Information Technology — Security Techniques — Information .

Transcription

INTERNATIONALSTANDARDISO/IEC27000Fifth edition2018-02Information technology — Securitytechniques — Information securitymanagement systems — Overview andvocabularyTechnologies de l'information — Techniques de sécurité — Systèmesde management de la sécurité de l'information — Vue d'ensemble etvocabulaireReference numberISO/IEC 27000:2018(E) ISO/IEC 2018

ISO/IEC 27000:2018(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2018All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication maybe reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or postingon the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the addressbelow or ISO’s member body in the country of the requester.ISO copyright officeCP 401 Ch. de Blandonnet 8CH-1214 Vernier, Geneva, SwitzerlandTel. 41 22 749 01 11Fax 41 22 749 09 47copyright@iso.orgwww.iso.orgPublished in Switzerlandii ISO/IEC 2018 – All rights reserved

ISO/IEC 27000:2018(E) Contents PageForeword. ivIntroduction.v12345Scope. 1Normative references. 1Terms and definitions. 1Information security management systems.114.1General. 114.2What is an ISMS?. 114.2.1Overview and principles. 114.2.2Information. 124.2.3Information security. 124.2.4Management. 124.2.5Management system. 134.3Process approach. 134.4Why an ISMS is important. 134.5Establishing, monitoring, maintaining and improving an ISMS. 144.5.1Overview. 144.5.2Identifying information security requirements. 144.5.3Assessing information security risks. 154.5.4Treating information security risks. 154.5.5Selecting and implementing controls. 154.5.6Monitor, maintain and improve the effectiveness of the ISMS. 164.5.7Continual improvement. 164.6ISMS critical success factors. 174.7Benefits of the ISMS family of standards. 17ISMS family of standards.185.1General information. 185.2Standard describing an overview and terminology: ISO/IEC 27000 (this document). 195.3Standards specifying requirements. 195.3.1ISO/IEC 27001. 195.3.2ISO/IEC 27006. 205.3.3ISO/IEC 27009. 205.4Standards describing general guidelines. 205.4.1ISO/IEC 27002. 205.4.2ISO/IEC 27003. 205.4.3ISO/IEC 27004. 215.4.4ISO/IEC 27005. 215.4.5ISO/IEC 27007. 215.4.6ISO/IEC TR 27008. 215.4.7ISO/IEC 27013. 225.4.8ISO/IEC 27014. 225.4.9ISO/IEC TR 27016. 225.4.10 ISO/IEC 27021. 225.5Standards describing sector-specific guidelines. 235.5.1ISO/IEC 27010. 235.5.2ISO/IEC 27011. 235.5.3ISO/IEC 27017. 235.5.4ISO/IEC 27018. 245.5.5ISO/IEC 27019. 245.5.6ISO 27799. 25Bibliography. 26 ISO/IEC 2018 – All rights reserved iii

ISO/IEC 27000:2018(E) ForewordISO (the International Organization for Standardization) is a worldwide federation of national standardsbodies (ISO member bodies). The work of preparing International Standards is normally carried outthrough ISO technical committees. Each member body interested in a subject for which a technicalcommittee has been established has the right to be represented on that committee. Internationalorganizations, governmental and non-governmental, in liaison with ISO, also take part in the work.ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters ofelectrotechnical standardization.The procedures used to develop this document and those intended for its further maintenance aredescribed in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for thedifferent types of ISO documents should be noted. This document was drafted in accordance with theeditorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).Attention is drawn to the possibility that some of the elements of this document may be the subject ofpatent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details ofany patent rights identified during the development of the document will be in the Introduction and/oron the ISO list of patent declarations received (see www .iso .org/ patents).Any trade name used in this document is information given for the convenience of users and does notconstitute an endorsement.For an explanation on the voluntary nature of standards, the meaning of ISO specific terms andexpressions related to conformity assessment, as well as information about ISO's adherence to theWorld Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the followingURL: www .iso .org/ iso/ foreword .html.This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, ITSecurity techniques.This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has beentechnically revised. The main changes compared to the previous edition are as follows:— the Introduction has been reworded;— some terms and definitions have been removed;— Clause 3 has been aligned on the high-level structure for MSS;— Clause 5 has been updated to reflect the changes in the standards concerned;— Annexes A and B have been deleted.iv ISO/IEC 2018 – All rights reserved

ISO/IEC 27000:2018(E) Introduction0.1   OverviewInternational Standards for management systems provide a model to follow in setting up andoperating a management system. This model incorporates the features on which experts in the fieldhave reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains anexpert committee dedicated to the development of international management systems standards forinformation security, otherwise known as the Information Security Management system (ISMS) familyof standards.Through the use of the ISMS family of standards, organizations can develop and implement a frameworkfor managing the security of their information assets, including financial information, intellectualproperty, and employee details, or information entrusted to them by customers or third parties. Thesestandards can also be used to prepare for an independent assessment of their ISMS applied to theprotection of information.0.2   Purpose of this documentThe ISMS family of standards includes standards that:a)define requirements for an ISMS and for those certifying such systems;c)address sector-specific guidelines for IS

ISO/IEC 27000:2018(E) 3.4 audit scope extent and boundaries of an audit (3.3) [SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.] 3.5