Research on ISO/IEC27000 Series Standards

First, two terms:
ISO: the International Organization for Standardization, an international non-governmental organization in the field of standardization. ISO was established in 1947; China is a full member of ISO.
IEC: the International Electrotechnical Commission, established in 1906, is the world's earliest international electrotechnical standardization body, responsible for international standardization in the fields of electrical and electronic engineering.
Next, the main parts of the series and their Chinese national standard (GB/T) adoptions:
ISO/IEC 27000 Information security management systems - Overview and vocabulary, adopted as GB/T 29246—2012/ISO/IEC 27000:2009 "Information technology - Security techniques - Information security management systems - Overview and vocabulary"
ISO/IEC 27001 Information security management systems - Requirements, adopted as GB/T 22080—2016/ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements"
ISO/IEC 27002 Code of practice for information security controls (also translated as information security management practice rules), adopted as GB/T 22081—2016/ISO/IEC 27002:2013 "Information technology - Security techniques - Code of practice for information security controls"
ISO/IEC 27003 Information security management system implementation guidance
ISO/IEC 27004 Information security management - Measurement guidelines and metrics framework
ISO/IEC 27005 Information security risk management

ISO27001 is the main standard of the ISO27000 series. An organization can establish its own information security management system (ISMS) according to the requirements of ISO27001 and have it certified.
Let's look at ISO27001 in detail (based on ISO27001:2013).
The Annex A controls of ISO27001 are divided into 14 categories (A.5 to A.18), each with its own control objectives and controls.

A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A set of information security policies should be defined, approved by management, published and communicated to employees and relevant external parties.
A.5.1.2 Review of the information security policies
The information security policies should be reviewed at planned intervals or when significant changes occur to ensure their continued suitability, adequacy and effectiveness.

A.6 Organization of information security
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities
All information security responsibilities should be defined and assigned.
A.6.1.2 Segregation of duties
Conflicting duties and areas of responsibility should be segregated to reduce the opportunity for unauthorized or unintentional modification or misuse of the organization's assets.
A.6.1.3 Contact with authorities
Appropriate contact with relevant authorities should be maintained.
A.6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups, other specialist security forums or professional associations should be maintained.
A.6.1.5 Information security in project management
Information security should be addressed in project management, regardless of the type of project.
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
A policy and supporting security measures should be adopted to manage the risks introduced by the use of mobile devices.
A.6.2.2 Teleworking
A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.

A.7 Human resource security
A.7.1 Prior to employment
A.7.1.1 Screening
Background checks on employees, contract staff and contractors should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the type of information to be accessed and the perceived risks.
A.7.1.2 Terms and conditions of employment
The contractual agreements with employees and contractors should state their and the organization's responsibilities for information security.
A.7.2 During employment
A.7.2.1 Management responsibilities
Management should require all employees and contractors to apply information security in accordance with the organization's established policies and procedures.
A.7.2.2 Information security awareness, education and training
All employees of the organization and relevant contract staff and contractor personnel should receive appropriate awareness training and regular updates on the organizational policies and procedures relevant to their work.
A.7.2.3 Disciplinary process
A formal disciplinary process should be established and communicated, and applied to employees who have violated the security policy.
A.7.3 Termination or change of employment
A.7.3.1 Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to employees and contractors, and enforced.

A.8 Asset management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained.
A.8.1.2 Ownership of assets
Assets maintained in the inventory should have a designated owner.
A.8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.
A.8.1.4 Return of assets
All employees and external party users should return all organizational assets in their possession upon termination of their employment, contract or agreement.
A.8.2 Information classification
A.8.2.1 Classification of information
Information should be classified in terms of legal requirements, value, criticality and sensitivity, to protect it from unauthorized disclosure or modification.
A.8.2.2 Labelling of information
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the organization's information classification scheme.
A.8.2.3 Handling of assets
Procedures for handling assets should be developed and implemented in accordance with the organization's information classification scheme.
A.8.3 Media handling
A.8.3.1 Management of removable media
Procedures for the management of removable media should be implemented in accordance with the organization's classification scheme.
A.8.3.2 Disposal of media
Media should be disposed of securely when no longer required, using formal procedures.
A.8.3.3 Physical media transfer
Media containing information should be protected against unauthorized access, misuse or corruption during transportation.

A.9 Access control
A.9.1 Business requirements of access control
A.9.1.1 Access control policy
An access control policy should be established, documented and reviewed based on business and information security requirements.
A.9.1.2 Access to networks and network services
Users should only be provided with access to the networks and network services that they have been specifically authorized to use.
A.9.2 User access management
A.9.2.1 User registration and de-registration
A formal user registration and de-registration process should be implemented to enable the assignment of access rights.
A.9.2.2 User access provisioning
A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.
A.9.2.3 Management of privileged access rights
The allocation and use of privileged access rights should be restricted and controlled.
A.9.2.4 Management of secret authentication information of users
The allocation of secret authentication information should be controlled through a formal management process.
A.9.2.5 Review of user access rights
Asset owners should review users' access rights at regular intervals.
A.9.2.6 Removal or adjustment of access rights
The access rights of all employees and contractors to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information
Users should be required to follow the organization's practices in the use of secret authentication information.
A.9.4 System and application access control
A.9.4.1 Information access restriction
Access to information and application system functions should be restricted in accordance with the access control policy.
A.9.4.2 Secure log-on procedures
Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.
A.9.4.3 Password management system
Password management systems should be interactive and should ensure quality passwords.
A.9.4.4 Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.
A.9.4.5 Access control to program source code
Access to program source code should be restricted.

A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
A policy on the use of cryptographic controls for the protection of information should be developed and implemented.
A.10.1.2 Key management
A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter
Security perimeters should be defined and used to protect areas that contain sensitive or critical information and information processing facilities.
A.11.1.2 Physical entry controls
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
A.11.1.3 Securing offices, rooms and facilities
Physical security for offices, rooms and facilities should be designed and applied.
A.11.1.4 Protecting against external and environmental threats
Physical protection against natural disasters, malicious attack or accidents should be designed and applied.
A.11.1.5 Working in secure areas
Procedures for working in secure areas should be designed and applied.
A.11.1.6 Delivery and loading areas
Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
A.11.2 Equipment
A.11.2.1 Equipment siting and protection
Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.
A.11.2.2 Supporting utilities
Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
A.11.2.3 Cabling security
Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.
A.11.2.4 Equipment maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity.
A.11.2.5 Removal of assets
Equipment, information or software should not be taken off-site without prior authorization.
A.11.2.6 Security of equipment and assets off-premises
Security should be applied to off-site assets, taking into account the different risks of working outside the organization's premises.
A.11.2.7 Secure disposal or re-use of equipment
All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
A.11.2.8 Unattended user equipment
Users should ensure that unattended equipment has appropriate protection.
A.11.2.9 Clear desk and clear screen policy
A clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities, should be adopted.

A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
Operating procedures should be documented and made available to all users who need them.
A.12.1.2 Change management
Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.
A.12.1.3 Capacity management
The use of resources should be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.
A.12.1.4 Separation of development, testing and operational environments
Development, testing and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.
A.12.2 Protection from malware
A.12.2.1 Controls against malware
Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.
A.12.3 Backup
A.12.3.1 Information backup
Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.
A.12.4 Logging and monitoring
A.12.4.1 Event logging
Event logs recording user activities, exceptions and information security events should be produced, kept and regularly reviewed.
A.12.4.2 Protection of log information
Logging facilities and log information should be protected against tampering and unauthorized access.
A.12.4.3 Administrator and operator logs
System administrator and system operator activities should be logged, and the logs protected and regularly reviewed.
A.12.4.4 Clock synchronization
The clocks of all relevant information processing systems within an organization or security domain should be synchronized to a single reference time source.
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems
Procedures should be implemented to control the installation of software on operational systems.
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
Information about technical vulnerabilities of the information systems in use should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
A.12.6.2 Restrictions on software installation
Rules governing the installation of software by users should be established and implemented.
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls
Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruption to business processes.

A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls
Networks should be managed and controlled to protect information in systems and applications.
A.13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
A.13.1.3 Segregation in networks
Groups of information services, users and information systems should be segregated on networks.
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through all types of communication facilities.
A.13.2.2 Agreements on information transfer
Agreements should address the secure transfer of business information between the organization and external parties.
A.13.2.3 Electronic messaging
Information involved in electronic messaging should be appropriately protected.
A.13.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, regularly reviewed and documented.

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
Information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems.
A.14.1.2 Securing application services on public networks
Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
A.14.1.3 Protecting application services transactions
Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
Rules for the development of software and systems should be established and applied to developments within the organization.
A.14.2.2 System change control procedures
Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.
A.14.2.3 Technical review of applications after operating platform changes
When operating platforms are changed, business-critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
A.14.2.4 Restrictions on changes to software packages
Modifications to software packages should be discouraged, limited to necessary changes, and all changes should be strictly controlled.
A.14.2.5 Secure system engineering principles
Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment
The organization should establish and appropriately protect secure development environments for system development and integration efforts covering the entire system development lifecycle.
A.14.2.7 Outsourced development
The organization should supervise and monitor the activity of outsourced system development.
A.14.2.8 System security testing
Testing of security functionality should be carried out during development.
A.14.2.9 System acceptance testing
Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.
A.14.3 Test data
A.14.3.1 Protection of test data
Test data should be selected carefully, protected and controlled.

A.15 Supplier relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier access to the organization's assets should be agreed with the supplier and documented.
A.15.1.2 Addressing security within supplier agreements
All relevant information security requirements should be established and agreed with each supplier; for example, they may cover the supplier's access to, processing, storage and communication of the organization's information and IT infrastructure components.
A.15.1.3 Information and communication technology supply chain
Agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services
The organization should regularly monitor, review and audit supplier service delivery.
A.15.2.2 Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and the re-assessment of risks.

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.
A.16.1.2 Reporting information security events
Information security events should be reported through appropriate management channels as quickly as possible.
A.16.1.3 Reporting information security weaknesses
Employees and contractors using the organization's information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.
A.16.1.4 Assessment of and decision on information security events
Information security events should be assessed, and it should be decided whether they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents
Information security incidents should be responded to in accordance with the documented procedures.
A.16.1.6 Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.
A.16.1.7 Collection of evidence
The organization should define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
The organization should determine its requirements for information security and for the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity
The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A.17.1.3 Verify, review and evaluate information security continuity
The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
All relevant legislative, regulatory and contractual requirements, and the organization's approach to meeting them, should be explicitly identified, documented and kept up to date for each information system and for the organization.
A.18.1.2 Intellectual property rights
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
A.18.1.3 Protection of records
Records should be protected from loss, destruction, unauthorized access, unauthorized release, falsification and tampering, in accordance with legislative, regulatory, contractual and business requirements.
A.18.1.4 Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information should be ensured as required by applicable legislation and regulation.
A.18.1.5 Regulation of cryptographic controls
Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.
A.18.2 Information security reviews
A.18.2.1 Independent review of information security
The organization's approach to managing information security and its implementation (e.g. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently.
A.18.2.2 Compliance with security policies and standards
Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A.18.2.3 Technical compliance review
Information systems should be regularly reviewed for compliance with the organization's information security policies and standards.

Origin blog.csdn.net/qq_38989921/article/details/112792056