《ISO IEC 27013-2021.docx》由会员分享,可在线阅读,更多相关《ISO IEC 27013-2021.docx(35页珍藏版)》请在三一办公上搜索。
1、INTERNATIONA1.STANDARDISO/IEC27013editionThird2021-1.1.Informationsecurity,cybersecurityandprivacyprotectionGuidanceontheintegratedimp1.ementationofISO/IEC27001andISO/IEC20000*1SecuritydeVinformation,CybersecuriteetprotectiondeIaviepriveeRecommandationspourIamiseencuvreintegreede11SOIEC27001etdeISOI
2、KC20000-1ReferencenumberISO/IEC27013:2021(E)COPYRIGHTPROTECTEDDOCUMENTISO/1EC2021IUirhM*hedbdi1.iUedotherwiseupdhi.o啪InyM1.tta0DmkfifiU81.andonnet8CH-1214Vernier,GenevaPhone:M1.227490111觥曲ite:图洲跳触OQrgPub1.ishedinSwitzer1.andContentsForewordivIntroductionv2 Scope13 Normativereferences14 Termsanddefin
3、itions1OverviewofISO/IEC27001andISO/IEC200001.14.1 UnderstandingISO/IEC27001andISO/IEC20000-114.2 ISO/IEC27001COn(XPtS25Approachesforintegratedimp1.ementation35.1 Genera1.35.2 Considerationsofscope3534蝴m醐掰ationscenarios45.3.2 Neitherstandardiscurrent1.yusedasthebasisforamanagementsystem45.3.3 Theman
4、agementsystemfu1.fi1.stherequirementsofoneofthestandards55.3.4 standard.66Integratedimp1.ementationconsiderations_66 .167 .2Potentia1.cha1.1.enges7234ResptBandn1.scQnf1.gMinf1.BOhitemsServicedesignandtransitionRiskassessmentandmanagementRiskandotherpartiesIncidentmanagementProb1.emmanagementGatherin
5、gofevidence解:20蜘时蜘q三除淞出nfincidents7.11.11 Changemanagement138:初黜招磔融机Sf1.M剧Htand硼Wimprovement37.3.3 Capaatymanagement147.3.4 Managementofthirdpartiesandre1.atedrisk-.一._.一.147.3.5 弗1.ft三敌制朝阳嘛肱缶gement15Annex(informative)CorrespondencebetweenISO1EC27001:2013,C1.auses1to10,and1SOIEC20000-1:2018rC1.auses
6、1to1()17AnnexB(informative)CoiTespondencebetweenthecontro1.sinISO/IEC27001:2013,Annex,andtherequirementsinISO/IEC20000-1:2018,C1.auses4to1019Annexand(informa1.ive)ComparisonofternsanddefinitionsbetweenISO/IEC27000:201822ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternatio
7、na1.E1.ectrotechnica1.(inrt)(55io6)Srn1.H(irigWjwn怕&%愁S3UinWf!ft三b1.e用三电Q0hhy*hf1.1.三ffkubjectrights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmentOfI1.d屋um&MWiI1.b&intheIntrodurtionand/orontheISO1.istofpatentdec1.arationsreceived(seewww.iso.org/patents)ortheIEC1.istofpatentdec1.arationsre
8、ceived(seepatents.iec.ch).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.B即邸SiOnSeXPk1.nttrtbM岫CMtbWfthy前榄喇11fnt,StandHHs,1.hfoWttbgatfdOs,ttkadhvwceartd由aWoUdTade0tgQNG。注(VT0)princip1.esiU4hNtNB*H沁咯to:*#(CBT)seewww.iso.org/iso/foreword.htrn
9、1.IntheIEC.seewww.iec.chunderstandingstandards.j族。例M腺里SC编妞肿群梆隰CUrj夕或M1.wfm阳(SOI&肪小econ./brmaontechno1.ogy,Thisthirdeditioncance1.sandrep1.acesthesecondedition(ISO/IEC27013:2015),whichhasbeenIEWAWI1.y268bU18.Themainchangecomparedwiththepreviouseditionisthea1.ignmentwithA1.istofa1.1.partsintheISO/IEC2
10、7000seriescanbefoundontheISOandIECwebsites.NwfyTfeAibftekefMW油He1.tft川曲府hesft魅?rfHQWjqRPqRjreeted,w.iecxh/nationa1.-committees.IntroductionThere1.ationshipbetweeninformationsecuritymanagementandservicemanagementisSOc1.osethattaByoui6fi9,a3Wcgnizeinfohwbo11teoiQ/iwnic*timvyinafup$fcdt)on;re1.iabi1.it
11、yandimprovedoperationa1.efficiencythroughe) agreaterunderstandingbySerViCemanagementandinformationsecuritypersonne1.ofeachother,sviewpoints;f) anorganizationcertifiedforISO/IEC27001canmoreeasi1.yfu1.itherequirementsforinformationSecurityspecifiedinISO/IEC20000-1:2018,873,asISO/IEC27001andISO/IEC2000
12、0-1arecomp1.ementaryinrequirements.ThisdocumentisbasedonISO)EC27001:2013andISO/IEC20000-1:2018.酶IEC硼般出hdirW三蒯三ii加热SonSeithW%M羔晒即CgrftiI锚锹触ftftardsandThisdocumentdoesnotreproducecontentofISO/IEC27001orISO/IEC20000-1.Equa1.1.y,itdoesnot腮Fffteover1.a理即用nter信觎2盟Sta嘏和(UbmP斗潴8榭U1.i&ser?蜘砌Rd三iinen由郡站WsCtto
13、ISO/IEC20000-1andISO/IEC27001.NOTESpecific1.egis1.ationscanexistwhichcanimpactthep1.anningofanorganizationmanagementsystem.Informationsecurity,cybersecurityandprivacyprotectionGuidanceontheintegratedimp1.ementationofISO/IEC27001andISO/IEC20000-11Scopefororganizationsintendingto:b)in1.ementbothISO/IE
14、C27001andISO/IEC20000-1together:ormanagementfocuses(ISMS)exc1.usive1.yontheintegratedimp1.ementationmanagementinformationsecurity2 Normativereferencesconstitutesrcquircments1.atestCdiUOndOCUment.referencedreferences,(inc1.udingamendments)app1.ies.app)ies.systemrequirementssystemsOverviewandvocabu1.a
15、rysystems-Requirements3 TermsanddenitionsISO/IEC20000-1:2018app1.y.ISOOn1.inebrowsingp1.atform:avai1.ab1.eat1.utpswwMsoorgobp4OverviewofISO/IEC27001andISO/IEC20000-14.1UnderstandingISO/IEC27001andISO/IEC20000-1securitymanagcmcnt!SOIEC20000-1management.Thismaximizesmanage11cn1.rcsourcesinformationThi
16、sdocumentgivesguidanceontheintegratedimp1.ementationofISO/IEC27001andISO1EC20000-1a)imp1.ementISO/IEC27001whenISO/IEC20000-1isa1.readyimp1.emented,orviceversa;c)integrateexistingmanagementsystemsbasedonISO/IEC27001andISO/IEC20000-1.ThisdocumentsystemasspecifiedinISO/IEC27001andserviceofsystem(SMS)as
17、specifiedinISO/IEC20000-1.Thefo1.1.owingdocumentsarereferredtointhetextinsuchawaythatsomeora1.1.oftheircontentundatedreferences,theofthisoftheFordateddocumenton1.ytheanyeditioncitedForISO/IEC20000-1:2018,Informationtechno1.ogyServicemanagementPart1:ServicemanagementISO/IEC27000:2018,Informationtechn
18、o1.ogySecuritytechniquesInformationsecuritymanagementISO/IEC27001:2013,Informationtechno1.ogySecuritytechniquesInformationSeeUritymanagementForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000:2018andISOandIECmaintaintermino1.ogica1.databasesforuseinstandardizationatthefo1.1.owinga
19、ddresses:IECE1.ectropedia:avai1.ab1.eathttp:/www.e1.ectropedia.org/Anorganizationshou1.dhaveagoodunderstandingofthecharacteristics,simi1.aritiesanddifferencesofISO/IEC27001andandservicebeforep1.anninganintegratedthetimeandsystemforavai1.ab1.efor1.OE612aMi&24X1(IiII(Ito4p)xhMdinubbu)dmdiQBfiubstttut6
20、IiitoiiainCdOtaiaduedex1.yng4.2 ISO1EC27001conceptsISO/IEC27001providesamode1.forestab1.ishing,imp1.ementing,maintainingandcontinua1.1.yimprovingturm.!nfertxMBdiBcftmrityvaynndbRiUHeiyertMtyjtccitifrjftheon.ornfiEntaiocantakeanyToachieveconformitywiththerequirementsspecifiedinISO/IEC27001,anorganiza
21、tionshou1.d三MnanS梢膈如副於限瑞肥磁整轴&括瓢怨袋P3riety。用豳Ure黑蜥耐皿辘曲Xedescmeasuresareknownasinformationsecuritycontro1.s.Theorganizationshou1.ddetermineacceptab1.e1.eve1.sofrisk,takingintoaccounttherequirementsofinterestedpartiesre1.evanttotsarebusinessrequirements,1.ega1.andregu1.atoryj三i即ts11三fii沁翻?阳1期MnS.require
22、menISO/IEC27001canbeusedbyanytypeandsizeoforganization.Exc1.udinganyoftherequirementsanorganizationc1.aimstoISO/IEC2700?:rC1.auses4to101.isnotacceptab1.ewhen4.3 ISO/IEC20000-1conceptsISO/IEC20000-1specifiesrequirementsforestab1.ishing,imp1.ementing,maintainingandcontinua1.1.yIrfqK52ngi11R触耽W1.fo1.eO
23、rPartofa1.argerentity.TheSMSscopecana1.sobodefinedexc1.usive1.ybyac1.earphysica1.boundary,suchasasing1.esitede1.iveringservices.TheorganizationinthescopeoftheSMScana1.sobeknownasaserviceprovider.ISO/IEC27001isconcernedwithhowtomanageinformationsecurityrisk.ThescopeoftheISMScoversthoseactivitiesre1.a
24、tedtomanagingtheconfidentia1.ity,integrityandavai1.abi1.ityoftheorganizationsinformation.Termconfigurationitem(C1.)ISO/IEC27000:2018Notdefined3.11conformity(harmonizedstructureterm)fu1.fi1.mentofarequirementconsequence由一so/mc2021A=ngh-sreserved3.12outcomeofaneventaffectingobjectivesNote1toentry:Anev
25、entcan1.eadtoarangeofconsequences.Note2toentry:Aconsequencecanbecertainoruncertainand,MthecontextOfinformationsecurity,isusua1.1.ynegative.Note3toentry:Consequencescanbeexpressedqua1.itative1.yorquantitative1.y.Note4toentry:Initia1.consequencescanesca1.atethroughknock-oneffects.SOURCE:ISOGuide73:200
26、9,3.6.1.3,modifiedNote2toentryhasbeenchangedafter*andrt.J二EC27013:2021(E)ISO/IEC20000-1:20183.2.2e1.ementthatneedstobecontro1.1.edinordertode1.iveraserviceorservices3.1.3Identica1.definition.ISO/IEC200004hasaddedanotetoentry:Note1coentry:Confbrmicyre1.atestorequirementsinthisdocumentaswe1.1.astheorg
27、anizationsSMSrequirements.Note2toentry:Theorigina1.AnnexS1.definitionhasbeenmodifiedbyaddingNote1toentry.NotdefinedCommentsonusageoftheterminbothstandardsConfigurationmanagementisprominentinISO/IEC20000-1.AninformationassetinISO/IEC27001cana1.sobeaC1.inISO/IEC200004.See6.2.2forafurtherexp1.anationab
28、outcongurat1.onitems.Broad1.ythesamemeaninginISO/IEC27001andISO/IEC20000-1.ThetermconsequenceisusedinISO/IEC20000-1:2018,3.1.20,notestoentryfortheterm,riskrt,ISO/IEC200001:2018,6.1.3,NOTE1,ISOIEC20000-1:2018,8.1rrequirementsandISO/IEC20000-1:2018,10.1.1,requirements.Thewordisusedinthenorma1.Eng1.ish
29、1.anguageusage.A1.1.exceptISO/IEC20000-1:2018.6.1.3.archarmonizedstructuretext.28/-EC27013NJ021(E)TermISO/IEC27000:2018ISO/IEC20000-1:2018Cnmmentsonusageoftheterminbothstandards)rrectiveactionrmonizcdstructureterm)actcor117ontoe1.iminatethecauseofanon-actformityandtopreventrecurrencethecdNodefcexthe