SN ISO/IEC 27001:2013 en
Replaces: SN ISO/IEC 27001:2005
Edition: 2013-11
ICS Code: 35.040
Valid from: 2013-11-01
Information technology - Security techniques - Information security management systems - Requirements

In this Swiss standard ISO/IEC 27001:2013 is reprinted identically.
The standardization committee INB/NK 149 "Information technology" of the interdisciplinary sector is in charge of the present standard.
Editor and distribution: SNV Schweizerische Normen-Vereinigung, Bürglistrasse 29, CH-8400 Winterthur. © SNV
Further cover fields as printed (reference number, price class, number of pages): SN ISO/IEC 27001:2013 en, 0012, 23.

INTERNATIONAL STANDARD ISO/IEC 27001
Second edition 2013-10-01
Information technology — Security techniques — Information security management systems — Requirements
Reference number ISO/IEC 27001:2013(E)
© ISO/IEC 2013

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013 – All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Case postale 56, CH-1211 Geneva 20. Tel. +41 22 749 01 11, Fax +41 22 749 09 47, E-mail copyright@iso.org, Web www.iso.org. Published in Switzerland.

Contents
Foreword iv
0 Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Context of the organization 1
4.1 Understanding the organization and its context 1
4.2 Understanding the needs and expectations of interested parties 1
4.3 Determining the scope of the information security management system 1
4.4 Information security management system 2
5 Leadership 2
5.1 Leadership and commitment 2
5.2 Policy 2
5.3 Organizational roles, responsibilities and authorities 3
6 Planning 3
6.1 Actions to address risks and opportunities 3
6.2 Information security objectives and planning to achieve them 5
7 Support 5
7.1 Resources 5
7.2 Competence 5
7.3 Awareness 5
7.4 Communication 6
7.5 Documented information 6
8 Operation 7
8.1 Operational planning and control 7
8.2 Information security risk assessment 7
8.3 Information security risk treatment 7
9 Performance evaluation 7
9.1 Monitoring, measurement, analysis and evaluation 7
9.2 Internal audit 8
9.3 Management review 8
10 Improvement 9
10.1 Nonconformity and corrective action 9
10.2 Continual improvement 9
Annex A (normative) Reference control objectives and controls 10
Bibliography 23

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 27001:2005), which has been technically revised.

0 Introduction

0.1 General

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization's ability to meet the organization's own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0.2 Compatibility with other management system standards

This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards.

Information technology — Security techniques — Information security management systems — Requirements

1 Scope

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009[5].

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.

4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

The scope shall be available as documented information.

4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.

The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.

NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.

The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].

6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence