ISO IEC 27000-2016 Overview and vocabulary.pdf
Information technology – Security techniques – Information security management systems – Overview and vocabulary
Technologies de l'information – Techniques de sécurité – Systèmes de gestion de sécurité de l'information – Vue d'ensemble et vocabulaire

INTERNATIONAL STANDARD ISO/IEC 27000
Reference number ISO/IEC 27000:2016(E)
Fourth edition 2016-02-15
© ISO/IEC 2016

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents  Page
Foreword  v
0 Introduction  1
0.1 Overview  1
0.2 ISMS family of standards  1
0.3 Purpose of this International Standard  2
1 Scope  2
2 Terms and definitions  2
3 Information security management systems  14
3.1 General  14
3.2 What is an ISMS?  14
3.2.1 Overview and principles  14
3.2.2 Information  15
3.2.3 Information security  15
3.2.4 Management  15
3.2.5 Management system  16
3.3 Process approach  16
3.4 Why an ISMS is important  16
3.5 Establishing, monitoring, maintaining and improving an ISMS  17
3.5.1 Overview  17
3.5.2 Identifying information security requirements  17
3.5.3 Assessing information security risks  18
3.5.4 Treating information security risks  18
3.5.5 Selecting and implementing controls  18
3.5.6 Monitor, maintain and improve the effectiveness of the ISMS  19
3.5.7 Continual improvement  19
3.6 ISMS critical success factors  20
3.7 Benefits of the ISMS family of standards  20
4 ISMS family of standards  21
4.1 General information  21
4.2 Standards describing an overview and terminology  22
4.2.1 ISO/IEC 27000 (this International Standard)  22
4.3 Standards specifying requirements  22
4.3.1 ISO/IEC 27001  22
4.3.2 ISO/IEC 27006  22
4.4 Standards describing general guidelines  22
4.4.1 ISO/IEC 27002  22
4.4.2 ISO/IEC 27003  23
4.4.3 ISO/IEC 27004  23
4.4.4 ISO/IEC 27005  23
4.4.5 ISO/IEC 27007  23
4.4.6 ISO/IEC TR 27008  23
4.4.7 ISO/IEC 27013  24
4.4.8 ISO/IEC 27014  24
4.4.9 ISO/IEC TR 27016  24
4.5 Standards describing sector-specific guidelines  25
4.5.1 ISO/IEC 27010  25
4.5.2 ISO/IEC 27011  25
4.5.3 ISO/IEC TR 27015  25
4.5.4 ISO/IEC 27017  25
4.5.5 ISO/IEC 27018  26
4.5.6 ISO/IEC TR 27019  26
4.5.7 ISO 27799  26
Annex A (informative) Verbal forms for the expression of provisions  28
Annex B (informative) Term and term ownership  29
Bibliography  33
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword – Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.

This fourth edition cancels and replaces the third edition (ISO/IEC 27000:2014), which has been technically revised.

Information technology – Security techniques – Information security management systems – Overview and vocabulary

0 Introduction

0.1 Overview

International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.

0.2 ISMS family of standards

The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS and consists of the following International Standards, under the general title Information technology – Security techniques (given below in numerical order):
ISO/IEC 27000, Information security management systems – Overview and vocabulary
ISO/IEC 27001, Information security management systems – Requirements
ISO/IEC 27002, Code of practice for information security controls
ISO/IEC 27003, Information security management system implementation guidance
ISO/IEC 27004, Information security management – Measurement
ISO/IEC 27005, Information security risk management
ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007, Guidelines for information security management systems auditing
ISO/IEC TR 27008, Guidelines for auditors on information security controls
ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 – Requirements
ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27014, Governance of information security
ISO/IEC TR 27015, Information security management guidelines for financial services
ISO/IEC TR 27016, Information security management – Organizational economics
ISO/IEC 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC 27019, Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

NOTE The general title "Information technology – Security techniques" indicates that these International Standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards not under the same general title that are also part of the ISMS family of standards are as follows:
ISO 27799, Health informatics – Information security management in health using ISO/IEC 27002

0.3 Purpose of this International Standard

This International Standard provides an overview of information security management systems and defines related terms.

NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that
a) define requirements for an ISMS and for those certifying such systems,
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish, implement, maintain, and improve an ISMS,
c) address sector-specific guidelines for ISMS, and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard cover commonly used terms and definitions in the ISMS family of standards, do not cover all terms and definitions applied within the ISMS family of standards, and do not limit the ISMS family of standards in defining new terms for use.

1 Scope

This International Standard provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1 access control
means to ensure that access to assets is authorized and