
Content of ISO27001 information security system

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. ISO27001: differences between the 2005 and 2013 versions

The Annex A control domains of the two versions map onto each other as follows (renumbered domains are shown on the same row; the Remarks column notes domains that were added or split in 2013):

ISO27001:2005 version | ISO27001:2013 version | Remarks
--- | --- | ---
A5 Security policy | A5 Security policy |
A6 Information security organization | A6 Information security organization |
A8 Human resources security | A7 Human resources security |
A7 Asset management | A8 Asset management |
A11 Access control | A9 Access control |
(none) | A10 Cryptography | Added in the 2013 version
A9 Physical and environmental security | A11 Physical and environmental security |
A10 Communications and operations management | A12 Operations security | Split out of the old A10
(see old A10 above) | A13 Communications security | Split out of the old A10
A12 Information systems acquisition, development and maintenance | A14 System acquisition, development and maintenance |
(none) | A15 Supplier relationships | Added in the 2013 version
A13 Information security incident management | A16 Information security incident management |
A14 Business continuity management | A17 Information security aspects of business continuity management |
A15 Compliance | A18 Compliance |

II. Content of the ISO27001:2013 version

The 2013 version has 14 control domains. For each domain, the control objective and the individual control measures are listed below.

A5 Security policy

A5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A5.1.1 Policies for information security: a set of information security policies shall be approved by management, published and communicated to all employees and relevant external parties.
A5.1.2 Review of the information security policies: the policies shall be reviewed at planned intervals or when significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

A6 Information security organization

A6.1 Internal Organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A6.1.1 Information security roles and responsibilities: all information security responsibilities within the organization shall be defined and allocated.
A6.1.2 Contact with authorities: appropriate contacts with the relevant regulators and authorities shall be maintained.
A6.1.3 Contact with special interest groups: appropriate contacts with special interest groups, other specialist security forums and professional or industry associations shall be maintained.
A6.1.4 Information security in project management: information security shall be addressed in project management, regardless of the type of project.
A6.1.5 Segregation of duties: conflicting duties and areas of responsibility shall be separated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

A6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and the use of mobile devices.

A6.2.1 Mobile device policy: a policy and supporting security measures shall be adopted to manage the risks introduced by the use of mobile devices.
A6.2.2 Teleworking: a policy and supporting security measures shall be implemented to protect information that is accessed, processed or stored at teleworking sites.

A7 Human resources security

A7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A7.1.1 Screening: background verification checks on all candidates for employment, contractors and third-party users shall be carried out in accordance with relevant laws, regulations and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
A7.1.2 Terms and conditions of employment: as part of their contractual obligations, employees and contractors shall agree to and sign the terms and conditions of their employment contract, which shall state their responsibilities and the organization's responsibilities for information security.

A7.2 During employment

Objective: To ensure that employees and external users are aware of and fulfil their information security responsibilities.

A7.2.1 Management responsibilities: management shall require employees, contractors and third-party users to apply security in accordance with the policies and procedures established by the organization.
A7.2.2 Information security awareness, education and training: all employees of the organization and, where relevant, contractors and third-party users shall receive appropriate awareness education and training, and regular updates on the organizational policies and procedures relevant to their job function.
A7.2.3 Disciplinary process: there shall be a formal and communicated disciplinary process for employees who have committed a security breach.

A7.3 Termination and change of employment

Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A7.3.1 Termination or change of employment responsibilities: information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or external party and enforced.

A8 Asset management

A8.1 Responsibility for assets

Objective: To achieve and maintain appropriate protection of organizational assets.

A8.1.1 Inventory of assets: assets associated with information and information processing facilities shall be identified, and an inventory of these assets shall be drawn up and maintained.
A8.1.2 Ownership of assets: assets maintained in the inventory shall have a designated owner (responsible person).
A8.1.3 Acceptable use of assets: rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A8.2.1 Classification of information: information shall be classified in terms of its value to the organization, legal requirements, sensitivity and criticality.
A8.2.2 Labelling of information: an appropriate set of procedures for labelling information shall be developed and implemented in accordance with the classification scheme adopted by the organization.
A8.2.3 Handling of assets: procedures for handling assets shall be developed and implemented in accordance with the classification scheme adopted by the organization.
A8.2.4 Return of assets: all employees and external users shall return all organizational assets in their possession upon termination of their employment, contract or agreement.

A8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A8.3.1 Management of removable media: procedures for the management of removable media shall be implemented in accordance with the classification scheme adopted by the organization.
A8.3.2 Disposal of media: media shall be disposed of securely and safely using formal procedures when no longer required.
A8.3.3 Physical media transfer: media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A9 Access control

A9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A9.1.1 Access control policy: an access control policy shall be established, documented and reviewed based on business and information security requirements.
A9.1.2 Access to networks and network services: users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A9.2.1 User registration and de-registration: a formal user registration and de-registration process shall be implemented to enable the assignment and revocation of access rights for all user types on all systems and services.
A9.2.2 Privilege management: the allocation and use of privileged access rights shall be restricted and controlled.
A9.2.3 Management of secret authentication information of users: the allocation of secret authentication information (such as passwords) shall be controlled through a formal management process.
A9.2.4 Review of user access rights: asset owners shall review users' access rights at regular intervals.
A9.2.5 Removal or adjustment of access rights: the access rights of all employees and external users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A9.3.1 Use of secret authentication information: users shall be required to follow the organization's practices in the use of secret authentication information.

A9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A9.4.1 Information access restriction: access to information and application system functions shall be restricted in accordance with the access control policy.
A9.4.2 Secure log-on procedures: where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
A9.4.3 Password management system: password management systems shall be interactive and shall ensure quality passwords.
A9.4.4 Use of privileged utility programs: the use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
A9.4.5 Access control to program source code: access to program source code shall be restricted.

A10 Cryptography

A10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information.

A10.1.1 Policy on the use of cryptographic controls: a policy on the use of cryptographic controls for the protection of information shall be developed and implemented.
A10.1.2 Key management: a policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole life cycle.

A11 Physical and environmental security

A11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization's sites, information and information processing facilities.

A11.1.1 Physical security perimeter: security perimeters shall be defined and used to protect areas that contain sensitive or critical information and information processing facilities.
A11.1.2 Physical entry controls: secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
A11.1.3 Securing offices, rooms and facilities: physical security for offices, rooms and facilities shall be designed and applied.
A11.1.4 Protecting against external and environmental threats: physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
A11.1.5 Working in secure areas: procedures for working in secure areas shall be designed and applied.
A11.1.6 Delivery and loading areas: access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A11.2.1 Equipment siting and protection: equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.
A11.2.2 Supporting utilities: equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A11.2.3 Cabling security: power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
A11.2.4 Equipment maintenance: equipment shall be correctly maintained to ensure its continued availability and integrity.
A11.2.5 Removal of assets: equipment, information or software shall not be taken off-site without prior authorization.
A11.2.6 Security of equipment and assets off-premises: security shall be applied to off-site assets, taking into account the different risks of working outside the organization's premises.
A11.2.7 Secure disposal or re-use of equipment: all items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
A11.2.8 Unattended user equipment: users shall ensure that unattended equipment has appropriate protection.
A11.2.9 Clear desk and clear screen policy: a clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities, shall be adopted.

A12 Operations security

A12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operation of information processing facilities.

A12.1.1 Documented operating procedures: operating procedures shall be documented and made available to all users who need them.
A12.1.2 Change management: changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
A12.1.3 Capacity management: the use of resources shall be monitored and tuned, and projections of future capacity requirements shall be made to ensure the required system performance.
A12.1.4 Separation of development, testing and operational environments: development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A12.2.1 Controls against malware: detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A12.3 Backup

Objective: To protect against loss of data.

A12.3.1 Information backup: backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.

A12.4 Logging and monitoring

Objective: To record events and generate evidence.

A12.4.1 Event logging: event logs recording user activities, exceptions, faults and information security events shall be produced, kept for an agreed period and regularly reviewed to support future investigations and access control monitoring.
A12.4.2 Protection of log information: logging facilities and log information shall be protected against tampering and unauthorized access.
A12.4.3 Administrator and operator logs: the activities of system administrators and system operators shall be logged, and the logs shall be protected and regularly reviewed.
A12.4.4 Clock synchronization: the clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single agreed reference time source.
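The four A12.4 controls can be made concrete in code. The following Python is an added example, not part of ISO 27001 or of the original page: a tamper-evident event log in which every entry carries a UTC timestamp (A12.4.4), the actor and action, and a flag for administrator activity (A12.4.3), and in which each entry is chained to its predecessor by a SHA-256 hash so that editing or deleting an earlier record is detectable on review (A12.4.2). The class `EventLog`, the functions `verify_chain`, `privileged_actions` and `clock_anomalies`, and the sample records in `build_sample_log` are all constructed for this illustration.

```python
"""Tamper-evident event log illustrating the ISO 27001:2013 A12.4 controls.

Example code written for this page; not part of the standard. Each entry
is chained to the previous one by SHA-256 so that modification or deletion
of an earlier entry breaks every later hash.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hash "before" the first entry; a constant so the chain has a fixed root.
GENESIS = "0" * 64


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so that the same record
    # always serializes, and therefore hashes, the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class EventLog:
    """Append-only log; entries are dicts carrying their own chain hash."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, outcome, privileged=False, ts=None):
        # A12.4.4: timestamps come from one clock source and are always UTC.
        # The ts parameter exists only so constructed sample data can be replayed.
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        record = {"ts": ts, "actor": actor, "action": action,
                  "outcome": outcome, "privileged": privileged}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**record, "hash": _digest(prev, record)})
        return self.entries[-1]


def verify_chain(entries):
    """Recompute the chain (A12.4.2).

    Returns (True, n) when all n entries are intact, or (False, i) where i is
    the index of the first entry whose stored hash does not match.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if _digest(prev, record) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, len(entries)


def privileged_actions(entries):
    """Entries a reviewer would inspect under A12.4.3: admin/operator activity."""
    return [e for e in entries if e["privileged"]]


def clock_anomalies(entries):
    """Indices whose timestamp runs backwards relative to the previous entry.

    With synchronized clocks (A12.4.4) an append-only log is monotonic, so a
    backwards step points at an unsynchronized host or a reordered record.
    ISO 8601 UTC strings of equal format compare correctly as strings.
    """
    return [i for i in range(1, len(entries))
            if entries[i]["ts"] < entries[i - 1]["ts"]]


def build_sample_log():
    """Constructed sample records (not real data) exercising the checks."""
    log = EventLog()
    log.append("alice", "login", "success", ts="2024-05-01T08:00:00+00:00")
    log.append("alice", "read:customer-db", "success", ts="2024-05-01T08:01:10+00:00")
    log.append("root", "useradd bob", "success", privileged=True,
               ts="2024-05-01T08:05:00+00:00")
    # Written by a host whose clock lags the others: earlier than the entry before it.
    log.append("bob", "login", "failure", ts="2024-05-01T08:04:30+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.entries))
    print("privileged entries:", [e["action"] for e in privileged_actions(log.entries)])
    print("clock anomalies at:", clock_anomalies(log.entries))
    log.entries[1]["outcome"] = "failure"   # simulate after-the-fact editing
    print("after tampering:", verify_chain(log.entries))
```

The hash chain only gives tamper evidence, not tamper resistance: a reviewer can tell that the log changed, but an attacker with write access to both the entries and the verifier could rebuild the chain. In practice the chain head (the latest hash) is copied to a separate, write-once location or a remote log collector at intervals, which is the usual way to satisfy A12.4.2 for logs stored on the same host they describe.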

A12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A12.5.1 Installation of software on operational systems: procedures shall be implemented to control the installation of software on operational systems.

A12.6 Technical vulnerability management

Objective: To prevent exploitation of published technical vulnerabilities.

A12.6.1 Management of technical vulnerabilities: information about technical vulnerabilities of the information systems in use shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures shall be taken to address the associated risk.
A12.6.2 Restrictions on software installation: rules governing the installation of software by users shall be established and implemented.

A12.7 Information systems audit considerations

Objective: To minimize the impact of audit activities on operational systems.

A12.7.1 Information systems audit controls: audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruption to business processes.

A13 Communications security

A13.1 Network security management

Objective: To ensure the protection of information in networks and of the supporting information processing facilities.

A13.1.1 Network controls: networks shall be managed and controlled to protect information in systems and applications.
A13.1.2 Security of network services: the security mechanisms, service levels and management requirements of all network services shall be identified and included in network service agreements, whether these services are provided in-house or outsourced.
A13.1.3 Segregation in networks: groups of information services, users and information systems shall be segregated on networks.

A13.2 Information transfer

Objective: To maintain the security of information transferred within the organization and with any external entity.

A13.2.1 Information transfer policies and procedures: formal transfer policies, procedures and controls shall be in place to protect the transfer of information through all types of communication facilities.
A13.2.2 Agreements on information transfer: agreements shall address the secure transfer of business information between the organization and external parties.
A13.2.3 Electronic messaging: information involved in electronic messaging shall be appropriately protected.
A13.2.4 Confidentiality or non-disclosure agreements: requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A14 System acquisition, development and maintenance

A14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire life cycle, including the requirements for systems that provide services over public networks.

A14.1.1 Information security requirements analysis and specification: information security requirements shall be included in the requirements for new information systems or enhancements to existing information systems, taking into account all relevant standards, the system life cycle, and whether the application is available over public networks.
A14.1.2 Securing application services on public networks: information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
A14.1.3 Protecting application service transactions: information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

A14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development life cycle of information systems.

A14.2.1 Secure development policy: rules for the development of software and systems shall be established and applied to developments within the organization.
A14.2.2 System change control procedures: changes to systems within the development life cycle shall be controlled by the use of formal change control procedures.
A14.2.3 Technical review of applications after operating platform changes: when operating platforms are changed, business-critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
A14.2.4 Restrictions on changes to software packages: modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
A14.2.5 Secure system engineering principles: principles for engineering secure systems shall be established, documented, maintained and applied to any information system development effort.
A14.2.6 Secure development environment: the organization shall establish and appropriately protect secure development environments for system development and integration efforts covering the entire system development life cycle.
A14.2.7 Outsourced development: the organization shall supervise and monitor the activity of outsourced system development.
A14.2.8 System security testing: testing of security functionality shall be carried out during development.
A14.2.9 System acceptance testing: acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A14.3 Test data

Objective: To ensure the protection of data used for testing.

A14.3.1 Protection of test data: test data shall be selected carefully, protected and controlled.

A15 Supplier relationships

A15.1 Information security in supplier relationships

Objective: To ensure protection of the organization's information and information processing facilities that are accessible by suppliers.

A15.1.1 Information security policy for supplier relationships: information security requirements for mitigating the risks associated with supplier access to the organization's information and information processing facilities shall be agreed with the supplier and documented.
A15.1.2 Addressing security within supplier agreements: all relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
A15.1.3 ICT supply chain: agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chains.

A15.2 Supplier service delivery management

Objective: To maintain the agreed level of information security and service delivery in line with supplier agreements.

A15.2.1 Monitoring and review of supplier services: the organization shall regularly monitor, review and audit supplier service delivery.
A15.2.2 Managing changes to supplier services: changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessing the risks.

A16 Information security incident management

A16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A16.1.1 Responsibilities and procedures: management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
A16.1.2 Reporting information security events: information security events shall be reported through appropriate management channels as quickly as possible.
A16.1.3 Reporting information security weaknesses: all employees and external personnel using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
A16.1.4 Assessment of and decision on information security events: information security events shall be assessed and it shall be decided whether they are to be classified as information security incidents.
A16.1.5 Response to information security incidents: information security incidents shall be responded to in accordance with the documented procedures.
A16.1.6 Learning from information security incidents: knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
A16.1.7 Collection of evidence: the organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

A17 Information security aspects of business continuity management

A17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity management (BCM), so that information stays protected at all times and adverse situations are anticipated.

A17.1.1 Planning information security continuity: the organization shall determine its requirements for information security and for the continuity of information security management in adverse situations, such as a crisis or disaster.
A17.1.2 Implementing information security continuity: the organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A17.1.3 Verify, review and evaluate information security continuity: the organization shall verify the information security continuity controls it has established and implemented at regular intervals, to ensure that they are valid and effective during adverse situations.

A17.2 Redundancies

Objective: To ensure the availability of information processing facilities.

A17.2.1 Availability of information processing facilities: information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A18 Compliance

A18.1 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organization's policies and procedures.

A18.1.1 Independent review of information security: the organization's approach to managing information security and its implementation (control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals, and also whenever significant changes to the security implementation occur.
A18.1.2 Compliance with security policies and standards: managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A18.1.3 Technical compliance review: information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

A18.2 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any security requirements.

A18.2.1 Identification of applicable legislation and contractual requirements: all relevant statutory, regulatory and contractual requirements, and the organization's approach to meeting them, shall be explicitly identified, documented and kept up to date for each information system and for the organization.
A18.2.2 Intellectual property rights (IPR): appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements when using material that is subject to intellectual property rights and proprietary software products.
A18.2.3 Protection of records: records (documented information) shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
A18.2.4 Privacy and protection of personally identifiable information: privacy and the protection of personal information shall be ensured as required by relevant laws, regulations and contractual clauses.
A18.2.5 Regulation of cryptographic controls: cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations.
