
INTERNATIONAL ISO/IEC STANDARD 27002

Reference number ISO/IEC 27002:2005(E). ISO/IEC 2005. INTERNATIONAL STANDARD ISO/IEC 27002, first edition 2005-06-15. Information technology. Security techniques. Code of practice for information security management. (Technologies de l'information. Techniques de sécurité. Code de bonne pratique pour la gestion de la sécurité de l'information.) ISO/IEC 27002:2005(E). ISO/IEC 2005. All rights reserved.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.


Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC 27002 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002. ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007 are provisionally retained until publication of the second edition of ISO/IEC 27002.

ICS Ref. No. ISO/IEC 17799:2005/Cor.1:2007(E). ISO/IEC 2007. All rights reserved. Published in Switzerland.

INTERNATIONAL STANDARD ISO/IEC 17799:2005 TECHNICAL CORRIGENDUM 1. Published 2007-07-01.

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION / МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ / ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION / МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОМИССИЯ / COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology. Security techniques. Code of practice for information security management. TECHNICAL CORRIGENDUM 1. (Technologies de l'information. Techniques de sécurité. Code de bonne pratique pour la gestion de la sécurité de l'information. RECTIFICATIF TECHNIQUE 1.)

Technical Corrigendum 1 to ISO/IEC 17799:2005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Throughout the document: replace 17799 with 27002.

Please see the administrative notes on page iii. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation. In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.

Reference number ISO/IEC FDIS 17799:2005(E). ISO/IEC 2005. FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 17799. ISO/IEC JTC 1. Secretariat: ANSI. Voting begins on: 2005-02-11. Voting terminates on: 2005-04-11. Information technology. Security techniques. Code of practice for information security management. (Technologies de l'information. Techniques de sécurité. Code de pratique pour la gestion de sécurité d'information.) ISO/IEC FDIS 17799:2005(E). ISO/IEC 2005. All rights reserved.

Contents

(Page numbers and several heading endings were lost in transcription; headings are given as captured.)

0 INTRODUCTION
    What is information security?
    Why information security is needed?
    How to establish security requirements
    Assessing security risks
    Selecting
    Information security starting
    Critical success factors
    Developing your own guidelines
1
2 TERMS AND DEFINITIONS
3 STRUCTURE OF THIS
    Clauses
    Main security
4 RISK ASSESSMENT AND
    Assessing security risks
    Treating security
5 SECURITY POLICY
  INFORMATION SECURITY
    Information security policy document
    Review of the information security
6 ORGANIZING INFORMATION
  INTERNAL
    Management commitment to information
    Information security
    Allocation of information security
    Authorization process for information processing
    Confidentiality
    Contact with authorities
    Contact with special interest groups
    Independent review of information security
  EXTERNAL PARTIES
    Identification of risks related to external
    Addressing security when dealing with customers
    Addressing security in third party agreements
7 ASSET
  RESPONSIBILITY FOR
    Inventory of assets
    Ownership of
    Acceptable use of
  INFORMATION
    Classification
    Information labeling and
8 HUMAN RESOURCES
  PRIOR TO EMPLOYMENT
    Roles and
    Screening
    Terms and conditions of employment
  DURING EMPLOYMENT
    Management
    Information security awareness, education, and training
    Disciplinary
  TERMINATION OR CHANGE OF
    Termination responsibilities
    Return of
    Removal of access rights
9 PHYSICAL AND ENVIRONMENTAL SECURITY
  SECURE AREAS
    Physical security perimeter
    Physical entry controls
    Securing offices, rooms, and
    Protecting against external and environmental
    Working in secure
    Public access, delivery, and loading
  EQUIPMENT
    Equipment siting and
    Supporting utilities
    Cabling
    Equipment
    Security of equipment
    Secure disposal or re-use of
    Removal of property
10 COMMUNICATIONS AND OPERATIONS
  OPERATIONAL PROCEDURES AND RESPONSIBILITIES
    Documented operating
    Change management
    Segregation of duties
    Separation of development, test, and operational
  THIRD PARTY SERVICE DELIVERY MANAGEMENT
    Service
    Monitoring and review of third party
    Managing changes to third party
  SYSTEM PLANNING AND
    Capacity management
    System acceptance
  PROTECTION AGAINST MALICIOUS AND MOBILE
    Controls against malicious
    Controls against mobile code
  BACK-UP
    Information back-up
  NETWORK SECURITY
    Network
    Security of network services
  MEDIA HANDLING
    Management of removable
    Disposal of media
    Information handling
    Security of system
  EXCHANGE OF INFORMATION
    Information exchange policies and
    Exchange
    Physical media in transit
    Electronic
    Business information systems
  ELECTRONIC COMMERCE SERVICES
    Electronic commerce
    On-line
    Publicly available information
    Audit logging
    Monitoring system
    Protection of log information
    Administrator and operator logs
    Fault logging
    Clock synchronization
11 ACCESS CONTROL
  BUSINESS REQUIREMENT FOR ACCESS CONTROL
    Access control
  USER ACCESS
    User
    Privilege management
    User password
    Review of user access
  USER
    Password
    Unattended user equipment
    Clear desk and clear screen
  NETWORK ACCESS
    Policy on use of network
    User authentication for external
    Equipment identification in networks
    Remote diagnostic and configuration port protection
    Segregation in networks
    Network connection
    Network routing control
  OPERATING SYSTEM ACCESS
    Secure log-on
    User identification and authentication
    Password management
    Use of system utilities
    Session
    Limitation of connection time
  APPLICATION AND INFORMATION ACCESS CONTROL
    Information access restriction
    Sensitive system isolation
  MOBILE COMPUTING AND
    Mobile computing and
    Teleworking
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND
  SECURITY REQUIREMENTS OF INFORMATION
    Security requirements analysis and
  CORRECT PROCESSING IN APPLICATIONS
    Input data
    Control of internal
    Message
    Output data
  CRYPTOGRAPHIC CONTROLS
