ISO_IEC_27001-2013信息安全管理体系要求

Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—RequirementsTechnologiesdel’information—Techniquesdesécurité—Systèmesdemanagementdelasécuritédel’information—Exigences©ISO/IEC2013INTERNATIONALSTANDARDISO/IEC27001Secondedition2013-10-01ReferencenumberISO/IEC27001:2013(E)ISO/IEC27001信息技术-安全技术-信息体系-要求Informationtechnology-Securitytechniques-Informationsecuritymanagementsystems-RequirementsISO/IEC27001:2013(E)iiiContentsPageForeword........................................................................................................................................................................................................................................ͳ0Introduction...............................................................................................................................................................................................................͵1Scope.................................................................................................................................................................................................................................ͷ2Normativereferences......................................................................................................................................................................................ͷ3 Terms and definitions.....................................................................................................................................................................................ͷ4Contextoftheorganization.......................................................................................................................................................................ͷ4.1Understandingtheorganizationanditscontext.......................................................................................................54.2Understandingtheneedsandexpectationsofinterestedparties..............................................................54.3Determiningthescopeoftheinformationsecuritymanagementsystem..........................................54.4Informationsecuritymanagementsystem.....................................................................................................................75Leadership..................................................................................................................................................................................................................75.1Leadershipandcommitment.....................................................................................................................................................75.2Policy...............................................................................................................................................................................................................75.3Organizationalroles,responsibilitiesandauthorities..........................................................................................96Planning.........................................................................................................................................................................................................................96.1Actionstoaddressrisksandopportunities...................................................................................................................96.2Informationsecurityobjectivesandplanningtoachievethem...................................................................137Support...........................................................................................................................................................................................................................137.1Resources.....................................................................................................................................................................................................137.2Competence...............................................................................................................................................................................................137.3Awareness...................................................................................................................................................................................................137.4Communication......................................................................................................................................................................................157.5Documentedinformation...............................................................................................................................................................158Operation.....................................................................................................................................................................................................................178.1Operationalplanningandcontrol..........................................................................................................................................178.2Informationsecurityriskassessment.................................................................................................................................178.3Informationsecurityrisktreatment....................................................................................................................................179Performanceevaluation...............................................................................................................................................................................179.1Monitoring,measurement,analysisandevaluation...............................................................................................179.2Internalaudit............................................................................................................................................................................................199.3Managementreview...........................................................................................................................................................................1910Improvement............................................................................................................................................................................................................2110.1Nonconformityandcorrectiveaction.................................................................................................................................2110.2Continualimprovement..................................................................................................................................................................21AnnexA(normative)Referencecontrolobjectivesandcontrols........................................................................................23Bibliography.............................................................................................................................................................................................................................49目次前言.............................................................................2引言............................................................................41范围................................................................................62规范性引用文件......................................................................63术语和定义..........................................................................64组织环境............................................................................65领导................................................................................86规划................................................................................107支持................................................................................148运行................................................................................189绩效评价............................................................................1810改进...............................................................................22附录A（规范性附录）参考控制目标和控制措施......................................24参考文献.............................................................................50ISO/IEC27001:2013(E)ForewordISO(theInternationalOrganizationforStandardization)andIEC(theInternationalElectrotechnicalCommission)formthespecializedsystemforworldwidestandardization.NationalbodiesthataremembersofISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnicalcommitteesestablishedbytherespectiveorganizationtodealwithparticularfieldsoftechnicalactivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationalorganizations,governmentalandnon-governmental,inliaisonwithISOandIEC,alsotakepartinthework.Inthefieldofinformationtechnology,ISOandIEChaveestablishedajointtechnicalcommittee,ISO/IECJTC1.InternationalStandardsaredraftedinaccordancewiththerulesgivenintheISO/IECDirectives,Part2.ThemaintaskofthejointtechnicalcommitteeistoprepareInternationalStandards.DraftInternationalStandardsadoptedbythejointtechnicalcommitteearecirculatedtonationalbodiesforvoting.PublicationasanInternationalStandardrequiresapprovalbyatleast75%ofthenationalbodiescastingavote.Attentionisdrawntothepossibilitythatsomeoftheelementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.ISO/IEC27001waspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnology,SubcommitteeSC27,ITSecuritytechniques.Thissecondeditioncancelsandreplacesthefirstedition(ISO/IEC27001:2005),whichhasbeentechnicallyrevised.1前言ISO（国际化组织）和IEC（国际电工委员会）是为国际标准化制定专门体制的国际组织。国家机构是ISO或IEC的成员，他们通过各自的组织建立技术委员会参与国际标准的制定，来处理特定领域的技术活动。ISO和IEC技术委员会在共同感兴趣的领域合作。其他国际组织、政府和非政府等机构，通过联络ISO和IEC参与这项工作。ISO和IEC已经在信息技术领域建立了一个联合技术委员会ISO/IECJTC1。国际标准的制定遵循ISO/IEC导则第2部分的规则。联合技术委员会的主要任务是起草国际标准，并将国际标准草案提交给国家机构投票表决。国际标准的出版发行必须至少75%以上的成员投票通过。本文件中的某些内容有可能涉及一些专利权问题，这一点应该引起注意。ISO和IEC不负责识别任何这样的专利权问题。ISO/IEC27001由联合技术委员会ISO/IECJTC1（信息技术）分委员会SC27（安全技术）起草。第二版进行了技术上的修订，并取消和替代第一版（ISO/IEC27001:2005）。2ISO/IEC27001:2013(E)0Introduction0.1GeneralThisInternationalStandardhasbeenpreparedtoproviderequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystem.Theadoptionofaninformationsecuritymanagementsystemisastrategicdecisionforanorganization.Theestablishmentandimplementationofanorganization’sinformationsecuritymanagementsystemisinfluencedbytheorganization’sneedsandobjectives,securityrequirements,theorganizationalprocessesusedandthesizeandstructureoftheorganization.Alloftheseinfluencingfactorsareexpectedtochangeovertime.Theinformationsecuritymanagementsystempreservestheconfidentiality,integrityandavailabilityofinformationbyapplyingariskmanagementprocessandgivesconfidencetointerestedpartiesthatrisksareadequatelymanaged.Itisimportantthattheinformationsecuritymanagementsystemispartofandintegratedwiththeorganization’sprocessesandoverallmanagementstructureandthatinformationsecurityisconsideredinthedesignofprocesses,informationsystems,andcontrols.Itisexpectedthataninformationsecuritymanagementsystemimplementationwillbescaledinaccordancewiththeneedsoftheorganization.ThisInternationalStandardcanbeusedbyinternalandexternalpartiestoassesstheorganization’sabilitytomeettheorganization’sowninformationsecurityrequirements.TheorderinwhichrequirementsarepresentedinthisInternationalStandarddoesnotreflecttheirimportanceorimplytheorderinwhichtheyaretobeimplemented.Thelistitemsareenumeratedforreferencepurposeonly.ISO/IEC27000describestheoverviewandthevocabularyofinformationsecuritymanagementsystems,referencingtheinformationsecuritymanagementsystemfamilyofstandards(includingISO/IEC27003[2],ISO/IEC27004[3]andISO/IEC27005[4]),withrelatedtermsanddefinitions.0.2CompatibilitywithothermanagementsystemstandardsThisInternationalStandardappliesthehigh-levelstructure,identicalsub-clausetitles,identicaltext,commonterms,andcoredefinitionsdefinedinAnnexSLofISO/IECDirectives,Part1,ConsolidatedISOSupplement,andthereforemaintainscompatibilitywithothermanagementsystemstandardsthathaveadoptedtheAnnexSL.ThiscommonapproachdefinedintheAnnexSLwillbeusefulforthoseorganizationsthatchoosetooperateasinglemanagementsystemthatmeetstherequirementsoftwoormoremanagementsystemstandards.3引言0.1总则本标准用于为建立、实施、保持和持续改进信息安全管理体系提供要求。采用信息安全管理体系是组织的一项战略性决策。一个组织信息安全管理体系的建立和实施受其需要和目标、安全要求、所采用的过程以及组织的规模和结构的影响。所有这些影响因素会不断发生变化。信息安全管理体系通过应用风险管理过程来保持信息的保密性、完整性和可用性，以充分管理风险并给予相关方信心。信息安全管理体系是组织过程和整体管理结构的一部分并与其整合在一起是非常重要的。信息安全在设计过程、信息系统、控制措施时就要考虑信息安全。按照组织的需要实施信息安全管理体系，是本标准所期望的。本标准可被内部和外部相关方使用，评估组织的能力是否满足组织自身信息安全要求。本标准中要求的顺序并不能反映他们的重要性或意味着他们的实施顺序。列举的条目仅用于参考目的。ISO/IEC27000描述了信息安全管理体系的概述和词汇，参考了信息安全管理体系标准族（包括ISO/IEC27003、ISO/IEC27004和ISO/IEC27005）以及相关的术语和定义。0.2与其他管理体系的兼容性本标准应用了ISO/IEC导则第一部分ISO补充部分附录SL中定义的高层结构、相同的子章节标题、相同文本、通用术语和核心定义。因此保持了与其它采用附录SL的管理体系标准的兼容性。附录SL定义的通用方法对那些选择运作单一管理体系（可同时满足两个或多个管理体系标准要求）的组织来说是十分有益的。4Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—Requirements1ScopeThisInternationalStandardspecifiestherequirementsforestablishing,implementing,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystemwithinthecontextoftheorganization.ThisInternationalStandardalsoincludesrequirementsfortheassessmentandtreatmentofinformationsecurityriskstailoredtotheneedsoftheorganization.TherequirementssetoutinthisInternationalStandardaregenericandareintendedtobeapplicabletoallorganizations,regardlessoftype,sizeornature.ExcludinganyoftherequirementsspecifiedinClauses4to10isnotacceptablewhenanorganizationclaimsconformitytothisInternationalStandard.2NormativereferencesThefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentandareindispensableforitsapplication.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendments)applies.ISO/IEC27000,Informationtechnology—Securitytechniques—Informationsecuritymanagementsystems—Overviewandvocabulary3 Terms and definitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000apply.4Contextoftheorganization4.1UnderstandingtheorganizationanditscontextTheorganizationshalldetermineexternalandinternalissuesthatarerelevanttoitspurposeandthataffectitsabilitytoachievetheintendedoutcome(s)ofitsinformationsecuritymanagementsystem.NOTEDeterminingtheseissuesreferstoestablishingtheexternalandinternalcontextoftheorganizationconsideredinClause5.3ofISO31000:2009[5].4.2UnderstandingtheneedsandexpectationsofinterestedpartiesTheorganizationshalldetermine:a)interestedpartiesthatarerelevanttotheinformationsecuritymanagementsystem;andb)therequirementsoftheseinterestedpartiesrelevanttoinformationsecurity.NOTETherequirementsofinterestedpartiesmayincludelegalandregulatoryrequirementsandcontractualobligations.4.3DeterminingthescopeoftheinformationsecuritymanagementsystemTheorganizationshalldeterminetheboundariesandapplicabilityoftheinformationsecuritymanagementsystemtoestablishitsscope.INTERNATIONALSTANDARDISO/IEC27001:2013(E5信息技术-安全技术-信息安全管理体系-要求1范围本标准从组织环境的角度，为建立、实施、运行、保持和持续改进信息安全管理体系规定了要求。本标准还规定了为适应组织需要而定制的信息安全风险评估和处置的要求。本标准规定的要求是通用的，适用于各种类型、规模和特性的组织。组织声称符合本标准时，对于第4章到第10章的要求不能删减。2规范性引用文件下列文件的全部或部分内容在本文件中进行了规范引用，对于其应用是必不可少的。凡是注日期的引用文件，只有引用的版本适用于本标准；凡是不注日期的引用文件，其最新版本（包括任何修改）适用于本标准。ISO/IEC27000，信息技术—安全技术—信息安全管理体系—概述和词汇3术语和定义ISO/IEC27000中的术语和定义适用于本标准。4组织环境4.1理解组织及其环境组织应确定与其目标相关并影响其实现信息安全管理体系预期结果的能力的外部和内部问题。注：确定这些问题涉及到建立组织的外部和内部环境，在ISO31000:2009[5]的5.3节考虑了这一事项。4.2理解相关方的需求和期望组织应确定：a)与信息安全管理体系有关的相关方；b)这些相关方与信息安全有关的要求注：相关方的要求可能包括法律法规要求和义务。4.3确定信息安全管理体系的范围组织应确定信息安全管理体系的边界和适用性，以建立其范围。6ISO/IEC27001:2013(E)Whendeterminingthisscope,theorganizationshallconsider:a)theexternalandinternalissuesreferredtoin4.1;b)therequirementsreferredtoin4.2;andc)interfacesanddependenciesbetweenactivitiesperformedbytheorganization,andthosethatareperformedbyotherorganizations.Thescopeshallbeavailableasdocumentedinformation.4.4InformationsecuritymanagementsystemTheorganizationshallestablish,implement,maintainandcontinuallyimproveaninformationsecuritymanagementsystem,inaccordancewiththerequirementsofthisInternationalStandard.5Leadership5.1LeadershipandcommitmentTopmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheinformationsecuritymanagementsystemby:a)ensuringtheinformationsecuritypolicyandtheinformationsecurityobjectivesareestablishedandarecompatiblewiththestrategicdirectionoftheorganization;b)ensuringtheintegrationoftheinformationsecuritymanagementsystemrequirementsintotheorganization’sprocesses;c)ensuringthattheresourcesneededfortheinformationsecuritymanagementsystemareavailable;d)communicatingtheimportanceofeffectiveinformationsecuritymanagementandofconformingtotheinformationsecuritymanagementsystemrequirements;e)ensuringthattheinformationsecuritymanagementsystemachievesitsintendedoutcome(s);f)directingandsupportingpersonstocontributetotheeffectivenessoftheinformationsecuritymanagementsystem;g)promotingcontinualimprovement;andh)supportingotherrelevantmanagementrolestodemonstratetheirleadershipasitappliestotheirareasofresponsibility.5.2PolicyTopmanagementshallestablishaninformationsecuritypolicythat:a)isappropriatetothepurposeoftheorganization;b)includesinformationsecurityobjectives(see6.2)orprovidestheframeworkforsettinginformationsecurityobjectives;c)includesacommitmenttosatisfyapplicablerequirementsrelatedtoinformationsecurity;andd)includesacommitmenttocontinualimprovementoftheinformationsecuritymanagementsystem.Theinformationsecuritypolicyshall:e)beavailableasdocumentedinformation;7当确定该范围时，组织应考虑：a)在4.1中提及的外部和内部问题；b)在4.2中提及的要求；c)组织所执行的活动之间以及与其它组织的活动之间的接口和依赖性范围应文件化并保持可用性。4.4信息安全管理体系组织应按照本标准的要求建立、实施、保持和持续改进信息安全管理体系。5领导5.1领导和承诺高层管理者应通过下列方式展示其关于信息安全管理体系的领导力和承诺：a)确保建立信息安全方针和信息安全目标，并与组织的战略方向保持一致；b)确保将信息安全管理体系要求整合到组织的业务过程中；c)确保信息安全管理体系所需资源可用；d)传达信息安全管理有效实施、符合信息安全管理体系要求的重要性；e)确保信息安全管理体系实现其预期结果；f)指挥并支持人员为信息安全管理体系的有效实施作出贡献；g)促进持续改进；h)支持其他相关管理角色在其职责范围内展示他们的领导力。5.2方针高层管理者应建立信息安全方针，以：a)适于组织的目标；b)包含信息安全目标（见6.2）或设置信息安全目标提供框架；c)包含满足适用的信息安全相关要求的承诺；d)包含信息安全管理体系持续改进的承诺。信息安全方针应：e)文件化并保持可用性；8ISO/IEC27001:2013(E)f)becommunicatedwithintheorganization;andg)beavailabletointerestedparties,asappropriate.5.3Organizationalroles,responsibilitiesandauthoritiesTopmanagementshallensurethattheresponsibilitiesandauthoritiesforrolesrelevanttoinformationsecurityareassignedandcommunicated.Topmanagementshallassigntheresponsibilityandauthorityfor:a)ensuringthattheinformationsecuritymanagementsystemconformstotherequirementsofthisInternationalStandard;andb)reportingontheperformanceoftheinformationsecuritymanagementsystemtotopmanagement.NOTETopmanagementmayalsoassignresponsibilitiesandauthoritiesforreportingperformanceoftheinformationsecuritymanagementsystemwithintheorganization.6Planning6.1Actionstoaddressrisksandopportunities6.1.1GeneralWhenplanningfortheinformationsecuritymanagementsystem,theorganizationshallconsidertheissuesreferredtoin4.1andtherequirementsreferredtoin4.2anddeterminetherisksandopportunitiesthatneedtobeaddressedto:a)ensuretheinformationsecuritymanagementsystemcanachieveitsintendedoutcome(s);b)prevent,orreduce,undesiredeffects;andc)achievecontinualimprovement.Theorganizationshallplan:d)actionstoaddresstheserisksandopportunities;ande)howto1)integrateandimplementtheactionsintoitsinformationsecuritymanagementsystemprocesses;and2)evaluatetheeffectivenessoftheseactions.6.1.2InformationsecurityriskassessmentTheorganizationshalldefineandapplyaninformationsecurityriskassessmentprocessthat:a)establishesandmaintainsinformationsecurityriskcriteriathatinclude:1)theriskacceptancecriteria;and2)criteriaforperforminginformationsecurityriskassessments;b)ensuresthatrepeatedinformationsecurityriskassessmentsproduceconsistent,validandcomparableresults;9f)在组织内部进行传达；g)适当时，对