SIST EN ISO/IEC 27002:2017

SLOVENSKI SIST EN ISO/IEC 27002

STANDARD
maj 2017












Informacijska tehnologija – Varnostne tehnike – Pravila obnašanja pri
kontrolah informacijske varnosti (ISO/IEC 27002:2013, vključno s
popravkoma Cor 1:2014 in Cor 2:2015)

Information technology – Security techniques – Code of practice for information
security controls (ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015)

Technologies de l'information – Techniques de sécurité – Code de bonne pratique
pour le management de la sécurité de l'information (ISO/IEC 27002:2013 y compris
Cor 1:2014 et Cor 2:2015)

Informationstechnik – Sicherheitsverfahren – Leitfaden für Informationssicher-
heitsmaßnahmen (ISO/IEC 27002:2013 einschließlich Cor 1:2014 und Cor 2:2015)
















Referenčna oznaka
ICS 03.100.70; 35.030 SIST EN ISO/IEC 27002:2017 (sl)


Nadaljevanje na straneh II in od 1 do 88



© 2018-10. Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN ISO/IEC 27002 : 2017
NACIONALNI UVOD

Standard SIST EN ISO/IEC 27002 (sl, en), Informacijska tehnologija – Varnostne tehnike – Pravila
obnašanja pri kontrolah informacijske varnosti (ISO/IEC 27002:2013, vključno s popravkoma Cor 1:2014
in Cor 2:2015), 2017, ima status slovenskega standarda in je enakovreden evropskemu standardu EN
ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security
controls (ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015), 2017.

NACIONALNI PREDGOVOR

Besedilo standarda EN ISO/IEC 27002:2017 je pripravil združeni tehnični odbor Mednarodne
organizacije za standardizacijo (ISO) in Mednarodne elektrotehniške komisije (IEC) ISO/IEC JTC 1
Informacijska tehnologija. Slovenski standard SIST EN ISO/IEC 27002:2017 je prevod angleškega
besedila evropskega standarda EN ISO/IEC 27002:2017. V primeru spora glede besedila slovenskega
prevoda v tem standardu je odločilen izvirni evropski standard v angleškem jeziku. Slovensko-angleško
izdajo standarda je pripravil SIST/TC ITC Informacijska tehnologija.

Odločitev za privzem tega standarda je dne 25. marca 2017 sprejel SIST/TC ITC Informacijska
tehnologija.

OSNOVA ZA IZDAJO STANDARDA

– privzem standarda EN ISO/IEC 27002:2017

PREDHODNA IZDAJA

– SIST ISO/IEC 27002:2013, Informacijska tehnologija – Varnostne tehnike – Pravila obnašanja pri
kontrolah informacijske varnosti

OPOMBE

– Povsod, kjer se v besedilu standarda uporablja izraz "mednarodni standard", v SIST EN ISO/IEC
27002:2017 to pomeni “slovenski standard”.
– Nacionalni uvod in nacionalni predgovor nista sestavni del standarda.
– Ta nacionalni dokument je istoveten EN ISO/IEC 27002:2017 in je objavljen z dovoljenjem

CEN
Avenue Marnix 17
1050 Bruselj
Belgija

This national document is identical with EN ISO/IEC 27002:2017 and is published with the
permission of

CEN
Avenue Marnix 17
1050 Bruxelles
Belgium


II

---------------------- Page: 2 ----------------------

EVROPSKI STANDARD EN ISO/IEC 27002
EUROPEAN STANDARD
EUROPÄISCHE NORM
NORME EUROPÉENNE februar 2017


ICS: 03.100.70; 35.030




Slovenska izdaja

Informacijska tehnologija – Varnostne tehnike – Pravila obnašanja
pri kontrolah informacijske varnosti (ISO/IEC 27002:2013, vključno s
popravkoma Cor 1:2014 in Cor 2:2015)

Information technology – Security Technologies de l'information – Informationstechnik –
techniques – Code of practice for Techniques de sécurité – Code de Sicherheitsverfahren – Leitfaden für
information security controls bonne pratique pour le Informationssicher-
(ISO/IEC 27002:2013 including Cor management de la sécurité de heitsmaßnahmen (ISO/IEC
1:2014 and Cor 2:2015) l'information (ISO/IEC 27002:2013 27002:2013 einschließlich Cor
y compris Cor 1:2014 et Cor 1:2014 und Cor 2:2015)
2:2015)




Ta evropski standard je CEN sprejel 26. januarja 2017.
Člani CEN in CENELEC morajo izpolnjevati notranje predpise CEN/CENELEC, s katerimi je
predpisano, da mora biti ta standard brez kakršnih koli sprememb sprejet ko nacionalni standard.
Seznami najnovejših izdaj teh nacionalnih standardov in njihovi bibliografski podatki so na zahtevo na
voljo pri Upravnem centru CEN-CENELEC ali pri kateremkoli članu CEN in CENELEC.
Ta evropski standard obstaja v treh uradnih izdajah (angleški, francoski, nemški). Izdaje v drugih
jezikih, ki jih člani CEN in CENELEC na lastno odgovornost prevedejo in izdajo ter prijavijo pri
Upravnem centru CEN-CENELEC, veljajo kot uradne izdaje.
Člani CEN in CENELEC so nacionalni organi za standarde Avstrije, Belgije, Bolgarije, Cipra, Češke
republike, Danske, Estonije, Finske, Francije, Grčije, Hrvaške, Irske, Islandije, Italije, Latvije, Litve,
Luksemburga, Madžarske, Malte, Nekdanje jugoslovanske republike Makedonije, Nemčije,
Nizozemske, Norveške, Poljske, Portugalske, Romunije, Slovaške, Slovenije, Srbije, Španije,
Švedske, Švice, Turčije, in Združenega kraljestva.





CEN-CENELEC
Evropski komite za standardizacijo
European Committee for Standardization
Europäisches Komitee für Normung
Comité Européen de Normalisation

Upravni center CEN-CENELEC: Avenue Marnix 17, B-1000 Bruselj


© 2017. Lastnice avtorskih pravic so vse države članice CEN in CENELEC. Ref. oznaka: EN ISO/IEC 27002:2017 E

---------------------- Page: 3 ----------------------

SIST EN ISO/IEC 27002 : 2017
Vsebina Stran
Predgovor k evropskemu standardu .7
Predgovor k mednarodnemu standardu . 8
0 Uvod . 9
0.1 Ozadje in kontekst . 9
0.2 Zahteve informacijske varnosti . 9
0.3 Izbiranje kontrol . 10
0.4 Razvijanje lastnih smernic . 10
0.5 Razmisleki o življenjskem ciklu . 10
0.6 Sorodni standardi . 10
1 Področje uporabe . 11
2 Zveze s standardi . 11
3 Izrazi in definicije . 11
4 Struktura tega standarda . 11
4.1 Točke . 11
4.2 Kategorije kontrol . 11
5 Informacijske varnostne politike . 12
5.1 Usmeritev vodstva za informacijsko varnost . 12
5.1.1 Politike za informacijsko varnost . 12
5.1.2 Pregled politik za informacijsko varnost . 13
6 Organiziranje informacijske varnosti . 13
6.1 Notranja organizacija . 13
6.1.1 Vloge in odgovornosti na področju informacijske varnosti . 13
6.1.2 Razmejitev dolžnosti . 14
6.1.3 Stik s pristojnimi organi . 14
6.1.4 Stik s specifičnimi interesnimi skupinami . 15
6.1.5 Informacijska varnost v upravljanju projektov . 15
6.2 Mobilne naprave in delo na daljavo . 16
6.2.1 Politika na področju mobilnih naprav . 16
6.2.2 Delo na daljavo . 17
7 Varnost človeških virov . 18
7.1 Pred zaposlovanjem . 18
7.1.1 Preverjanje . 18
7.1.2 Določila in pogoji za zaposlitev . 19
7.2 Med zaposlitvijo . 20
7.2.1 Odgovornosti vodstva . 20
7.2.2 Ozaveščenost, izobraževanje in usposabljanje o informacijski varnosti . 20
7.2.3 Disciplinski proces . 21
7.3 Prekinitev ali sprememba zaposlitve . 22
7.3.1 Prekinitev ali sprememba zaposlitveniih odgovornosti . 22
8 Upravljanje dobrin . 22
8.1 Odgovornost za dobrine . 22
8.1.1 Popis dobrin . 22
8.1.2 Lastništvo nad dobrinami . 23
2

---------------------- Page: 4 ----------------------

SIST EN ISO/IEC 27002 : 2017
8.1.3 Sprejemljiva uporaba dobrin . 23
8.1.4 Vračilo dobrin . 24
8.2 Razvrstitev informacij . 24
8.2.1 Razvrstitev informacij . 24
8.2.2 Označevanje informacij . 25
8.2.3 Ravnanje z dobrinami . 25
8.3 Ravnanje z nosilci podatkov/informacij . 26
8.3.1 Upravljanje izmenljivih nosilcev podatkov/informacij. 26
8.3.2 Odstranjevanje nosilcev podatkov/informacij . 26
8.3.3 Prenos fizičnih nosilcev podatkov/informacij . 27
9 Nadzor dostopa . 28
9.1 Nadzor dostopa . 28
9.1.1 Politika nadzora dostopa . 28
9.1.2 Dostop do omrežij in omrežnih storitev . 29
9.2 Upravljanje uporabniškega dostopa . 29
9.2.1 Registracija in izbris registracije uporabnika . 29
9.2.2 Zagotavljanje dostopa uporabnikom . 30
9.2.3 Upravljanje posebnih pravic dostopa . 30
9.2.4 Upravljanje tajnih informacij uporabnikov za preverjanje verodostojnosti . 31
9.2.5 Pregled uporabniških pravic dostopa . 32
9.2.6 Preklic ali prilagoditev pravic dostopa . 32
9.3 Odgovornosti uporabnikov . 33
9.3.1 Uporaba tajnih informacij za preverjanje verodostojnosti . 33
9.4 Nadzor dostopa do sistemov in aplikacij . 34
9.4.1 Omejitev dostopa do informacij . 34
9.4.2 Varni postopki prijave . 34
9.4.3 Sistem upravljanja gesel . 35
9.4.4 Uporaba posebnih pomožnih programov . 35
9.4.5 Nadzor dostopa do programske izvorne kode . 36
10 Kriptografija . 37
10.1 Kriptografske kontrole . 37
10.1.1 Politika uporabe kriptografskih kontrol . 37
10.1.2 Upravljanje ključev . 38
11 Fizična in okoljska varnost . 39
11.1 Varovana območja . 39
11.1.1 Varovanje fizičnih meja območja . 39
11.1.2 Kontrole fizičnega vstopa . 40
11.1.3 Varovanje pisarn, sob in naprav . 40
11.1.4 Zaščita pred zunanjimi in okoljskimi grožnjami . 41
11.1.5 Delo na varovanih območjih . 41
11.1.6 Dostavne in nakladalne površine . 41
11.2 Oprema . 41
11.2.1 Namestitev in zaščita opreme . 42
11.2.2 Podporna oskrba . 42
3

---------------------- Page: 5 ----------------------

SIST EN ISO/IEC 27002 : 2017
11.2.3 Varnost ožičenja . 43
11.2.4 Vzdrževanje opreme . 43
11.2.5 Odstranitev dobrin . 43
11.2.6 Varnost opreme in dobrin zunaj prostorov organizacije . 44
11.2.7 Varna odstranitev ali ponovna uporaba opreme . 44
11.2.8 Nenadzorovana uporabniška oprema . 45
11.2.9 Politika čiste mize in praznega zaslona . 45
12 Varnost operacij . 46
12.1 Operativni postopki in odgovornosti . 46
12.1.1 Dokumentirani postopki delovanja . 46
12.1.2 Upravljanje sprememb . 47
12.1.3 Upravljanje zmogljivosti . 47
12.1.4 Ločevanje razvojnih, testnih in obratovalnih naprav . 48
12.2 Zaščita pred zlonamerno programsko opremo . 49
12.2.1 Kontrole proti zlonamerni programski opremi . 49
12.3 Varnostno kopiranje . 50
12.3.1 Varnostno kopiranje informacij . 50
12.4 Beleženje in spremljanje . 51
12.4.1 Beleženje dogodkov . 51
12.4.2 Zaščita zabeleženih informacij . 52
12.4.3 Beleženje aktivnosti administratorjev in operaterjev . 52
12.4.4 Uskladitev ur . 53
12.5 Nadzor operativne programske opreme . 53
12.5.1 Namestitev programske opreme na operativne sisteme . 53
12.6 Upravljanje tehničnih ranljivosti . 54
12.6.1 Upravljanje tehničnih ranljivosti . 54
12.6.2 Omejitve pri namestitvi programske opreme . 55
12.7 Upoštevanje presoj informacijskih sistemov . 55
12.7.1 Kontrole presoje informacijskih sistemov . 56
13 Varnost komunikacije . 56
13.1 Upravljanje varovanja omrežij . 56
13.1.1 Omrežne kontrole . 56
13.1.2 Varovanje omrežnih storitev . 57
13.3.3 Ločevanje v omrežjih . 57
13.2 Prenos informacij . 58
13.2.1 Politike in postopki prenosa informacij . 58
13.2.2 Dogovori o prenosu informacij . 59
13.2.3 Elektronsko sporočanje . 59
13.2.4 Dogovori o zaupnosti ali nerazkrivanju . 60
14 Pridobivanje, razvoj in vzdrževanje sistemov . 61
14.1 Varnostne zahteve informacijskih sistemov . 61
14.1.1 Analiza in specifikacije informacijskih varnostnih zahtev . 61
14.1.2 Varovanje aplikacijskih storitev v javnih omrežjih . 62
14.1.3 Zaščita transakcij aplikacijskih storitev . 63
4

---------------------- Page: 6 ----------------------

SIST EN ISO/IEC 27002 : 2017
14.2 Varnost v procesih razvoja in podpore . 63
14.2.1 Varna razvojna politika . 63
14.2.2 Postopki nadzora sprememb sistemov . 64
14.2.3 Tehnični pregled aplikacij po spremembah operacijskih sistemov . 65
14.2.4 Omejitve pri spremembah programskih paketov . 65
14.2.5 Načela varnega sistemskega inženiringa . 66
14.2.6 Varno razvojno okolje . 66
14.2.7 Zunanje izvajanje razvoja . 67
14.2.8 Testiranje sistemske varnosti . 67
14.2.9 Testiranje prevzema sistema . 68
14.3 Testni podatki . 68
14.3.1 Zaščita testnih podatkov . 68
15 Odnosi z dobavitelji . 68
15.1 Informacijska varnost v odnosih z dobavitelji . 68
15.1.1 Informacijska varnostna politika za odnose z dobavitelji . 68
15.1.2 Obravnavanje varnosti v dogovorih z dobavitelji . 69
15.1.3 Dobavna veriga informacijske in komunikacijske tehnologije . 71
15.2 Upravljanje izvajanja storitev dobavitelja . 71
15.2.1 Spremljanje in pregledovanje storitev dobaviteljev . 72
15.2.2 Upravljanje sprememb storitev dobaviteljev . 72
16 Upravljanje informacijskih varnostnih incidentov . 73
16.1 Upravljanje informacijskih varnostnih incidentov in izboljšave . 73
16.1.1 Odgovornosti in postopki . 73
16.1.2 Poročanje o informacijskih varnostnih dogodkih . 74
16.1.3 Poročanje o informacijskih varnostnih slabostih . 75
16.1.4 Ocena informacijskih varnostnih dogodkov in odločitev o njih . 75
16.1.5 Odgovor na informacijske varnostne incidente . 75
16.1.6 Učenje iz informacijskih varnostnih incidentov . 76
16.1.7 Zbiranje dokazov . 76
17 Vidiki informacijske varnosti pri upravljanju neprekinjenega poslovanja . 77
17.1 Neprekinjena informacijska varnost . 77
17.1.1 Načrtovanje neprekinjene informacijske varnosti . 77
17.1.2 Izvajanje neprekinjene informacijske varnosti . 78
17.1.3 Preverjanje, pregledovanje in vrednotenje neprekinjene informacijske var
...

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 27002:2016
01-december-2016
Informacijska tehnologija - Varnostne tehnike - Pravila obnašanja pri kontrolah
informacijske varnosti (ISO/IEC 27002:2013)
Information technology - Security techniques - Code of practice for information security
controls (ISO/IEC 27002:2013)
Informationstechnik - Sicherheitsverfahren - Leitfaden für
Informationssicherheitsmaßnahmen (ISO/IEC 27002:2013)
Technologies de l'information - Techniques de sécurité - Code de bonne pratique pour le
management de la sécurité de l'information (ISO/IEC 27002:2013)
Ta slovenski standard je istoveten z: prEN ISO/IEC 27002
ICS:
03.100.70 Sistemi vodenja Management systems
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 27002:2016 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 27002:2016

---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 27002:2016
INTERNATIONAL ISO/IEC
STANDARD 27002
Second edition
2013-10-01
Information technology — Security
techniques — Code of practice for
information security controls
Technologies de l’information — Techniques de sécurité — Code de
bonne pratique pour le management de la sécurité de l’information
Reference number
ISO/IEC 27002:2013(E)
©
ISO/IEC 2013

---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

Contents Page
Foreword .v
0 Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Structure of this standard . 1
4.1 Clauses . 1
4.2 Control categories . 1
5 Information security policies . 2
5.1 Management direction for information security . 2
6 Organization of information security . 4
6.1 Internal organization . 4
6.2 Mobile devices and teleworking . 6
7 Human resource security . 9
7.1 Prior to employment . 9
7.2 During employment .10
7.3 Termination and change of employment .13
8 Asset management .13
8.1 Responsibility for assets .13
8.2 Information classification .15
8.3 Media handling .17
9 Access control .19
9.1 Business requirements of access control .19
9.2 User access management .21
9.3 User responsibilities .24
9.4 System and application access control .25
10 Cryptography .28
10.1 Cryptographic controls .28
11 Physical and environmental security .30
11.1 Secure areas .30
11.2 Equipment .33
12 Operations security .38
12.1 Operational procedures and responsibilities .38
12.2 Protection from malware .41
12.3 Backup .42
12.4 Logging and monitoring .43
12.5 Control of operational software .45
12.6 Technical vulnerability management .46
12.7 Information systems audit considerations .48
13 Communications security .49
13.1 Network security management .49
13.2 Information transfer .50
14 System acquisition, development and maintenance .54
14.1 Security requirements of information systems .54
14.2 Security in development and support processes .57
14.3 Test data .62
15 Supplier relationships .62
15.1 Information security in supplier relationships .62
© ISO/IEC 2013 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

15.2 Supplier service delivery management .66
16 Information security incident management .67
16.1 Management of information security incidents and improvements .67
17 Information security aspects of business continuity management .71
17.1 Information security continuity .71
17.2 Redundancies .73
18 Compliance .74
18.1 Compliance with legal and contractual requirements .74
18.2 Information security reviews .77
Bibliography .79
iv © ISO/IEC 2013 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27002:2005), which has been
technically and structurally revised.
© ISO/IEC 2013 – All rights reserved v

---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

0 Introduction
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls
within the process of implementing an Information Security Management System (ISMS) based on
[10]
ISO/IEC 27001 or as a guidance document for organizations implementing commonly accepted
information security controls. This standard is also intended for use in developing industry- and
organization-specific information security management guidelines, taking into consideration their
specific information security risk environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-profit)
collect, process, store and transmit information in many forms including electronic, physical and verbal
(e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas
and brands are examples of intangible forms of information. In an interconnected world, information and
related processes, systems, networks and personnel involved in their operation, handling and protection
are assets that, like other important business assets, are valuable to an organization’s business and
consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats while the related processes, systems,
networks and people have inherent vulnerabilities. Changes to business processes and systems or
other external changes (such as new laws and regulations) may create new information security risks.
Therefore, given the multitude of ways in which threats could take advantage of vulnerabilities to harm
the organization, information security risks are always present. Effective information security reduces
these risks by protecting the organization against threats and vulnerabilities, and then reduces impacts
to its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes,
procedures, organizational structures and software and hardware functions. These controls need to
be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the
specific security and business objectives of the organization are met. An ISMS such as that specified in
[10]
ISO/IEC 27001 takes a holistic, coordinated view of the organization’s information security risks in
order to implement a comprehensive suite of information security controls under the overall framework
of a coherent management system.
[10]
Many information systems have not been designed to be secure in the sense of ISO/IEC 27001 and this
standard. The security that can be achieved through technical means is limited and should be supported
by appropriate management and procedures. Identifying which controls should be in place requires
careful planning and attention to detail. A successful ISMS requires support by all employees in the
organization. It can also require participation from shareholders, suppliers or other external parties.
Specialist advice from external parties can also be needed.
In a more general sense, effective information security also assures management and other stakeholders
that the organization’s assets are reasonably safe and protected against harm, thereby acting as a
business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of
security requirements:
a) the assessment of risks to the organization, taking into account the organization’s overall business
strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to
and likelihood of occurrence is evaluated and potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that an organization, its trading
partners, contractors and service providers have to satisfy, and their socio-cultural environment;
vi © ISO/IEC 2013 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

c) the set of principles, objectives and business requirements for information handling, processing,
storing, communicating and archiving that an organization has developed to support its operations.
Resources employed in implementing controls need to be balanced against the business harm likely
to result from security issues in the absence of those controls. The results of a risk assessment will
help guide and determine the appropriate management action and priorities for managing information
security risks and for implementing controls selected to protect against these risks.
[11]
ISO/IEC 27005 provides information security risk management guidance, including advice on risk
assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed
to meet specific needs as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk
acceptance, risk treatment options and the general risk management approach applied to the organization,
and should also be subject to all relevant national and international legislation and regulations. Control
selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security
management and applicable for most organizations. The controls are explained in more detail below
along with implementation guidance. More information about selecting controls and other risk treatment
[11]
options can be found in ISO/IEC 27005.
0.4 Developing your own guidelines
This International Standard may be regarded as a starting point for developing organization-specific
guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore,
additional controls and guidelines not included in this standard may be required. When documents are
developed containing additional guidelines or controls, it may be useful to include cross-references to clauses
in this standard where applicable to facilitate compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and
transmission to its eventual destruction or decay. The value of, and risks to, assets may vary during their
lifetime (e.g. unauthorized disclosure or theft of a company’s financial accounts is far less significant after
they have been formally published) but information security remains important to some extent at all stages.
Information systems have lifecycles within which they are conceived, specified, designed, developed,
tested, implemented, used, maintained and eventually retired from service and disposed of. Information
security should be taken into account at every stage. New system developments and changes to existing
systems present opportunities for organizations to update and improve security controls, taking actual
incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are
commonly applied in many different organizations, the remaining standards in the ISO/IEC 27000
family provide complementary advice or requirements on other aspects of the overall process of
managing information security.
Refer to ISO/IEC 27000 for a general introduction to both ISMSs and the family of standards. ISO/IEC 27000
provides a glossary, formally defining most of the terms used throughout the ISO/IEC 27000 family of
standards, and describes the scope and objectives for each member of the family.
© ISO/IEC 2013 – All rights reserved vii

---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 27002:2016

---------------------- Page: 10 ----------------------
oSIST prEN ISO/IEC 27002:2016
INTERNATIONAL STANDARD ISO/IEC 27002:2013(E)
Information technology — Security techniques — Code of
practice for information security controls
1 Scope
This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System
[10]
based on ISO/IEC 27001;
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses collectively containing a total of 35 main security
categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances,
security controls from any or all clauses could be important, therefore each organization applying this
standard should identify applicable controls, how important these are and their application to individual
business processes. Furthermore, lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
© ISO/IEC 2013 – All rights reserved 1

---------------------- Page: 11 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

Control descriptions are structured as follows:
Control
Defines the specific control statement, to satisfy the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and meeting the
control objective. The guidance may not be entirely suitable or sufficient in all situations and may not
fulfil the organization’s specific control requirements. .
Other information
Provides further information that may need to be considered, for example legal considerations and
references to other standards. If there is no other information to be provided this part is not shown.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and
communicated to employees and relevant external parties.
Implementation guidance
At the highest level, organizations should define an “information security policy” which is approved by
management and which sets out the organization’s approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to
information security;
b) assignment of general and specific responsibilities for information security management to
defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which
further mandate the implementation of information security controls and are typically structured to
address the needs of certain target groups within an organization or to cover certain topics.
Examples of such policy topics include:
a) access control (see Clause 9);
2 © ISO/IEC 2013 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST prEN ISO/IEC 27002:2016
ISO/IEC 27002:2013(E)

b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end user oriented topics such as:
1) acceptable use of assets (see 8.1.3);
2) clear desk and clear screen (see 11.2.9);
3) information transfer (see 13.2.1);
4) mobile devices and teleworking (see 6.2);
5) restrictions on software installations and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).
These policies should be communicated to employees and relevant external parties in a form that is
relevant, accessible and understandable to the intended reader, e.g. in the context of an “information
security awareness, education and training programme” (see 7.2.2).
Other information
The need for internal policies for information security varies across organizations. Internal policies
are especially useful in larger and more complex organizations where those defining and approving
the expected levels of control are segregated from those implementing the controls or in situations
where a policy applies to many different people or functions in the organization. Policies for information
security can be issued in a single “information security policy” document or as a set of individual but
related documents.
If any of the information security policies are distributed outside the organization, care should be taken
not to disclose confidential information.
Some organizations use other terms for these policy documents, such as “Standards”, “Directives” or “Rules”.
5.1.2 Review of the policies for information s
...