INTERNATIONAL STANDARD ISO/IEC 27002
First edition 2005-06-15

Information technology — Security techniques — Code of practice for information security management
(French title: Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour la gestion de la sécurité de l'information)

Reference number: ISO/IEC 27002:2005(E)
© ISO/IEC 2005

ISO/IEC 27002:2005(E)

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC 27002 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes [...] ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007 are provisionally retained until publication of the second edition of ISO/IEC 27002.

INTERNATIONAL STANDARD ISO/IEC 17799:2005
TECHNICAL CORRIGENDUM 1
Published 2007-07-01

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION

Information technology — Security techniques — Code of practice for information security management
TECHNICAL CORRIGENDUM 1
(French title: Technologies de l'information — Techniques de sécurité — Code de bonne pratique pour la gestion de la sécurité de l'information — RECTIFICATIF TECHNIQUE 1)

Technical Corrigendum 1 to ISO/IEC 17799:2005 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Throughout the document:

Replace "17799" with "27002".

ICS 35.040
© ISO/IEC 2007 – All rights reserved
Published in Switzerland
Ref. No. ISO/IEC 17799:2005/Cor.1:2007(E)

ISO/IEC JTC 1
Secretariat: ANSI
Voting begins on: 2005-02-11
Voting terminates on: 2005-04-11

Information technology — Security techniques — Code of practice for information security management
(French title: Technologies de l'information — Techniques de sécurité — Code de pratique pour la gestion de sécurité d'information)

Please see the administrative notes on page iii.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.

Reference number: ISO/IEC FDIS 17799:2005(E)
© ISO/IEC 2005

ISO/IEC FDIS 17799:2005(E)

Contents (page numbers refer to the FDIS pagination)

FOREWORD .... viii
0 INTRODUCTION .... ix
    What is information security? .... ix
    Why information security is needed? .... ix
    How to establish security requirements .... x
    Assessing security risks .... x
    Selecting controls .... x
    Information security starting point .... x
    Critical success factors .... xi
    Developing your own guidelines .... xii
1 SCOPE .... 1
2 TERMS AND DEFINITIONS .... 1
3 STRUCTURE OF THIS STANDARD .... 4
  3.1 CLAUSES .... 4
  3.2 MAIN SECURITY CATEGORIES .... 4
4 RISK ASSESSMENT AND TREATMENT .... 5
  4.1 ASSESSING SECURITY RISKS .... 5
  4.2 TREATING SECURITY RISKS .... 5
5 SECURITY POLICY .... 7
  5.1 INFORMATION SECURITY POLICY .... 7
    5.1.1 Information security policy document .... 7
    5.1.2 Review of the information security policy .... 8
6 ORGANIZING INFORMATION SECURITY .... 9
  6.1 INTERNAL ORGANIZATION .... 9
    6.1.1 Management commitment to information security .... 9
    6.1.2 Information security co-ordination .... 10
    6.1.3 Allocation of information security responsibilities .... 10
    6.1.4 Authorization process for information processing facilities .... 11
    6.1.5 Confidentiality agreements .... 11
    6.1.6 Contact with authorities .... 12
    6.1.7 Contact with special interest groups .... 12
    6.1.8 Independent review of information security .... 13
  6.2 EXTERNAL PARTIES .... 14
    6.2.1 Identification of risks related to external parties .... 14
    6.2.2 Addressing security when dealing with customers .... 15
    6.2.3 Addressing security in third party agreements .... 16
7 ASSET MANAGEMENT .... 19
  7.1 RESPONSIBILITY FOR ASSETS .... 19
    7.1.1 Inventory of assets .... 19
    7.1.2 Ownership of assets .... 20
    7.1.3 Acceptable use of assets .... 20
  7.2 INFORMATION CLASSIFICATION .... 21
    7.2.1 Classification guidelines .... 21
    7.2.2 Information labeling and handling .... 21
8 HUMAN RESOURCES SECURITY .... 23
  8.1 PRIOR TO EMPLOYMENT .... 23
    8.1.1 Roles and responsibilities .... 23
    8.1.2 Screening .... 23
    8.1.3 Terms and conditions of employment .... 24
  8.2 DURING EMPLOYMENT .... 25
    8.2.1 Management responsibilities .... 25
    8.2.2 Information security awareness, education, and training .... 26
    8.2.3 Disciplinary process .... 26
  8.3 TERMINATION OR CHANGE OF EMPLOYMENT .... 27
    8.3.1 Termination responsibilities .... 27
    8.3.2 Return of assets .... 27
    8.3.3 Removal of access rights .... 28
9 PHYSICAL AND ENVIRONMENTAL SECURITY .... 29
  9.1 SECURE AREAS .... 29
    9.1.1 Physical security perimeter .... 29
    9.1.2 Physical entry controls .... 30
    9.1.3 Securing offices, rooms, and facilities .... 30
    9.1.4 Protecting against external and environmental threats .... 31
    9.1.5 Working in secure areas .... 31
    9.1.6 Public access, delivery, and loading areas .... 32
  9.2 EQUIPMENT SECURITY .... 32
    9.2.1 Equipment siting and protection .... 32
    9.2.2 Supporting utilities .... 33
    9.2.3 Cabling security .... 34
    9.2.4 Equipment maintenance .... 34
    9.2.5 Security of equipment off-premises .... 35
    9.2.6 Secure disposal or re-use of equipment .... 35
    9.2.7 Removal of property .... 36
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT .... 37
  10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES .... 37
    10.1.1 Documented operating procedures .... 37
    10.1.2 Change management .... 37
    10.1.3 Segregation of duties .... 38
    10.1.4 Separation of development, test, and operational facilities .... 38
  10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT .... 39
    10.2.1 Service delivery .... 39
    10.2.2 Monitoring and review of third party services .... 40
    10.2.3 Managing changes to third party services .... 40
  10.3 SYSTEM PLANNING AND ACCEPTANCE .... 41
    10.3.1 Capacity management .... 41
    10.3.2 System acceptance .... 41
  10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE .... 42
    10.4.1 Controls against malicious code .... 42
    10.4.2 Controls against mobile code .... 43
  10.5 BACK-UP .... 44
    10.5.1 Information back-up .... 44
  10.6 NETWORK SECURITY MANAGEMENT .... 45
    10.6.1 Network controls .... 45
    10.6.2 Security of network services .... 46
  10.7 MEDIA HANDLING .... 46
    10.7.1 Management of removable media .... 46
    10.7.2 Disposal of media .... 47
    10.7.3 Information handling procedures .... 47
    10.7.4 Security of system documentation .... 48
  10.8 EXCHANGE OF INFORMATION .... 48
    10.8.1 Information exchange policies and procedures .... 49
    10.8.2 Exchange agreements .... 50
    10.8.3 Physical media in transit .... 51
    10.8.4 Electronic messaging .... 52
    10.8.5 Business information systems .... 52
  10.9 ELECTRONIC COMMERCE SERVICES .... 53
    10.9.1 Electronic commerce .... 53
    10.9.2 On-line transactions .... 54
    10.9.3 Publicly available information .... 55
  10.10 MONITORING .... 55
    10.10.1 Audit logging .... 55
    10.10.2 Monitoring system use .... 56
    10.10.3 Protection of log information .... 57
    10.10.4 Administrator and operator logs .... 58
    10.10.5 Fault logging .... 58
    10.10.6 Clock synchronization .... 58
11 ACCESS CONTROL .... 60
  11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL .... 60
    11.1.1 Access control policy .... 60
  11.2 USER ACCESS MANAGEMENT .... 61
    11.2.1 User registration .... 61
    11.2.2 Privilege management .... 62
    11.2.3 User password management .... 62
    11.2.4 Review of user access rights .... 63
  11.3 USER RESPONSIBILITIES .... 63
    11.3.1 Password use .... 64
    11.3.2 Unattended user equipment .... 64
    11.3.3 Clear desk and clear screen policy .... 65
  11.4 NETWORK ACCESS CONTROL .... 65
    11.4.1 Policy on use of network services .... 66
    11.4.2 User authentication for external connections .... 66
    11.4.3 Equipment identification in networks .... 67
    11.4.4 Remote diagnostic and configuration port protection .... 67
    11.4.5 Segregation in networks .... 68
    11.4.6 Network connection control .... 68
    11.4.7 Network routing control .... 69
  11.5 OPERATING SYSTEM ACCESS CONTROL .... 69
    11.5.1 Secure log-on procedures .... 69
    11.5.2 User identification and authentication .... 70
    11.5.3 Password management system .... 71
    11.5.4 Use of system utilities .... 72
    11.5.5 Session time-out .... 72
    11.5.6 Limitation of connection time .... 72
  11.6 APPLICATION AND INFORMATION ACCESS CONTROL .... 73
    11.6.1 Information access restriction .... 73
    11.6.2 Sensitive system isolation .... 74
  11.7 MOBILE COMPUTING AND TELEWORKING .... 74
    11.7.1 Mobile computing and communications .... 74
    11.7.2 Teleworking .... 75
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE .... 77
  12.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS .... 77
    12.1.1 Security requirements analysis and specification .... 77
  12.2 CORRECT PROCESSING IN APPLICATIONS .... 78
    12.2.1 Input data validation .... 78
    12.2.2 Control of internal processing .... 78
    12.2.3 Message integrity .... 79
    12.2.4 Output data validation .... 79
  12.3 CRYPTOGRAPHIC CONTROLS .... 80
    12.3.1 Policy on the use of cryptographic controls .... 80
    12.3.2 Key management .... 81
  12.4 SECURITY OF SYSTEM FILES .... 83
    12.4.1 Control of operational software .... 83
    12.4.2 Protection of system test data .... 84
    12.4.3 Access control to program source code .... 84
  12.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES .... 85
    12.5.1 Change control procedures .... 85
    12.5.2 Technical review of applications after operating system changes .... 86
    12.5.3 Restrictions on changes to software packages .... 86
    12.5.4 Information leakage .... 87
    12.5.5 Outsourced software development .... 87
  12.6 TECHNICAL VULNERABILITY MANAGEMENT .... 88
    12.6.1 Control of technical vulnerabilities .... 88
13 INFORMATION SECURITY INCIDENT MANAGEMENT .... 90
  13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES .... 90
    13.1.1 Reporting information security events .... 90
    13.1.2 Reporting security weaknesses .... 91
  13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS .... 91
    13.2.1 Responsibilities and procedures .... 92
    13.2.2 Learning from information security incidents .... 93
    13.2.3 Collection of evidence .... 93
14 BUSINESS CONTINUITY MANAGEMENT .... 95
  14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT .... 95
    14.1.1 Including information security in the business continuity management process .... 95
    14.1.2 Business continuity and risk assessment
