INTERNATIONAL ISO/IEC STANDARD 27002 - Kok.kz


INTERNATIONAL STANDARD ISO/IEC 27002
First edition 2005-06-15

Information technology — Security techniques — Code of practice for information security management

Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour la gestion de la sécurité de l'information

Reference number ISO/IEC 27002:2005(E)
© ISO/IEC 2005

ISO/IEC 27002:2005(E)

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

ii © ISO/IEC 2005 – All rights reserved

ISO/IEC 27002:2005(E)

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC 27002 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002. ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007 are provisionally retained until publication of the second edition of ISO/IEC 27002.

INTERNATIONAL STANDARD ISO/IEC 17799:2005
TECHNICAL CORRIGENDUM 1
Published 2007-07-01

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION • МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОМИССИЯ • COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology — Security techniques — Code of practice for information security management
TECHNICAL CORRIGENDUM 1

Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour la gestion de la sécurité de l'information
RECTIFICATIF TECHNIQUE 1

Technical Corrigendum 1 to ISO/IEC 17799:2005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Throughout the document:

Replace “17799” with “27002”.

ICS 35.040
© ISO/IEC 2007 – All rights reserved
Published in Switzerland
Ref. No. ISO/IEC 17799:2005/Cor.1:2007(E)

INTERNATIONAL STANDARD ISO/IEC 17799
Second edition 2005-06-15

Information technology — Security techniques — Code of practice for information security management

Technologies de l'information — Techniques de sécurité — Code de pratique pour la gestion de sécurité d'information

Reference number ISO/IEC 17799:2005(E)
© ISO/IEC 2005


ISO/IEC 17799:2005(E)

Contents

Foreword ..... vii
0 INTRODUCTION ..... viii
0.1 What is information security? ..... viii
0.2 Why information security is needed? ..... viii
0.3 How to establish security requirements ..... ix
0.4 Assessing security risks ..... ix
0.5 Selecting controls ..... ix
0.6 Information security starting point ..... ix
0.7 Critical success factors ..... x
0.8 Developing your own guidelines ..... xi
1 SCOPE ..... 1
2 TERMS AND DEFINITIONS ..... 1
3 STRUCTURE OF THIS STANDARD ..... 4
3.1 Clauses ..... 4
3.2 Main security categories ..... 4
4 RISK ASSESSMENT AND TREATMENT ..... 5
4.1 Assessing security risks ..... 5
4.2 Treating security risks ..... 5
5 SECURITY POLICY ..... 7
5.1 Information security policy ..... 7
5.1.1 Information security policy document ..... 7
5.1.2 Review of the information security policy ..... 8
6 ORGANIZATION OF INFORMATION SECURITY ..... 9
6.1 Internal organization ..... 9
6.1.1 Management commitment to information security ..... 9
6.1.2 Information security co-ordination ..... 10
6.1.3 Allocation of information security responsibilities ..... 10
6.1.4 Authorization process for information processing facilities ..... 11
6.1.5 Confidentiality agreements ..... 11
6.1.6 Contact with authorities ..... 12
6.1.7 Contact with special interest groups ..... 12
6.1.8 Independent review of information security ..... 13
6.2 External parties ..... 14
6.2.1 Identification of risks related to external parties ..... 14
6.2.2 Addressing security when dealing with customers ..... 15
6.2.3 Addressing security in third party agreements ..... 16
7 ASSET MANAGEMENT ..... 19
7.1 Responsibility for assets ..... 19
7.1.1 Inventory of assets ..... 19
7.1.2 Ownership of assets ..... 20
7.1.3 Acceptable use of assets ..... 20
7.2 Information classification ..... 21
7.2.1 Classification guidelines ..... 21
7.2.2 Information labeling and handling ..... 21
8 HUMAN RESOURCES SECURITY ..... 23
8.1 Prior to employment ..... 23
8.1.1 Roles and responsibilities ..... 23
8.1.2 Screening ..... 23
8.1.3 Terms and conditions of employment ..... 24
8.2 During employment ..... 25
8.2.1 Management responsibilities ..... 25
8.2.2 Information security awareness, education, and training ..... 26
8.2.3 Disciplinary process ..... 26
8.3 Termination or change of employment ..... 27
8.3.1 Termination responsibilities ..... 27
8.3.2 Return of assets ..... 27
8.3.3 Removal of access rights ..... 28
9 PHYSICAL AND ENVIRONMENTAL SECURITY ..... 29
9.1 Secure areas ..... 29
9.1.1 Physical security perimeter ..... 29
9.1.2 Physical entry controls ..... 30
9.1.3 Securing offices, rooms, and facilities ..... 30
9.1.4 Protecting against external and environmental threats ..... 31
9.1.5 Working in secure areas ..... 31
9.1.6 Public access, delivery, and loading areas ..... 32
9.2 Equipment security ..... 32
9.2.1 Equipment siting and protection ..... 32
9.2.2 Supporting utilities ..... 33
9.2.3 Cabling security ..... 34
9.2.4 Equipment maintenance ..... 34
9.2.5 Security of equipment off-premises ..... 35
9.2.6 Secure disposal or re-use of equipment ..... 35
9.2.7 Removal of property ..... 36
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT ..... 37
10.1 Operational procedures and responsibilities ..... 37
10.1.1 Documented operating procedures ..... 37
10.1.2 Change management ..... 37
10.1.3 Segregation of duties ..... 38
10.1.4 Separation of development, test, and operational facilities ..... 38
10.2 Third party service delivery management ..... 39
10.2.1 Service delivery ..... 39
10.2.2 Monitoring and review of third party services ..... 40
10.2.3 Managing changes to third party services ..... 40
10.3 System planning and acceptance ..... 41
10.3.1 Capacity management ..... 41
10.3.2 System acceptance ..... 41
10.4 Protection against malicious and mobile code ..... 42
10.4.1 Controls against malicious code ..... 42
10.4.2 Controls against mobile code ..... 43
10.5 Back-up ..... 44
10.5.1 Information back-up ..... 44
10.6 Network security management ..... 45
10.6.1 Network controls ..... 45
10.6.2 Security of network services ..... 46
10.7 Media handling ..... 46
10.7.1 Management of removable media ..... 46
10.7.2 Disposal of media ..... 47
10.7.3 Information handling procedures ..... 47
10.7.4 Security of system documentation ..... 48
10.8 Exchange of information ..... 48
10.8.1 Information exchange policies and procedures ..... 49
10.8.2 Exchange agreements ..... 50
10.8.3 Physical media in transit ..... 51
10.8.4 Electronic messaging ..... 52
10.8.5 Business information systems ..... 52
10.9 Electronic commerce services ..... 53
10.9.1 Electronic commerce ..... 53
10.9.2 On-line transactions ..... 54
10.9.3 Publicly available information ..... 55
10.10 Monitoring ..... 55
10.10.1 Audit logging ..... 55
10.10.2 Monitoring system use ..... 56
10.10.3 Protection of log information ..... 57
10.10.4 Administrator and operator logs ..... 58
10.10.5 Fault logging ..... 58
10.10.6 Clock synchronization ..... 58
11 ACCESS CONTROL ..... 60
11.1 Business requirement for access control ..... 60
11.1.1 Access control policy ..... 60
11.2 User access management ..... 61
11.2.1 User registration ..... 61
11.2.2 Privilege management ..... 62
11.2.3 User password management ..... 62
11.2.4 Review of user access rights ..... 63
11.3 User responsibilities ..... 63
11.3.1 Password use ..... 64
11.3.2 Unattended user equipment ..... 64
11.3.3 Clear desk and clear screen policy ..... 65
11.4 Network access control ..... 65
11.4.1 Policy on use of network services ..... 66
11.4.2 User authentication for external connections ..... 66
11.4.3 Equipment identification in networks ..... 67
11.4.4 Remote diagnostic and configuration port protection ..... 67
11.4.5 Segregation in networks ..... 68
11.4.6 Network connection control ..... 68
11.4.7 Network routing control ..... 69
11.5 Operating system access control ..... 69
11.5.1 Secure log-on procedures ..... 69
11.5.2 User identification and authentication ..... 70
11.5.3 Password management system ..... 71
11.5.4 Use of system utilities ..... 72
11.5.5 Session time-out ..... 72
11.5.6 Limitation of connection time ..... 72
11.6 Application and information access control ..... 73
11.6.1 Information access restriction ..... 73
11.6.2 Sensitive system isolation ..... 74
11.7 Mobile computing and teleworking ..... 74
11.7.1 Mobile computing and communications ..... 74
11.7.2 Teleworking ..... 75
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE ..... 77
12.1 Security requirements of information systems ..... 77
12.1.1 Security requirements analysis and specification ..... 77
12.2 Correct processing in applications ..... 78
12.2.1 Input data validation ..... 78
12.2.2 Control of internal processing ..... 78
12.2.3 Message integrity ..... 79
12.2.4 Output data validation ..... 79
12.3 Cryptographic controls ..... 80
12.3.1 Policy on the use of cryptographic controls ..... 80
12.3.2 Key management ..... 81
12.4 Security of system files ..... 83
12.4.1 Control of operational software ..... 83
12.4.2 Protection of system test data ..... 84
12.4.3 Access control to program source code ..... 84
12.5 Security in development and support processes ..... 85
12.5.1 Change control procedures .....
