ISO 27001:2005 controls mapped to ISO 17799:2000 controls
March 1, 2006
Page 1 of 27

| ISO 27001:2005 Ref # | Title | Control | ISO 17799:2000 Ref # | Title | Control |
|---|---|---|---|---|---|
| 5 | Security Policy | | 3 | Security Policy | |
| 5.1 | Information security policy | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | 3.1 | Information security policy | To provide management direction and support for information security. |
| 5.1.1 | | An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties. | 3.1.1 | | |
| 5.1.2 | | The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. | 3.1.2 | | |
| 6 | Organization of information security | | 4 | Organizational Security | |
| 6.1 | Internal organization | To manage information security within the organization. | 4.1 | Information Security Infrastructure | To manage information security within the organization. |
| 6.1.1 | Management commitment to information security | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities. | 4.1.1 | Management information security forum | A management forum to ensure that there is clear direction and visible management support for security initiatives will be in place. The management forum shall promote security through (…) |
| 6.1.2 | Information security coordination | | 4.1.2 | Information security coordination | |
| 6.1.3 | Allocation of information security responsibilities | | 4.1.3 | Allocation of information security responsibilities | |
| 6.1.4 | | A management authorization process for new information processing facilities shall be defined and implemented. | 4.1.4 | | |
| 6.1.5 | Confidentiality agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed. | 6.1.3 | Confidentiality agreements | |
| 6.1.6 | | Appropriate contacts with relevant authorities shall be maintained. | 4.1.6 | Cooperation between organizations | |
| 6.1.7 | | | 4.1.5 | | |
| 6.1.8 | Independent review of information security | | 4.1.7 | Independent review of information security | |
| 6.2 | External parties | | 4.2 | Security of third-party access | |
| 6.2.1 | | | 4.2.1 | | |
| 6.2.2 | | | New control | | |
| 6.2.3 | | | 4.2.2; 4.3.1 | Security requirements in outsourcing contracts | |
| 7 | Asset management | | 5 | | |
| 7.1 | | To achieve and maintain appropriate protection of organizational assets. | 5.1 | | To maintain appropriate protection of organizational assets. |
| 7.1.1 | Inventory of assets | All assets shall be clearly identified and an inventory of all important assets drawn up and maintained. | 5.1.1 | Inventory of assets | An inventory of all important assets associated with each information system shall be drawn up and maintained. |
| 7.1.2 | Ownership of assets | All information and assets associated with information processing facilities shall be owned by a designated part of the organization. | New control | | |
| 7.1.3 | | Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented and implemented. | New control | | |
| 7.2 | Information classification | To ensure that information receives an appropriate level of protection. | 5.2 | Information classification | |
| 7.2.1 | Classification guidelines | | 5.2.1 | Classification guidelines | |
| 7.2.2 | | | 5.2.2 | | |
| 8 | | | 6 | Personnel security | |
| 8.1 | | | 6.1 | Security in job definition and resourcing | |
| 8.1.1 | | | 6.1.1 | | |
| 8.1.2 | Screening | | 6.1.2 | | |
| 8.1.3 | | | 6.1.4 | | |
| 8.2 | During employment | | 6.2 | User training | |
| 8.2.1 | Management responsibilities | | New control | | |
| 8.2.2 | Information security awareness, education, and training | | 6.2.1 | | |
| 8.2.3 | Disciplinary process | | 6.3.5 | Disciplinary process | |
| 8.3 | Termination or change of employment | (…) orderly manner. | New objective | | |
| 8.3.1 | Termination responsibilities | Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned. | New control | | |
| 8.3.2 | Return of assets | All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | New control | | |
| 8.3.3 | | The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | New control | | |
| 9 | | | 7 | | |
| 9.1 | | To prevent unauthorized physical access, damage and interference to the organization's premises and information. | 7.1 | | To prevent unauthorized physical access, damage and interference to business premises and information. |
| 9.1.1 | | Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities. | 7.1.1 | | |
| 9.1.2 | | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | 7.1.2 | | |
| 9.1.3 | | | 7.1.3 | | |
| 9.1.4 | | | New control | | |
| 9.1.5 | | | 7.1.4 | | |
| 9.1.6 | | | 7.1.5 | | |
| 9.2 | Equipment security | | 7.2 | Equipment security | |
| 9.2.1 | | | 7.2.1 | | |
| 9.2.2 | Supporting utilities | | 7.2.2 | Power supplies | |
| 9.2.3 | Cabling security | | 7.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage. |
| 9.2.4 | Equipment maintenance | | 7.2.4 | Equipment maintenance | Equipment shall be correctly maintained to enable its continued availability and integrity. |
| 9.2.5 | | | 7.2.5 | | Any use of equipment for information processing outside an organization's premises shall require authorization by management. |
| 9.2.6 | | | 7.2.6 | | Information shall be erased from equipment prior to disposal or re-use. |
| 9.2.7 | Removal of property | | 7.3.2 | Removal of property | Equipment, information or software belonging to the organization shall not be removed without authorization of the management. |
| 10 | Communications and operations management | | 8 | Communications and operations management | |
| 10.1 | Operational procedures and responsibilities | | 8.1 | Operational procedures and responsibilities | |
| 10.1.1 | Documented operating procedures | | 8.1.1 | Documented operating procedures | |
| 10.1.2 | Change management | | 8.1.2 | | |
| 10.1.3 | Segregation of duties | | 8.1.4 | Segregation of duties | |
| 10.1.4 | Separation of development, test and operational facilities | | 8.1.5 | Separation of development and operational facilities | |
| 10.2 | | | New objective | | |
| 10.2.1 | Service delivery | | 8.1.6 | | |
| 10.2.2 | | | New control | | |
| 10.2.3 | | | New control | | |
| 10.3 | | | 8.2 | | |
| 10.3.1 | | | 8.2.1 | | |
| 10.3.2 | System acceptance | | 8.2.2 | System acceptance | |
| 10.4 | | | 8.3 | | |
| 10.4.1 | | | 8.3.1 | | |
| 10.4.2 | | | New control | | |
| 10.5 | Back-up | | 8.4 | Housekeeping | |
| 10.5.1 | Information back-up | | 8.4.1 | Information back-up | |
| 10.6 | Network Security management | | 8.5 | Network management | |
| 10.6.1 | Network controls | | 8.5.1 | Network controls | |
| 10.6.2 | | | 9.4.9 | | |
| 10.7 | Media handling | | 8.6 | | To prevent damage to assets and interruptions to business activities. |
| 10.7.1 | Management of removable media | | 8.6.1 | Management of removable computer media | The management of removable computer media, such as tapes, disks, cassettes and printed reports shall be controlled. |
| 10.7.2 | Disposal of media | | 8.6.2 | Disposal of media | Media shall be disposed of (…) |
| 10.7.3 | Information handling procedures | | 8.6.3 | Information handling procedures | |
| 10.7.4 | Security of system documentation | | 8.6.4 | Security of system documentation | |
| 10.8 | Exchange of information | | 8.7 | Exchanges of information and software | |
| 10.8.1 | | | 8.7.7 | | |
| 10.8.2 | Exchange agreements | | 8.7.1 | | |
| 10.8.3 | | | 8.7.2 | | |
| 10.8.4 | Electronic messaging | (…) protected. | 8.7.4 | | |
| 10.8.5 | | | 8.7.5 | | |
| 10.9 | Electronic commerce services | | New objective | | |
| 10.9.1 | Electronic commerce | | 8.7.3 | | |
| 10.9.2 | On-Line Transactions | | New control | | |
| 10.9.3 | | | 8.7.6 | | |
| 10.10 | Monitoring | To detect unauthorized information processing activities. | 9.7 | | |
| 10.10.1 | Audit logging | Audit logs recording user activities, exceptions, and information security events shall (…) | 9.7.1 | Event logging | |
| 10.10.2 | | | 9.7.2 | | |
| 10.10.3 | | | New control | | |
| 10.10.4 | | | 8.4.2 | Operator logs | |
| 10.10.5 | Fault logging | | 8.4.3 | Fault logging | |
| 10.10.6 | Clock synchronization | | 9.7.3 | Clock synchronization | |
| 11 | Access Control | | 9 | Access Control | |
| 11.1 | Business requirement for access control | | 9.1 | Business requirement for access control | To control access to information. |
| 11.1.1 | Access control policy | | 9.1.1 | Access control policy | Business requirements for access control shall be defined and documented, and access shall be restricted to what is defined in the access control policy. |
| 11.2 | | | 9.2 | | To ensure that access rights (…) |
| 11.2.1 | User registration | | 9.2.1 | User registration | |
| 11.2.2 | Privilege management | | 9.2.2 | Privilege management | |
| 11.2.3 | | | 9.2.3 | | |
| 11.2.4 | | | 9.2.4 | | |
| 11.3 | User responsibilities | | 9.3 | User responsibilities | |
| 11.3.1 | Password use | | 9.3.1 | Password use | |
| 11.3.2 | | | 9.3.2 | | |
| 11.3.3 | | | 7.3.1 | | |
| 11.4 | | To prevent unauthorized access to networked services. | 9.4 | | Protection of networked services. |
| 11.4.1 | | Users shall only be provided with access to the services that they have been specifically authorized to use. | 9.4.1 | | Users shall only have direct access to the services that they have been specifically authorized to use. |
| 11.4.2 | | Appropriate authentication methods shall be used to control access by remote users. | 9.4.3 | | Access by remote users shall be subject to authentication. |
| 11.4.3 | Equipment identification in networks | Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. | 9.4.4 | Node authentication | Connections to remote computer systems shall be authenticated. |
| 11.4.4 | | Physical and logical access to diagnostic and configuration ports shall be controlled. | 9.4.5 | | |
| 11.4.5 | Segregation in networks | Groups of information services, users, and information systems shall be segregated on networks. | 9.4.6 | Segregation in networks | |
| 11.4.6 | | | 9.4.7 | | |
| 11.4.7 | | | 9.4.8 | | |
| 11.5 | (…) control | | 9.5 | (…) control | To prevent unauthorized computer access. |
| 11.5.1 | Secure log-on procedures | | 9.5.2 | Terminal log-on procedures | Access to information services shall use a secure log-on process. |
| 11.5.2 | | | 9.5.3 | | All users shall have a unique identifier (user ID) for their personal and sole use so that activities can be traced to the responsible individual. A suitable authentication technique shall be chosen to substantiate the claimed identity of the user. |
| 11.5.3 | Password management system | | 9.5.4 | Password management system | Password management systems shall provide an effective, interactive facility which aims to ensure quality passwords. |
| 11.5.4 | | | 9.5.5 | | Use of system utility programs shall be restricted and tightly controlled. |
| 11.5.5 | Session time-out | | 9.5.7 | Terminal time-out | |
| 11.5.6 | | | 9.5.8 | | |
| 11.6 | | | 9.6 | | |
| 11.6.1 | | | 9.6.1 | | |
| 11.6.2 | | | 9.6.2 | | |
| 11.7 | | | 9.8 | | |
| 11.7.1 | | | 9.8.1 | Mobile computing | |
| 11.7.2 | Teleworking | | 9.8.2 | Teleworking | |
| 12 | Information systems acquisition, development and maintenance | | 10 | | |
| 12.1 | Security requirements of information systems | | 10.1 | Security requirements of systems | |
| 12.1.1 | | | 10.1.1 | | |
| 12.2 | Correct processing in applications | (…) applications. | 10.2 | Security in application systems | (…) systems. |
| 12.2.1 | | Data input to applications shall be validated to ensure that this data is correct and appropriate. | 10.2.1 | | Data input to application systems shall be validated to ensure that it is correct and appropriate. |
| 12.2.2 | | | 10.2.2 | | Validation checks shall be incorporated into systems to detect any corruption of the data processed. |
| 12.2.3 | Message integrity | | 10.2.3 | Message authentication | |
| 12.2.4 | | | 10.2.4 | | |
| 12.3 | Cryptographic controls | To protect confidentiality, authenticity or integrity of information by cryptographic means. | 10.3 | Cryptographic controls | |
| 12.3.1 | | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | 10.3.1 | | |
| 12.3.2 | Key management | Key management shall be in place to support the organization's use of cryptographic techniques. | 10.3.5 | Key management | |
| 12.4 | | | 10.4 | | |
| 12.4.1 | | | 10.4.1 | | |
| 12.4.2 | | | 10.4.2 | | |
| 12.4.3 | | | 10.4.3 | | |
| 12.5 | | | 10.5 | | |
| 12.5.1 | | | 10.5.1 | | |
| 12.5.2 | Technical review of applications after operating system changes | | 10.5.2 | | |
| 12.5.3 | Restrictions on changes to software packages | | 10.5.3 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged and essential changes strictly controlled. |
| 12.5.4 | Information leakage | | 10.5.4 | | |
| 12.5.5 | Outsourced software development | Outsourced software development shall be supervised and monitored by the organization. | 10.5.5 | Outsourced software development | |
| 12.6 | Technical Vulnerability Management | To reduce risks resulting from exploitation of published technical vulnerabilities. | New objective | | |
| 12.6.1 | Control of technical vulnerabilities | Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. | New control | | |
| 13 | Information security incident management | | New area | | |
| 13.1 | Reporting information security events and weaknesses | To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. | New objective | | |
| 13.1.1 | | Information security events shall be reported through appropriate management channels as quickly as possible. | 6.3.1 | | |
| 13.1.2 | Reporting security weaknesses | All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services. | 6.3.2 | Reporting security weaknesses | |
| 13.2 | Management of information security incidents and improvements | To ensure a consistent and effective approach is applied to the management of information security incidents. | New objective | | |
| 13.2.1 | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | 8.1.3 | Incident management procedures | Incident management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to security incidents and to collect incident related data such as audit trails and logs. |
| 13.2.2 | | | 6.3.4 | | Mechanisms shall be put in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored. |
| 13.2.3 | Collection of evidence | | 12.1.7 | Collection of evidence | Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules of evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence. |
| 14 | Business continuity management | | 11 | | |
| 14.1 | Information security aspects of business continuity management | To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. | 11.1 | Aspects of business continuity management | To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. |
| 14.1.1 | | A managed process shall be (…) | 11.1.1 | Business continuity management process | |
| 14.1.2 | | | 11.1.2 | | |
| 14.1.3 | | | 11.1.3 | | |
| 14.1.4 | | | 11.1.4 | | A single framework of business continuity plans shall be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance. |
| 14.1.5 | | | 11.1.5 | | |
| 15 | Compliance | | 12 | | |
| 15.1 | Compliance with legal requirements | (…) statutory, regulatory or contractual obligations and of any security requirements. | 12.1 | (…) requirements | |
| 15.1.1 | Identification of applicable legislation | | 12.1.1 | Identification of applicable legislation | |
| 15.1.2 | | | 12.1.2 | | |
| 15.1.3 | Protection of organizational records | | 12.1.3 | Safeguarding of organizational records | Important records of an organization shall be protected from loss, destruction and falsification. |
| 15.1.4 | | | 12.1.4 | | |
| 15.1.5 | Prevention of misuse of information processing facilities | | 12.1.5 | Prevention of misuse of information processing facilities | |
| 15.1.6 | Regulation of cryptographic controls | | 12.1.6 | Regulation of cryptographic controls | |
| 15.2 | | To ensure compliance of systems with organizational security policies and standards. | 12.2 | | |
| 15.2.1 | | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. | 12.2.1 | | |
| 15.2.2 | Technical compliance checking | | 12.2.2 | Technical compliance checking | |
| 15.3 | | (…) processes. | 12.3 | | |
| 15.3.1 | | | 12.3.1 | | |
| 15.3.2 | Protection of information systems audit tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. | 12.3.2 | | |

Dropped controls (ISO 17799:2000)

| ISO 17799:2000 Ref # | Title |
|---|---|
| 6.3.3 | Reporting software malfunctions |
| 9.4.2 | Enforced path |
| 9.5.1 | Automatic terminal identification |
| 9.5.6 | |
| 10.3.2 | Encryption |
| 10.3.3 | Digital signatures |
| 10.3.4 | Non-repudiation services |