Please see the administrative notes on page iii
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number
ISO/IEC FDIS 27001:2005(E)
© ISO/IEC 2005
FINAL DRAFT
ISO/IEC JTC 1
Secretariat: DIN
Voting begins on:
2005-06-30
Voting terminates on:
2005-08-30
INTERNATIONAL STANDARD ISO/IEC FDIS 27001
Information technology - Security techniques - Information security management systems - Requirements
Technologies de l'information - Techniques de sécurité - Systèmes de gestion de sécurité de l'information - Exigences
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted
under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
Contents (page)
Foreword  iv
0 Introduction  v
0.1 General  v
0.2 Process approach  v
0.3 Compatibility with other management systems  vi
1 Scope  1
1.1 General  1
1.2 Application  1
2 Normative references  1
3 Terms and definitions  2
4 Information security management system  3
4.1 General requirements  3
4.2 Establishing and managing the ISMS  4
4.2.1 Establish the ISMS  4
4.2.2 Implement and operate the ISMS  6
4.2.3 Monitor and review the ISMS  6
4.2.4 Maintain and improve the ISMS  7
4.3 Documentation requirements  7
4.3.1 General  7
4.3.2 Control of documents  8
4.3.3 Control of records  8
5 Management responsibility  9
5.1 Management commitment  9
5.2 Resource management  9
5.2.1 Provision of resources  9
5.2.2 Training, awareness and competence  9
6 Internal ISMS audits  10
7 Management review of the ISMS  10
7.1 General  10
7.2 Review input  10
7.3 Review output  11
8 ISMS improvement  11
8.1 Continual improvement  11
8.2 Corrective action  11
8.3 Preventive action  12
Annex A (normative) Control objectives and controls  13
Annex B (informative) OECD principles and this International Standard  30
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard  31
Bibliography  34
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The
adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an
organization's ISMS is influenced by its needs and objectives, security requirements, the processes
employed and the size and structure of the organization. These and their supporting systems are expected to
change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of
the organization, e.g. a simple situation requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by interested internal and external
parties.
0.2 Process approach
This International Standard promotes the adoption of a process approach for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity using
resources and managed in order to enable the transformation of inputs into outputs can be considered to be a
process. Often the output from one process directly forms the input to the following process.
The application of a system of processes within an organization, together with the identification and
interactions of these processes, and their management, can be referred to as a process approach.
The process approach for information security management presented in this International Standard
encourages its users to emphasize the importance of:
a) understanding an organization's information security requirements and the need to establish policy and
objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context
of the organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) process model, which is applied to
structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security
requirements and expectations of the interested parties and, through the necessary actions and processes,
produces information security outcomes that meet those requirements and expectations. Figure 1 also
illustrates the links between the processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles set out in the OECD Guidelines (2002) 1)
governing the security of information systems and networks. This International Standard provides a robust
model for implementing the principles in those guidelines governing risk assessment, security design and
implementation, security management and reassessment.
1) OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Paris:
OECD, July 2002. www.oecd.org
EXAMPLE 1
A requirement might be that breaches of information security will not cause serious financial damage to an
organization and/or cause embarrassment to the organization.
EXAMPLE 2
An expectation might be that if a serious incident occurs (perhaps the hacking of an organization's eBusiness
web site) there should be people with sufficient training in appropriate procedures to minimize the impact.
[Figure 1: Interested parties supply information security requirements and expectations as input; the ISMS cycles through Plan (Establish ISMS), Do (Implement and operate the ISMS), Check (Monitor and review the ISMS) and Act (Maintain and improve the ISMS); the output, managed information security, is delivered back to the interested parties.]
Figure 1 - PDCA model applied to ISMS processes
Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent
and integrated implementation and operation with related management standards. One suitably designed
management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the
relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its ISMS with related
management system requirements.
Information technology - Security techniques - Information security management systems - Requirements
IMPORTANT This publication does not purport to include all the necessary provisions of a contract.
Users are responsible for its correct application. Compliance with an International Standard does not
in itself confer immunity from legal obligations.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government
agencies, not-for-profit organizations). This International Standard specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the
context of the organization's overall business risks. It specifies requirements for the implementation of security
controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect
information assets and give confidence to interested parties.
NOTE 1: References to "business" in this International Standard should be interpreted broadly to mean those activities
that are core to the purposes for the organization's existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all
organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4,
5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and
evidence needs to be provided that the associated risks have been accepted by accountable persons. Where
any controls are excluded, claims of conformity to this International Standard are not acceptable unless such
exclusions do not affect the organization's ability, and/or responsibility, to provide information security that
meets the security requirements determined by risk assessment and applicable regulatory requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation to
ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this
existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information
security management.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
asset
anything that has value to the organization
[ISO/IEC 13335-1:2004]
3.2
availability
the property of being accessible and usable upon demand by an authorized entity
[ISO/IEC 13335-1:2004]
3.3
confidentiality
the property that information is not made available or disclosed to unauthorized individuals, en