , i nclud i ng fi na nc ia l i n formation, i ntel le c tua l
s tandard s c an a l s o b e u s e d to prep are for an i ndep endent a s s e s s ment o f thei r I S M S appl ie d to the
b) provide d i re c t s upp or t, de tai le d gu idance a nd/or i nter pre tation for the overa l l pro ce s s to e s tabl i s h,
— “s ha l l” i nd ic ate s a re qu i rement;
I n formation marke d as " NO T E " is for gu ida nce in unders ta nd i ng or clari fyi ng the as s o c iate d
re qu i rement. “No te s to entr y” u s e d i n C lau s e 3 provide add itiona l i n formation that s upp lements the
term i nolo gic a l data and c an contai n provi s ion s relati ng to the u s e o f a term .
1 Scope
This document provides the overview o f in formation security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family o f standards. This document is
applicable to all types and sizes o f organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
2 Normative references
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use o f an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itsel f, or by an external party on its behal f.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3 .4
audit scope
extent and boundaries o f an audit (3.3 )
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision o f assurance that a claimed characteristic o f an entity is correct
3 .6
authenticity
property that an entity is what it claims to be
3 .7
availability
property o f being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms o f an attribute and the method for quanti fying it
Note 1 to entry: A base measure is functionally independent o f other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3 .9
competence
ability to apply knowledge and skills to achieve intended results
3 .10
confidentiality
property that in formation is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3 .11
conformity
fulfilment o f a requirement (3.56 )
3 .1 2
consequence
outcome o f an event (3.21) a ffecting objectives (3.49 )
Note 1 to entry: An event can lead to a range o f consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context o f in formation security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on e ffects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed a fter “and”.]
3 .13
continual improvement
recurring activity to enhance performance (3.52 )
3 .14
control
measure that is modi fying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modi fy
risk (3.61 ) .
Note 2 to entry: It is possible that controls not always exert the intended or assumed modi fying e ffect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3 .15
control obj ective
statement describing what is to be achieved as a result o f implementing controls (3.14)
3 .16
correction
action to eliminate a detected nonconformity (3.47 )
3 .17
corrective action
action to eliminate the cause o f a nonconformity (3.47) and to prevent recurrence
3 .18
derived measure
measure (3.42) that is defined as a function o f two or more values o f base measures (3.8 )
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3 .19
documented information
in formation required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented in formation can be in any format and media and from any source.
Note 2 to entry: Documented in formation can re fer to
— the management system ( 3.41), including related processes (3.54);
— in formation created in order for the organization (3.50) to operate (documentation);
— evidence o f results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3 . 21
event
occurrence or change o f a particular set o f circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist o f something not happening.
Note 3 to entry: An event can sometimes be re ferred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
externa l envi ronment i n wh ich the orga ni z ation s e eks to ach ieve its objectives (3 .49 )
— the c u ltu ra l , s o c ia l , p ol itic a l , le ga l , re g u l ato r y, fi n a nc ia l , te ch nolo gic a l , e cono m ic, n atu ra l a nd co mp e titive
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 3 .1 .1]
3.23
governance of information security
s ys tem by wh ich an organization’s (3 . 5 0 ) information security (3 . 2 8 ) ac tivitie s are d i re c te d and
control led
3.24
governing body
p ers on or group o f p e ople who are accou ntable for the performance ( 3 . 5 2 ) and con form ity o f the
organization (3 . 5 0 )
3 .25
indicator
measure (3 .42 ) that provide s a n e s ti mate or eva luation
3.26
information need
i n s ight ne ce s s ar y to ma nage objectives (3 .49) , go a l s , ri s ks and problem s
3 . 27
information processing facilities
any i n formation pro ce s s i ng s ys tem, s er vice or i n fra s truc tu re, or the phys ic a l lo c ation hou s i ng it
3.28
information security
pre s er vation o f confidentiality (3 .10) , integrity (3 . 3 6) and availability (3 .7 ) o f i n formation
N o te 1 to entr y: I n add ition , o ther prop er tie s , s uch a s authenticity ( 3 . 6 ) , accou ntab i l ity, non-repudiation ( 3 . 4 8) ,
a nd reliability (3 . 5 5 ) c a n a l s o b e i nvol ve d .
3.29
information security continuity
processes (3 . 5 4) a nd pro ce du re s for en s u ri ng conti nue d information security (3 . 2 8) op eration s
3.30
information security event
identi fie d o cc u rrence o f a s ys tem, s er vice or ne twork s tate i nd ic ati ng a p o s s ible bre ach o f information
s e c u rity (3 . 2 8 ) policy (3 . 5 3 ) or fa i lu re of controls (3 .14) , or a previou s ly u n known s ituation th at c an b e
s e c u rity releva nt
3 . 31
information security incident
s i ngle or a s erie s o f u nwa nte d or u ne xp e c te d information security events (3 . 3 0) th at h ave a s ign i fic a nt
prob abi l ity o f comprom i s i ng bu s i ne s s op eration s and th re aten i ng information security (3 . 2 8 )
3 . 32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31 )
3.33
information security management s ystem (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more in formation
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share in formation
Note 1 to entry: An organization can be an individual.
3 . 35
information system
set o f applications, services, in formation technology assets, or other in formation-handling components
3.36
integrity
property o f accuracy and completeness
3 . 37
interested party (preferred term)
stakeholder (admitted term)
p erson or organization (3.50) that can a ffect, be a ffected by, or perceive itsel f to be a ffected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies ( 3.53), objectives ( 3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms o f resources and knowledge (e.g. capital, time, people, processes (3.54),
systems and technologies);
— information systems (3.35), in formation flows and decision-making processes (both formal and in formal);
— relationships with, and perceptions and values o f, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— f orm and extent o f contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude o f a risk ( 3.61) expressed in terms o f the combination o f consequences (3.12) and their
likelihood (3.40 )
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination o f risks” has been deleted in the
definition.]
3 .40
likelihood
chance o f something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3 .41
management system
set o f interrelated or interacting elements o f an organization (3.50) to establish policies ( 3.53) and
objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope o f a management system may include the whole o f the organization, specific and
identified functions o f the organization, specific and identified sections o f the organization, or one or more
functions across a group o f organizations.
3 .42
measure
variable to which a value is assigned as the result o f measurement (3.43 )
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified — Note 2 to entry has been deleted.]
3 .43
measurement
process (3.54) to determine a value
3 .44
measurement function
algorithm or calculation per formed to combine two or more base measures (3.8 )
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3 .45
measurement method
logical sequence o f operations, described generically, used in quanti fying an attribute with respect to a
specified scale
Note 1 to entry: The type o f measurement method depends on the nature o f the operations used to quanti fy an
attribute (3.4). Two types can be distinguished:
3 .49
obj ective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to di fferent disciplines (such as financial, health and sa fety, and
environmental goals) and can apply at di fferent levels [such as strategic, organization-wide, project, product and
process ( 3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an in formation security objective or by the use o f other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: In the context o f in formation security management systems, in formation security objectives are
set by the organization, consistent with the in formation security policy, to achieve specific results.
3 . 50
organization
person or group o f people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.49 )
Note 1 to entry: The concept o f organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereo f, whether incorporated
or not, public or private.
3 . 51
outsource
make an arrangement where an external organization (3.50) per forms part o f an organization’s function
orprocess (3.54)
Note 1 to entry: An external organization is outside the scope o f the management system ( 3.41), although the
outs ource d func tion or pro ces s i s with i n the s cop e.
3 . 52
performance
measurable result
Note 1 to entry: Per formance can relate either to quantitative or qualitative findings.
Note 2 to entry: Per formance can relate to the management o f activities, processes (3.54), products (including
services), systems or organizations (3.50 ) .
3 . 53
policy
intentions and direction o f an organization (3.50), as formally expressed by its top management (3.75 )
3.54
process
set o f interrelated or interacting activities which trans forms inputs into outputs
3 . 55
reliability
property o f consistent intended behaviour and results
3.56
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented in formation.
3 . 57
residual risk
risk (3.61) remaining a fter risk treatment (3.72 )
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be re ferred to as “retained risk”.
3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) o f the subject matter
to achieve established objectives (3.49 )
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
3 . 59
review obj ect
specific item being reviewed
3 .60
review obj ective
statement describing what is to be achieved as a result o f a review (3.59 )
3 .61
risk
e ffect o f uncertainty on objectives (3.49 )
Note 1 to entry: An e ffect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, o f deficiency o f in formation related to, understanding or
knowledge o f, an event, its consequence, or likelihood.
Note 3 to entry: Risk is o ften characterized by re ference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination o f these.
Note 4 to entry: Risk is o ften expressed in terms o f a combination o f the consequences o f an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) o f occurrence.
Note 5 to entry: In the context o f in formation security management systems, in formation security risks can be
expressed as e ffect o f uncertainty on in formation security objectives.
Note 6 to entry: In formation security risk is associated with the potential that threats will exploit vulnerabilities
o f an in formation asset or group o f in formation assets and thereby cause harm to an organization.
3 .62
risk acceptance
in formed decision to take a particular risk (3.61)
Note 1 to entry: Risk acceptance can occur without risk treatment (3.72 ) or duri ng the process ( 3.54) o f risk
treatment.
Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58 ) .
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
3 .63
risk analysis
process (3.54) to comprehend the nature o f risk (3.61) and to determine the level of risk (3.39 )
Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72 ) .
Note 2 to entry: Risk analysis includes risk estimation.
[SOURCE: ISO Guide 73:2009, 3.6.1]
3 .6 4
risk assessment
overa l l process (3 . 5 4) of risk identification ( 3 . 6 8) , risk analysis (3 . 63 ) and risk evaluation ( 3 . 67 )
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 .4.1]
3 .65
risk communication and consultation
s e t o f conti nua l a nd iterati ve processes (3 . 5 4) that an orga ni z ation conduc ts to provide, sh are or ob tai n
i n formation, and to engage i n d i a lo gue with stakeholders (3 . 3 7 ) regard i ng the ma nagement o f risk (3 . 61)
N o te 1 to entr y: T he i n fo rm ation can rel ate to the e xi s tence , n atu re , for m , likelihood ( 3 . 41) , s ign i fic a nce ,
No te 2 to entr y: C on s u ltation i s a two -way pro ces s o f i n forme d com mu n ication b etwe en an organization (3 . 5 0) and
its s takeholders on an is s ue prior to making a de ci s ion or de term in ing a di re c tion on that i s s ue . C on s u ltation is
3 .66
risk criteria
term s o f re ference aga i n s t wh ich the s ign i fic ance o f risk (3 . 61) i s eva luate d
N o te 2 to entr y: Ri s k c r iter ia c a n b e der ive d fro m s ta nda rd s , l aws , policies (3 . 5 3 ) a nd o ther requirements (3 . 5 6 ) .
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 3 .1 . 3 ]
3 .67
risk evaluation
process ( 3 . 5 4) o f comp a ri ng the re s u lts o f risk analysis ( 3 . 6 3 ) with risk criteria ( 3 . 6 6 ) to determine
whether the risk (3 . 61) and/or its magn itude i s accep table or tolerable
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 .7.1]
3 .68
r i s k i d e n t i fi c a t i o n
N o te 1 to entr y: Ri s k identi fic ation i nvol ve s the identi fic ation o f r i s k s o u rce s , events (3 . 2 1) , thei r c au s e s a nd thei r
p o tenti a l consequences (3 .1 2 ) .
N o te 2 to entr y: Ri s k identi fic ation c a n i nvol ve h i s to r ic a l d ata, the ore tic a l a n a l ys i s , i n for me d a nd e xp er t o pi n io n s ,
a nd stakeholders’ ( 3 . 3 7 ) ne ed s .
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 5 .1]
3 .69
risk management
co ord i nate d ac tivitie s to d i re c t and control an organization ( 3 . 5 0) with re ga rd to risk (3 . 61)
[S OU RC E : I S O Gu ide 7 3 : 2 0 0 9, 2 .1]
3 .70
risk management process
s ys tematic appl ic ation o f ma nagement policies ( 3 . 5 3 ) , pro ce du re s and prac tice s to the ac tivitie s o f
com mun icati ng , con s u lti ng , e s tabl i sh i ng the conte xt and identi fyi ng , a na lys i ng , eva luati ng , tre ati ng ,
3 .71
risk owner
p ers on or entity with the accou ntabi l ity and authority to manage a risk (3 . 61)
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9, 3 . 5 .1 . 5 ]
3 .72
risk treatment
process (3 . 5 4) to mo d i fy risk (3 . 61 )
— ta ki ng o r i nc re a s i n g ri s k i n order to pu rs ue a n op p or tu n ity;
— ch a n gi n g the likelihood (3 . 4 0) ;
— ch a n gi n g the consequences (3 .1 2 ) ;
[S O U RC E : I S O Gu ide 7 3 : 2 0 0 9 , 3 . 8 . 1 , mo d i fie d — “ de c i s io n” h a s b e e n re p l ac e d b y “c ho i c e ” i n N o te 1
to e ntr y.]
3 .73
security implementation standard
do c u ment s p e ci fyi ng authori ze d ways for re a l i z i ng s e c u rity
3 .74
threat
p o tentia l c au s e o f an u nwante d i nc ident, wh ich c a n re s u lt i n harm to a s ys tem or organization (3 . 5 0 )
3 .75
top management
p ers on or group o f p e ople who d i re c ts and control s a n organization ( 3 . 5 0) at the h ighe s t level
N o te 1 to entr y: Top m a n agement h a s the p ower to dele gate author ity a nd p rovide re s o u rce s with i n the
orga n i z atio n .
N o te 2 to entr y: I f the s cop e o f the management system ( 3 . 41) co vers o n l y p a r t o f a n orga n i z ation , then top
Note 3 to entry: Top management is sometimes called executive management and can include Chie f Executive
O fficers, Chie f Financial O fficers, Chie f In formation O fficers, and similar roles.
3 .76
trusted information communication entity
autonomous organization ( 3.50) supporting in formation exchange within an information sharing
community (3.34)
3 .77
vulnerability
weakness o f an asset or control (3.14) that can be exploited by one or more threats (3.74)
4.1 General
An ISMS consists o f the policies, procedures, guidelines, and associated resources and activities,
collectively managed by an organization, in the pursuit o f protecting its in formation assets. An ISMS is
a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining
In formation is an asset that, like other important business assets, is essential to an organization’s
business and, consequently, needs to be suitably protected. In formation can be stored in many forms,
including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on
paper), as well as unrepresented in formation in the form o f knowledge o f the employees. In formation
can be transmitted by various means including: courier, electronic or verbal communication. Whatever
form in formation takes, or the means by which it is transmitted, it always needs appropriate protection.
In formation security ensures the confidentiality, availability and integrity o f in formation. In formation
security involves the application and management o f appropriate controls that involves consideration
o f a wide range o f threats, with the aim o f ensuring sustained business success and continuity, and
minimizing consequences o f in formation security incidents.
In formation security is achieved through the implementation o f an applicable set o f controls, selected
through the chosen risk management process and managed using an ISMS, including policies, processes,
procedures, organizational structures, so ftware and hardware to protect the identified in formation
assets. These controls need to be specified, implemented, monitored, reviewed and improved where
necessary, to ensure that the specific in formation security and business objectives o f the organization
are met. Relevant in formation security controls are expected to be seamlessly integrated with an
organization’s business processes.
4.2 .4 Management
Management involves activities to direct, control, and continually improve the organization within
appropriate structures. Management activities include the act, manner, or practice o f organizing,
handling, directing, supervising, and controlling resources. Management structures extend from one
person in a small organization to management hierarchies consisting o f many individuals in large
organizations.
In terms o f an ISMS, management involves the supervision and making o f decisions necessary to achieve
business objectives through the protection o f the organization’s in formation assets. Management o f
in formation security is expressed through the formulation and use o f in formation security policies,
procedures and guidelines, which are then applied throughout the organization by all individuals
associated with the organization.
Organizations need to identi fy and manage many activities in order to function e ffectively and
e fficiently. Any activity using resources needs to be managed to enable the trans formation o f inputs into
outputs using a set o f interrelated or interacting activities; this is also known as a process. The output
from one process can directly form the input to another process and generally this trans formation
is carried out under planned and controlled conditions. The application o f a system o f processes
within an organization, together with the identification and interactions o f these processes, and their
management, can be re ferred to as a “process approach”.
Risks associated with an organization’s in formation assets need to be addressed. Achieving in formation
security requires the management o f risk, and encompasses risks from physical, human and technology
related threats associated with all forms o f in formation within or used by the organization.
The adoption o f an ISMS is expected to be a strategic decision for an organization and it is necessary
that this decision is seamlessly integrated, scaled and updated in accordance with the needs o f the
organization.
The design and implementation o f an organization’s ISMS is influenced by the needs and objectives o f the
organization, the security requirements, the business processes employed and the size and structure
o f the organization. The design and operation o f an ISMS needs to reflect the interests and in formation
security requirements o f all o f the organization’s stakeholders including customers, suppliers, business
partners, shareholders and other relevant third parties.
In an interconnected world, in formation and related processes, systems, and networks constitute critical
business assets. Organizations and their in formation systems and networks face security threats from
a wide range o f sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and
flood. Damage to in formation systems and networks caused by malicious code, computer hacking, and
denial o f service attacks have become more common, more ambitious, and increasingly sophisticated.
An ISMS is important to both public and private sector businesses. In any industry, an ISMS is an
enabler that supports e-business and is essential for risk management activities. The interconnection o f
public and private networks and the sharing o f in formation assets increase the di fficulty o f controlling
access to and handling o f in formation. In addition, the distribution o f mobile storage devices containing
in formation assets can weaken the e ffectiveness o f traditional controls. When organizations adopt
the ISMS family o f standards, the ability to apply consistent and mutually-recognizable in formation
security principles can be demonstrated to business partners and other interested parties.
In formation security is not always taken into account in the design and development o f in formation
systems. Further, in formation security is o ften thought o f as being a technical solution. However, the
in formation security that can be achieved through technical means is limited, and can be ine ffective
without being supported by appropriate management and procedures within the context o f an ISMS.
Integrating security into a functionally complete in formation system can be di fficult and costly. An ISMS
involves identi fying which controls are in place and requires care ful planning and attention to detail. As
an example, access controls, which can be technical (logical), physical, administrative (managerial) or a
combination, provide a means to ensure that access to in formation assets is authorized and restricted
based on the business and in formation security requirements.
The success ful adoption of an ISMS is important to protect in formation assets allowing an organization to:
a) achieve greater assurance that its in formation assets are adequately protected against threats on a
continual basis;
b) maintain a structured and comprehensive framework for identi fying and assessing in formation
security risks, selecting and applying applicable controls, and measuring and improving their
e ffectiveness;
c) continually improve its control environment; and
d) e ffectively achieve legal and regulatory compliance.
4.5 .1 Overview
An organization needs to undertake the following steps in establishing, monitoring, maintaining and
improving its ISMS:
a) identi fy in formation assets and their associated in formation security requirements (see 4.5.2);
b) assess in formation security risks (see 4.5.3) and treat in formation security risks (see 4.5.4);
c) select and implement relevant controls to manage unacceptable risks (see 4.5.5);
d) monitor, maintain and improve the e ffectiveness o f controls associated with the organization’s
in formation assets (see 4.5.6 ) .
To ensure the ISMS is e ffectively protecting the organization’s in formation assets on an ongoing
basis, it is necessary that steps a) to d) be continually repeated to identi fy changes in risks or in the
organization’s strategies or business objectives.
Within the overall strategy and business objectives o f the organization, its size and geographical spread,
in formation security requirements can be identified through an understanding o f the following:
a) identified in formation assets and their value;
b) business needs for in formation processing, storage and communication;
c) legal, regulatory, and contractual requirements.
Conducting a methodical assessment o f the risks associated with the organization’s in formation
assets involves analysing threats to in formation assets, vulnerabilities to and the likelihood o f a threat
M a nagi ng i n formation s e c u rity ri s ks re qui re s a s u itable ri s k as s e s s ment and ri s k tre atment me tho d
wh ich ca n i nclude an e s ti mation o f the co s ts and b enefits , lega l re qui rements , the concern s of
Ri s k a s s e s s ment shou ld identi fy, quanti fy, and prioriti ze ri s ks aga i n s t criteria for ri sk accep tance
and obj e c tive s relevant to the organ i z ation . T he re s u lts s hou ld gu ide and de term i ne the appropri ate
management ac tion a nd prioritie s for managi ng i n formation s e c u rity ri sks a nd for i mplementi ng
— the s ys tematic appro ach o f e s ti mati ng the magn itude o f ri s ks (ri s k ana lys i s) ; a nd
— the pro ce s s o f comp ari ng the e s ti mate d ri s ks agai n s t ri s k criteri a to de term i ne the s ign i fic ance o f
re qu i rements a nd i n the ri s k s ituation, for example i n the as s e ts , th re ats , vu l nerabi l itie s , i mp ac ts , the
ri sk eva luation, and when s ign i fic ant change s o cc u r. T he s e ri s k as s e s s ments s hou ld b e u nder ta ken i n a
me tho d ic a l man ner cap able o f pro duc i ng comp arable a nd repro duc ible re s u lts .
T he i n formation s e c u rity ri s k a s s e s s ment s hou ld h ave a cle arly defi ne d s cop e i n order to b e e ffe c tive
and s hou ld i nclude rel ation sh ip s with ri s k as s e s s ments i n o ther are as , i f appropri ate .
as s e s s ment, ri s k tre atment, ri s k accep tance, ri s k rep or ti ng , ri s k mon itori ng and ri s k review. E xample s
B e fore con s ideri ng the tre atment o f a ri s k, the organ i z ation s hou ld defi ne criteri a for de term i n i ng
i s low or that the co s t o f tre atment i s no t co s t- e ffe c ti ve for the orga n i z ation . Such de c i s ion s shou ld b e
recorded.
For e ach o f the ri s ks identi fie d fol lowi ng the ri sk as s e s s ment, a ri s k tre atment de c i s ion ne e d s to b e
made . Po s s ible op tion s for ri sk tre atment i nclude the fol lowi ng:
b) knowi ngly and obj e c tively accep ti ng ri s ks , provid i ng they cle a rly s ati s fy the organ i z ation’s p ol ic y
For tho s e ri s ks where the ri s k tre atment de ci s ion h as b e en to apply appropri ate control s , the s e control s
O nce i n formation s e c u rity re qui rements have b e en identi fie d (s e e 4. 5 . 2 ) , i n formation s e c u rity ri s ks to
the identi fie d i n formation as s e ts h ave b e en de term i ne d and a s s e s s e d (s e e 4. 5 . 3 ) a nd de c i s ion s for the
treatment o f in formation security risks have been made (see 4.5.4), then selection and implementation
o f controls for risk reduction apply.
Controls should ensure that risks are reduced to an acceptable level taking the following into account:
a) requirements and constraints o f national and international legislation and regulations;
b) organizational objectives;
c) operational requirements and constraints;
d) their cost o f implementation and operation in relation to the risks being reduced, and remaining
proportional to the organization’s requirements and constraints;
e) their objectives to monitor, evaluate and improve the e fficiency and e ffectiveness o f in formation
security controls to support the organization’s aims. The selection and implementation o f controls
should be documented within a statement o f applicability to assist with compliance requirements;
f ) the need to balance the investment in implementation and operation o f controls against the loss
likely to result from in formation security incidents.
The controls specified in ISO/IEC 27002 are acknowledged as best practices applicable to most
organizations and readily tailored to accommodate organizations o f various sizes and complexities.
Other standards in the ISMS family o f standards provide guidance on the selection and application o f
ISO/IEC 27002 controls for the ISMS.
In formation security controls should be considered at the systems and projects requirements
specification and design stage. Failure to do so can result in additional costs and less e ffective
solutions, and, in the worst case, inability to achieve adequate security. Controls can be selected from
ISO/IEC 27002 or from other control sets. Alternatively, new controls can be designed to meet the
specific needs o f the organization. It is necessary to recognize the possibility that some controls not
be applicable to every in formation system or environment, and not be practicable for all organizations.
Sometimes, implementing a chosen set o f controls takes time and, during that time, the level o f risk can
be higher than can be tolerated on a long-term basis. Risk criteria should cover tolerability o f risks on
a short-term basis while controls are being implemented. Interested parties should be in formed o f the
levels o f risk that are estimated or anticipated at di fferent points in time as controls are progressively
implemented.
It should be kept in mind that no set o f controls can achieve complete in formation security. Additional
management actions should be implemented to monitor, evaluate and improve the e fficiency and
e ffectiveness o f in formation security controls to support the organization’s aims.
The selection and implementation o f controls should be documented within a statement o f applicability
to assist with compliance requirements.
An organization needs to maintain and improve the ISMS through monitoring and assessing
per formance against organizational policies and objectives, and reporting the results to management
for review. This ISMS review checks that the ISMS includes specified controls that are suitable to treat
risks within the ISMS scope. Furthermore, based on the records o f these monitored areas, it provides
evidence o f verification and traceability o f corrective, preventive and improvement actions.
4.5 .7 Continual improvement
The aim o f continual improvement o f an ISMS is to increase the probability o f achieving objectives
concerning the preservation o f the confidentiality, availability and integrity o f in formation. The focus
o f continual improvement is seeking opportunities for improvement and not assuming that existing
management activities are good enough or as good as they can.
a) analysing and evaluating the existing situation to identi fy areas for improvement;
b) establishing the objectives for improvement;
c) searching for possible solutions to achieve the objectives;
d) evaluating these solutions and making a selection;
e) implementing the selected solution;
f ) measuring, veri fying, analysing and evaluating results o f the implementation to determine that the
objectives have been met;
g) ormalizing changes.
f
Results are reviewed, as necessary, to determine further opportunities for improvement. In this way,
improvement is a continual activity, i.e. actions are repeated frequently. Feedback from customers and
other interested parties, audits and review o f the in formation security management system can also be
used to identi fy opportunities for improvement.
A large number o f factors are critical to the success ful implementation o f an ISMS to allow an
organization to meet its business objectives. Examples o f critical success factors include the following:
a) in formation security policy, objectives, and activities aligned with objectives;
b) an approach and framework for designing, implementing, monitoring, maintaining, and improving
in formation security consistent with the organizational culture;
c) visible support and commitment from all levels o f management, especially top management;
d) an understanding o f in formation asset protection requirements achieved through the application
o f in formation security risk management (see ISO/IEC 27005);
e) an e ffective in formation security awareness, training and education programme, in forming all
employees and other relevant parties o f their in formation security obligations set forth in the
in formation security policies, standards, etc., and motivating them to act accordingly;
f ) an e ffective in formation security incident management process;
g) an e ffective business continuity management approach;
h) a measurement system used to evaluate per formance in in formation security management and
feedback suggestions for improvement.
An ISMS increases the likelihood o f an organization consistently achieving the critical success factors
required to protect its in formation assets.
4 . 7 B e n e fi ts o f th e I S M S f
a m i l y o f s ta n d a r d s
The benefits o f implementing an ISMS primarily result from a reduction in in formation security risks
(i.e. reducing the probability o f and/or impact caused by in formation security incidents). Specifically,
benefits realized for an organization to achieve sustainable success from the adoption o f the ISMS
family o f standards include the following:
a) a structured framework supporting the process o f speci fying, implementing, operating and
maintaining a comprehensive, cost-e ffective, value creating, integrated and aligned ISMS that
meets the organization’s needs across di fferent operations and sites;
b) a s s i s tance for management in con s i s tently ma nagi ng and op erati ng in a re s p on s ible man ner
thei r appro ach toward s i n formation s e c u rity ma nagement, with i n the contex t o f cor p orate ri sk
management and governance, i nclud i ng e duc ati ng and tra i n i ng bu s i ne s s and s ys tem owners on the
c) promo tion o f glob a l ly accep te d, go o d i n formation s e c urity prac tice s i n a non-pre s c rip tive man ner,
gi vi ng organ i z ation s the latitude to adop t and i mprove relevant control s that s uit thei r s p e c i fic
c i rc u m s tance s and to mai ntai n them i n the face o f i nterna l and e xterna l ch ange s;
d) provi s ion o f a com mon l anguage and concep tua l b as i s for i n formation s e c u rity, ma ki ng it e a s ier to
place con fidence i n bu s i ne s s p ar tners with a compl ia nt I S M S , e s p e c ia l ly i f they re qu i re cer ti fic ation
5 .1 General information
fo cused on:
— cer ti fic ation b o dy re qu i rements ( I S O/I EC 2 70 0 6 ) for tho s e cer ti fyi ng con for m ity with
I S O/I E C 2 70 01 ; a nd
— add itiona l re qu i rement framework for s e c tor- s p e ci fic i mplementation s o f the I S M S (I S O/I E C 2 70 0 9) .
Vocabulary standard -
Clause 5.2 27000
Requirement
standards - 27001 27006 27009
ISMS family of standards
Clause 5.3
Sector-speci?ic
guidelines standards - 27010 27011 27017 27018 27019
Clause 5.5
E ach o f the I S M S fa m i ly s tandard s i s de s crib e d b elow b y its typ e (or role) with i n the I S M S fam i ly of
wh ich form the s ubj e c t o f the I S M S fam i ly o f s tandard s and defi ne s relate d term s .
5 .3 .1 ISO/IEC 2 7001
Scope: T h i s do c ument s p e c i fie s the re qu i rements for e s tabl i sh i ng , i mplementi ng , op erati ng , mon itori n g ,
reviewi ng , mai ntai n i ng and i mprovi ng forma l i z e d i n formation s e c u rity management s ys tem s (I S M S )
with i n the conte xt o f the organ i z ation’s overa l l bu s i ne s s ri sks . It s p e ci fie s re qui rements for the
Purpose: ISO/IEC 27001 provides normative requirements for the development and operation o f
an ISMS, including a set o f controls for the control and mitigation o f the risks associated with the
in formation assets which the organization seeks to protect by operating its ISMS. Organizations
operating an ISMS may have its con formity audited and certified. The control objectives and controls
from ISO/IEC 27001:2013, Annex A shall be selected as part o f this ISMS process as appropriate to cover
the identified requirements. The control objectives and controls listed in ISO/IEC 27001:2013, Table A.1
are directly derived from and aligned with those listed in ISO/IEC 27002:2013, Clauses 5 to 18.
5 .3 .2 ISO/IEC 2 7006
In formation technology — Security techniques — Requirements for bodies providing audit and certification
of information security management systems
Scope: This document specifies requirements and provides guidance for bodies providing audit and
ISMS certification in accordance with ISO/IEC 27001, in addition to the requirements contained within
ISO/IEC 17021. It is primarily intended to support the accreditation o f certification bodies providing
ISMS certification according to ISO/IEC 27001.
The requirements contained in this document need to be demonstrated in terms o f competence and
reliability by anybody providing ISMS certification, and the guidance contained in this document
provides additional interpretation o f these requirements for anybody providing ISMS certification.
Purpose: ISO/IEC 27006 supplements ISO/IEC 17021 in providing the requirements by which
certification organizations are accredited, thus permitting these organizations to provide compliance
certifications consistently against the requirements set forth in ISO/IEC 27001.
5 .3 .3 ISO/IEC 2 7009
Scope: This document defines the requirements for the use o f ISO/IEC 27001 in any specific sector
(field, application area or market sector). It explains how to include requirements additional to those
in ISO/IEC 27001, how to refine any o f the ISO/IEC 27001 requirements, and how to include controls or
control sets in addition to ISO/IEC 27001:2013, Annex A.
Purpose: ISO/IEC 27009 ensures that additional or refined requirements are not in conflict with the
requirements in ISO/IEC 27001.
In formation technology — Security techniques — Code o f practice for in formation security controls
Scope: This document provides a list o f commonly accepted control objectives and best practice
controls to be used as implementation guidance when selecting and implementing controls for achieving
in formation security.
Purpose: ISO/IEC 27002 provides guidance on the implementation o f in formation security controls.
Specifically, Clauses 5 to 18 provide specific implementation advice and guidance on best practice in
support o f the controls specified in ISO/IEC 27001:2013, A.5 to A.18.
Scope: T h i s do c u ment provide s gu idel i ne s i ntende d to a s s i s t organ i z ation s to eva luate the i n formation
s e c u rity p er formance a nd the e ffe c tivene s s of the ISMS in order to fu l fi l the re qu i rements of
b) the mon itori ng and me a s urement o f the e ffe c tivene s s o f a n i n formation s e c u rity management
c) the ana lys i ng and the eva luati ng o f the re s u lts o f mon itori ng a nd me as u rement.
Scope: T h i s do c u ment provide s gu idel i ne s for i n formation s e c u rity ri s k management. T he appro ach
appro ach to assis t in s ati s fac tori ly i mplementi ng and fu l fi l l i ng the i n formation s e c u rity ri s k
Information technology — Security techniques — Guidelines for information security management systems
auditing
Scope: This do c ument provide s gu idance on conduc ti ng ISMS aud its , as wel l as guidance on the
comp e tence o f i n formation s e c urity ma nagement s ys tem aud itors , i n add ition to the gu idance contai ne d
ex terna l aud its o f an I S M S or to manage an I S M S aud it pro gra m me agai n s t the re qu i rements s p e c i fie d
in I S O/I E C 2 70 01 .
Information technology — Security techniques — Guidelines for auditors on information security controls
Scope: T h i s do c u ment provide s guidance on reviewi ng the i mplementation and op eration o f control s ,
i nclud i ng te ch n ic a l compl ia nce che cki ng of i n formation s ys tem control s , in compl i ance with an
Purpose: T hi s do cument provides a fo cus on reviews o f in formation s ecurity controls , including checking
o f technical compliance, agains t an in formation s ecurity implementation s tandard, which i s es tabli shed
by the organi z ation. It do es not intend to provide any s p eci fic guidance on compliance checking regarding
meas urement, risk as ses s ment or audit o f an I SM S as s p eci fied in I SO/I EC 2 70 0 4, I SO/I EC 2 70 05 or
I SO/I EC 2 70 07, res p ec tively. T hi s do cumentis not i ntended for management s ys tems audits .
Scope: This do c ument provide s guidance on the i ntegrate d i mplementation o f I S O/I E C 2 70 01 and
s p e c i fie d i n I S O/I E C 2 0 0 0 0 -1 .
I n prac tice, I S O/I E C 2 70 01 and I S O/I E C 2 0 0 0 0 -1 c a n a l s o b e i ntegrate d with o ther ma nagement s ys tem
s ta nda rd s , s uch as I S O 9 0 01 a nd I S O 14 0 01 .
Purpose: To provide organ i z ation s with a b e tter u nders tand i ng o f the ch arac teri s tics , s i m i l aritie s and
Scope: This do c u ment wi l l provide gu ida nce on pri nc iple s and pro ce s s e s for the governance of
i n formation s e c u rity, b y wh ich organ i z ation s c an eva luate, d i re c t a nd mon itor the management o f
i n formation s e c urity.
Purpose: I n formation s e c u rity h as b e come a key i s s ue for organ i z ation s . No t on ly a re there i ncre as i ng
governance re s p on s ibi l itie s , are i ncre a s i ngly re qu i re d to h ave overs ight o f i n formation s e c urity to
Scope: This do c u ment provide s a me tho dolo g y a l lowi ng organ i z ation s to b e tter u nders tand
e conom ic a l ly how to more acc u rately va lue thei r identi fie d i n formation a s s e ts , va lue the p o tenti a l
ri s ks to tho s e i n formation a s s e ts , appre ci ate the va lue that i n formation pro te c tion control s del iver to
i n formation a s s e ts .
Purpose: This do c u ment s upplements the ISMS fa m i ly o f s tanda rd s by overlayi ng an e conom ics
p ers p e c tive i n the pro te c tion o f an orga n i z ation’s i n formation as s e ts i n the conte xt o f the wider s o c ie ta l
envi ron ment i n wh ich an orga n i z ation op erate s and provid i ng guidance on how to apply orga n i z ationa l
Scope: T h i s do c u ment s p e c i fie s the re qu i rements o f comp e tence for I S M S pro fe s s iona l s le ad i ng or
i nvolve d i n e s tabl i sh i ng , i mplementi ng , ma i nta i ni ng and conti nua l ly i mprovi ng one or more i n formation
a) i nd ividua l s who wou ld l i ke to demon s trate thei r comp e tence a s i n formation s e c u rity ma nagement
b) organ i z ation s s e eki ng p o tentia l I S M S pro fe s s iona l c and idate s to defi ne the comp e tence re qu i re d
c) b o d ie s to develop cer ti fic ation for I S M S pro fe s s iona l s wh ich ne e d a b o dy o f knowle dge (B OK ) for
e xam i nation s ou rce s , and
d) organ i z ation s for e duc ation a nd trai n i ng , s uch as u n ivers itie s and vo c ationa l i n s titution s , to a l ign
thei r s yl l abu s e s a nd cou rs e s to the comp e tence re qu i rements for I S M S pro fe s s iona l s .
5 . 5 S ta n d a rd s d e s c r i b i n g s e c to r - s p e c i fi c g u i d e l i n e s
5 .5 .1 ISO/IEC 2 701 0
Information technology — Security techniques — Information security management for inter-sector and
inter-organizational communications
Scope: T his do c ument provide s gu idel i ne s in add ition to gu idance given in the I S O/I E C 2 70 0 0
fam i ly o f s tanda rd s for i mplementi ng i n formation s e c u rity ma nagement with i n i n formation sh ari ng
communities .
This do c u ment provide s control s a nd gu idance s p e ci fic a l ly rel ati ng to i n iti ati ng , i mplementi ng ,
mai ntai n i ng , and i mprovi ng i n formation s e c u rity in i nter- organ i z ationa l and i nter- s e c tor
com mu n ic ation s .
Purpose: T h i s do c u ment i s appl icable to a l l form s o f e xch ange a nd s hari ng o f s en s itive i n formation,
b o th publ ic a nd private, nationa l ly and i nternationa l ly, with i n the s a me i ndu s tr y or ma rke t s e c tor or
b e twe en s e c tors . I n p a r tic u l ar, it c an b e appl ic able to i n formation e xch ange s and sh ari ng rel ati ng to the
provi s ion, ma i ntenance a nd pro te c tion o f a n orga ni z ation’s or s tate’s c ritic a l i n fra s truc tu re .
5 .5 .2 ISO/IEC 2 701 1
In formation technology — Security techniques — Code o f practice for in formation security controls based
on ISO/IEC 27002 for telecommunications organizations
Scope: This do c ument provide s gu idel i ne s s upp or ti ng the i mplementation o f i n formation s e c u rity
Purpose: I S O/I E C 2 701 1 a l lows tele com mu n ic ation s organ i z ation s to me e t b as el i ne i n formation
s e c u rity ma nagement re qu i rements o f con fidentia l ity, i ntegrity, avai labi l ity and a ny o ther relevant
5 .5 .3 ISO/IEC 2 701 7
In formation technology — Security techniques — Code o f practice for in formation security controls based
on ISO/IEC 27002 for cloud services
Scope: I S O/I E C 2 7017 give s gu idel i ne s for i n formation s e c u rity control s appl ic able to the provi s ion a nd
— additional controls with implementation guidance that specifically relate to cloud services.
Purpose: This document provides controls and implementation guidance for both cloud service
providers and cloud service customers.
5 .5 .4 ISO/IEC 2 701 8
In formation technology — Security techniques — Code o f practice for protection o f personally identifiable
information (PII) in public clouds acting as PII processors
Scope: ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for
implementing measures to protect personally identifiable in formation (PII) in accordance with the
privacy principles in ISO/IEC 29100 for the public cloud computing environment.
Purpose: This document is applicable to organizations, including public and private companies,
government entities and not- for-profit organizations, which provide in formation processing services
as PII processors via cloud computing under contract to other organizations. The guidelines in this
document can also be relevant to organizations acting as PII controllers. However, it is possible that PII
controllers be subject to additional PII protection legislation, regulations and obligations, not applying
to PII processors, and these are not covered in this document.
5 .5 .5 ISO/IEC 2 701 9
Information technology — Security techniques — In formation security controls for the energy utility
industry
Scope: This document provides guidance based on ISO/IEC 27002:2013 applied to process control
systems used by the energy utility industry for controlling and monitoring the production or generation,
transmission, storage and distribution o f electric power, gas, oil and heat, and for the control o f
associated supporting processes. This includes in particular the following:
— central and distributed process control, monitoring and automation technology as well as
in formation systems used for their operation, such as programming and parameterization devices;
— digital controllers and automation components such as control and field devices or programmable
logic controllers (PLCs), including digital sensor and actuator elements;
— all further supporting in formation systems used in the process control domain, e.g. for supplementary
data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting
and documentation purposes;
— communication technology used in the process control domain, e.g. networks, telemetry, telecontrol
applications and remote control technology;
— advanced metering in frastructure (AMI) components, e.g. smart meters;
— measurement devices, e.g. for emission values;
— digital protection and sa fety systems, e.g. protection relays, sa fety PLCs, emergency governor
mechanisms;
— energy management systems, e.g. o f distributed energy resources (DER), electric charging
in frastructures, in private households, residential buildings or industrial customer installations;
— distributed components o f smart grid environments, e.g. in energy grids, in private households,
residential buildings or industrial customer installations;
— all so ftware, firmware and applications installed on above -mentioned systems, e.g. DMS (distribution
management system) applications or OMS (outage management system);
— any premises housing the above-mentioned equipment and systems;
Purpose: In addition to the security objectives and measures that are set forth in ISO/IEC 27002, this
document provides guidelines for systems used by energy utilities and energy suppliers on in formation
security controls which address further, special requirements.
5 .5 .6 ISO 2 7799
Scope: This document gives guidelines for organizational in formation security standards and
in formation security management practices including the selection, implementation and management
o f controls taking into consideration the organization’s in formation security risk environment(s).
This document provides implementation guidance for the controls described in ISO/IEC 27002
and supplements them where necessary, so that they can be e ffectively used for managing health
in formation security.
Purpose: ISO 27799 provides health organizations with an adaptation o f the ISO/IEC 27002 guidelines
unique to their industry sector which are additional to the guidance provided towards fulfilling the
requirements o f ISO/IEC 27001:2013, Annex A.
Bibliography
[3 ] Con formity assessment — Requirements for bodies providing audit and certification
I S O/ I E C 170 2 1 ,
of management systems
systems — Requirements
security controls
[2 2 ] I S O/I E C 2 7019, Information technology — Security techniques — Information security controls for