ISO/IEC 27000:2014
INTERNATIONAL STANDARD ISO/IEC 27000
Third edition 2014-01-15

Information technology - Security techniques - Information security management systems - Overview and vocabulary

Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire

Reference number ISO/IEC 27000:2014(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
© ISO/IEC 2014 - All rights reserved

Contents
Foreword
0 Introduction
1 Scope
2 Terms and definitions
3 Information security management systems
3.1 Introduction
3.2 What is an ISMS?
3.3 Process approach
3.4 Why an ISMS is important
3.5 Establishing, monitoring, maintaining and improving an ISMS
3.6 ISMS critical success factors
3.7 Benefits of the ISMS family of standards
4 ISMS family of standards
4.1 General information
4.2 Standards describing an overview and terminology
4.3 Standards specifying requirements
4.4 Standards describing general guidelines
4.5 Standards describing sector-specific guidelines
Annex A (informative) Verbal forms for the expression of provisions
Annex B (informative) Term and Term ownership
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27000 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 27000:2012), which has been technically revised.

0 Introduction

0.1 Overview
International Standards for management systems provide a model to follow in setting up and operating a management system. This model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System (ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework for managing the security of their information assets including financial information, intellectual property, and employee details, or information entrusted to them by customers or third parties. These standards can also be used to prepare for an independent assessment of their ISMS applied to the protection of information.

0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS and consists of the following International Standards, under the general title Information technology - Security techniques (given below in numerical order):

- ISO/IEC 27000, Information security management systems - Overview and vocabulary
- ISO/IEC 27001, Information security management systems - Requirements
- ISO/IEC 27002, Code of practice for information security controls
- ISO/IEC 27003, Information security management system implementation guidance
- ISO/IEC 27004, Information security management - Measurement
- ISO/IEC 27005, Information security risk management
- ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007, Guidelines for information security management systems auditing
- ISO/IEC TR 27008, Guidelines for auditors on information security controls
- ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014, Governance of information security
- ISO/IEC TR 27015, Information security management guidelines for financial services
- ISO/IEC TR 27016, Information security management - Organizational economics

NOTE The general title Information technology - Security techniques indicates that these standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

International Standards not under the same general title that are also part of the ISMS family of standards are as follows:

- ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002