ISO IEC 27002-2022Information security, cybersecurity and privacy protection — Information.pdf

《ISO IEC 27002-2022Information security, cybersecurity and privacy protection — Information.pdf》由会员分享，可在线阅读，更多相关《ISO IEC 27002-2022Information security, cybersecurity and privacy protection — Information.pdf（164页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、Information security,cybersecurity and privacy protection Information security controlsScurit de linformation,cyberscurit et protection de la vie prive Mesures de scurit de linformationINTERNATIONAL STANDARDISO/IEC 27002Third edition 2022-02Reference number ISO/IEC 27002:2022(E)ISO/IEC 2022iiISO/IEC

2、 27002:2022(E)COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2022All rights reserved.Unless otherwise specified,or required in the context of its implementation,no part of this publication may be reproduced or utilized otherwise in any form or by any means,electronic or mechanical,including photocopying,or po

3、sting on the internet or an intranet,without prior written permission.Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCP 401 Ch.de Blandonnet 8CH-1214 Vernier,GenevaPhone:+41 22 749 01 11Email:copyrightiso.orgWe

4、bsite:www.iso.orgPublished in Switzerland ISO/IEC 2022 All rights reserved-,-,-ISO/IEC 27002:2022(E)Foreword.viIntroduction.vii1 Scope.12 Normative references.13Terms,definitionsandabbreviatedterms.13.1 Terms and definitions.13.2 Abbreviated terms.64 Structure of this document.74.1 Clauses.74.2 Them

5、es and attributes.84.3 Control layout.95 Organizational controls.95.1 Policies for information security.95.2 Information security roles and responsibilities.115.3 Segregation of duties.125.4 Management responsibilities.135.5 Contact with authorities.145.6 Contact with special interest groups.155.7 T

6、hreat intelligence.155.8 Information security in project management.175.9 Inventory of information and other associated assets.185.10 Acceptable use of information and other associated assets.205.11 Return of assets.215.12 Classification of information.225.13 Labelling of information.235.14 Informat

7、ion transfer.245.15 Access control.275.16 Identity management.295.17 Authentication information.305.18 Access rights.325.19 Information security in supplier relationships.335.20 Addressing information security within supplier agreements.355.21 Managing information security in the ICT supply chain.37

8、5.22 Monitoring,review and change management of supplier services.395.23 Information security for use of cloud services.415.24 Information security incident management planning and preparation.435.25 Assessment and decision on information security events.445.26 Response to information security incid

9、ents.455.27 Learning from information security incidents.465.28 Collection of evidence.465.29 Information security during disruption.485.30 ICT readiness for business continuity.485.31 Legal,statutory,regulatory and contractual requirements.505.32 Intellectual property rights.515.33 Protection of re

10、cords.535.34 Privacy and protection of PII.545.35 Independent review of information security.555.36 Compliance with policies,rules and standards for information security.565.37 Documented operating procedures.576 People controls.586.1 Screening.586.2 Terms and conditions of employment.59iii ISO/IEC

11、2022 All rights reserved Contents Page-,-,-ISO/IEC 27002:2022(E)6.3 Information security awareness,education and training.606.4 Disciplinary process.626.5 Responsibilities after termination or change of employment.636.6 Confidentiality or non-disclosure agreements.636.7 Remote working.656.8 Informat

12、ion security event reporting.667 Physical controls.677.1 Physical security perimeters.677.2 Physical entry.687.3 Securing offices,rooms and facilities.707.4 Physical security monitoring.707.5 Protecting against physical and environmental threats.717.6 Working in secure areas.727.7 Clear desk and cle

13、ar screen.737.8 Equipment siting and protection.747.9 Security of assets off-premises.757.10 Storage media.767.11 Supporting utilities.777.12 Cabling security.787.13 Equipment maintenance.797.14 Secure disposal or re-use of equipment.808 Technological controls.818.1 User endpoint devices.818.2 Privi

14、leged access rights.838.3 Information access restriction.848.4 Access to source code.868.5 Secure authentication.878.6 Capacity management.898.7 Protection against malware.908.8 Management of technical vulnerabilities.928.9 Configuration management.958.10 Information deletion.978.11 Data masking.988

15、.12 Data leakage prevention.1008.13 Information backup.1018.14 Redundancy of information processing facilities.1028.15 Logging.1038.16 Monitoring activities.1068.17 Clock synchronization.1088.18 Use of privileged utility programs.1098.19 Installation of software on operational systems.1108.20 Networ

16、ks security.1118.21 Security of network services.1128.22 Segregation of networks.1138.23 Web filtering.1148.24 Use of cryptography.1158.25 Secure development life cycle.1178.26 Application security requirements.1188.27 Secure system architecture and engineering principles.1208.28 Secure coding.1228.

17、29 Security testing in development and acceptance.1248.30 Outsourced development.1268.31 Separation of development,test and production environments.1278.32 Change management.1288.33 Test information.1298.34 Protection of information systems during audit testing.130Annex A(informative)Using attribute

18、s.132iv ISO/IEC 2022 All rights reserved-,-,-ISO/IEC 27002:2022(E)Annex B(informative)Correspondence of ISO/IEC 27002:2022(this document)with ISO/IEC 27002:2013.143Bibliography.150v ISO/IEC 2022 All rights reserved -,-,-ISO/IEC 27002:2022(E)ForewordISO(the International Organization for Standardizat

19、ion)and IEC(the International Electrotechnical Commission)form the specialized system for worldwide standardization.National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal

20、 with particular fields of technical activity.ISO and IEC technical committees collaborate in fields of mutual interest.Other international organizations,governmental and non-governmental,in liaison with ISO and IEC,also take part in the work.The procedures used to develop this document and those in

21、tended for its further maintenance are described in the ISO/IEC Directives,Part 1.In particular,the different approval criteria needed for the different types of document should be noted.This document was drafted in accordance with the editorial rules of the ISO/IEC Directives,Part 2(see www.iso.org

22、/directives or www.iec.ch/members_experts/refdocs).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights.ISO and IEC shall not be held responsible for identifying any or all such patent rights.Details of any patent rights identified duri

23、ng the development of the document will be in the Introduction and/or on the ISO list of patent declarations received(see www.iso.org/patents)or the IEC list of patent declarations received(see patents.iec.ch).Any trade name used in this document is information given for the convenience of users and

24、 does not constitute an endorsement.For an explanation of the voluntary nature of standards,the meaning of ISO specific terms and expressions related to conformity assessment,as well as information about ISOs adherence to the World Trade Organization(WTO)principles in the Technical Barriers to Trade

25、(TBT)see www.iso.org/iso/foreword.html.In the IEC,see www.iec.ch/understanding-standards.This document was prepared by Joint Technical Committee ISO/IEC JTC 1,Information technology,Subcommittee SC 27,Information security,cybersecurity and privacy protection.This third edition cancels and replaces t

26、he second edition(ISO/IEC 27002:2013),which has been technically revised.It also incorporates the Technical Corrigenda ISO/IEC 27002:2013/Cor.1:2014 and ISO/IEC 27002:2013/Cor.2:2015.The main changes are as follows:the title has been modified;the structure of the document has been changed,presenting

27、 the controls using a simple taxonomy and associated attributes;some controls have been merged,some deleted and several new controls have been introduced.The complete correspondence can be found in Annex B.Any feedback or questions on this document should be directed to the users national standards

28、body.A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.vi ISO/IEC 2022 All rights reserved-,-,-ISO/IEC 27002:2022(E)Introduction0.1 Background and contextThis document is designed for organizations of all types and sizes.It is to be used a

29、s a reference for determining and implementing controls for information security risk treatment in an information security management system(ISMS)based on ISO/IEC 27001.It can also be used as a guidance document for organizations determining and implementing commonly accepted information security co

30、ntrols.Furthermore,this document is intended for use in developing industry and organization-specific information security management guidelines,taking into consideration their specific information security risk environment(s).Organizational or environment-specific controls other than those included

31、 in this document can be determined through risk assessment as necessary.Organizations of all types and sizes(including public and private sector,commercial and non-profit)create,collect,process,store,transmit and dispose of information in many forms,including electronic,physical and verbal(e.g.conv

32、ersations and presentations).The value of information goes beyond written words,numbers and images:knowledge,concepts,ideas and brands are examples of intangible forms of information.In an interconnected world,information and other associated assets deserve or require protection against various risk

33、 sources,whether natural,accidental or deliberate.Information security is achieved by implementing a suitable set of controls,including policies,rules,processes,procedures,organizational structures and software and hardware functions.To meet its specific security and business objectives,the organiza

34、tion should define,implement,monitor,review and improve these controls where necessary.An ISMS such as that specified in ISO/IEC 27001 takes a holistic,coordinated view of the organizations information security risks in order to determine and implement a comprehensive suite of information security c

35、ontrols within the overall framework of a coherent management system.Many information systems,including their management and operations,have not been designed to be secure in terms of an ISMS as specified in ISO/IEC 27001 and this document.The level of security that can be achieved only through tech

36、nological measures is limited and should be supported by appropriate management activities and organizational processes.Identifying which controls should be in place requires careful planning and attention to detail while carrying out risk treatment.A successful ISMS requires support from all person

37、nel in the organization.It can also require participation from other interested parties,such as shareholders or suppliers.Advice from subject matter experts can also be needed.A suitable,adequate and effective information security management system provides assurance to the organizations management

38、and other interested parties that their information and other associated assets are kept reasonably secure and protected against threats and harm,thereby enabling the organization to achieve the stated business objectives.0.2 Information security requirementsIt is essential that an organization dete

39、rmines its information security requirements.There are three main sources of information security requirements:a)the assessment of risks to the organization,taking into account the organizations overall business strategy and objectives.This can be facilitated or supported through an information secu

40、rity-specific risk assessment.This should result in the determination of the controls necessary to ensure that the residual risk to the organization meets its risk acceptance criteria;b)the legal,statutory,regulatory and contractual requirements that an organization and its interested parties(tradin

41、g partners,service providers,etc.)have to comply with and their socio-cultural environment;vii ISO/IEC 2022 All rights reserved ISO/IEC 27002:2022(E)c)the set of principles,objectives and business requirements for all the steps of the life cycle of information that an organization has developed to s

42、upport its operations.0.3 ControlsA control is defined as a measure that modifies or maintains risk.Some of the controls in this document are controls that modify risk,while others maintain risk.An information security policy,for example,can only maintain risk,whereas compliance with the information

43、 security policy can modify risk.Moreover,some controls describe the same generic measure in different risk contexts.This document provides a generic mixture of organizational,people,physical and technological information security controls derived from internationally recognized best practices.0.4 D

44、etermining controlsDetermining controls is dependent on the organizations decisions following a risk assessment,with a clearly defined scope.Decisions related to identified risks should be based on the criteria for risk acceptance,risk treatment options and the risk management approach applied by th

45、e organization.The determination of controls should also take into consideration all relevant national and international legislation and regulations.Control determination also depends on the manner in which controls interact with one another to provide defence in depth.The organization can design co

46、ntrols as required or identify them from any source.In specifying such controls,the organization should consider the resources and investment needed to implement and operate a control against the business value realized.See ISO/IEC TR 27016 for guidance on decisions regarding the investment in an IS

47、MS and the economic consequences of these decisions in the context of competing requirements for resources.There should be a balance between the resources deployed for implementing controls and the potential resulting business impact from security incidents in the absence of those controls.The resul

48、ts of a risk assessment should help guide and determine the appropriate management action,priorities for managing information security risks and for implementing controls determined necessary to protect against these risks.Some of the controls in this document can be considered as guiding principles

49、 for information security management and as being applicable for most organizations.More information about determining controls and other risk treatment options can be found in ISO/IEC 27005.0.5Developingorganization-specificguidelinesThis document can be regarded as a starting point for developing

50、organization-specific guidelines.Not all of the controls and guidance in this document can be applicable to all organizations.Additional controls and guidelines not included in this document can also be required to address the specific needs of the organization and the risks that have been identifie