ISO 27009 PDF | iMindMap 10 – Exporting files to PDF, JPG and PNG

This page collects sources for the topic "iso 27009 pdf" alongside the video "iMindMap 10 – Xuất file ra định dạng PDF – JPG – PNG" (exporting an iMindMap 10 mind map to PDF, JPG or PNG) by Phan Kim Tu (https://www.phankimtu.com).

Sources on the topic "iso 27009 pdf":

ISO IEC 27009-2020 – PDFCOFFEE.COM
ISO/IEC 27009 Second edition 2020-04. Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — …
Source: pdfcoffee.com (published 12/12/2022)

ISO/IEC 27009:2020 – iTeh Standards
ISO/IEC 2020. iTeh STANDARD PREVIEW (standards.iteh.ai). ISO/IEC 27009:2020 https://standards.iteh.ai/catalog/standards/sist/97be6588-6cf2-4423-bf19-.
Source: cdn.standards.iteh.ai (published 8/13/2022)

ISO/IEC 27009:2020 – Information security, cybersecurity and …
This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC …
Source: www.iso.org (published 6/13/2021)

ISO/IEC 27009-2020 pdf free – Standards Download Free
ISO/IEC 27009-2020 pdf free. Information security, cybersecurity and privacy protection – Sector-specific application of ISO/IEC 27001 – Requirements.
Source: freestandards.mealir.com (published 6/20/2022)

BS ISO/IEC 27009:2020 pdf download
ISO/IEC 27009:2020, Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements.
Source: www.freestandardsdownload.com (published 11/23/2022)

BS ISO/IEC 27009:2020 PDF Download – NormStream
This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support …
Source: www.normstream.com (published 2/17/2022)

BS ISO IEC 27009:2020 download free
BS ISO IEC 27009:2020 download free. Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC …
Source: www.52yufa.com (published 1/25/2021)

Note that the authoritative text is sold by ISO (www.iso.org) and its national member bodies; as the copyright notice reproduced below states, the document may not be reproduced or posted on the internet without permission, so the "free download" sites listed above are not legitimate sources.

[Image: iMindMap 10 – Xuất file ra định dạng PDF – JPG – PNG]

Video details

  • Author: Phan Kim Tu
  • Views: 9,194
  • Likes: 55
  • Date published: 24 Feb 2020
  • Video URL: https://www.youtube.com/watch?v=2SP8hipX6OY

ISO/IEC 27009:2020 (extract)

INTERNATIONAL STANDARD ISO/IEC 27009
Second edition 2020-04

Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

Sécurité de l'information, cybersécurité et protection des données personnelles — Application de l'ISO/IEC 27001 à un secteur spécifique — Exigences

Reference number ISO/IEC 27009:2020(E)

© ISO/IEC 2020

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2020. All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: [email protected]
Website: www.iso.org

Published in Switzerland

Contents

Foreword ... iv
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Overview of this document ... 2
  4.1 General ... 2
  4.2 Structure of this document ... 3
  4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls ... 3
5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements ... 3
  5.1 General ... 3
  5.2 Addition of requirements to ISO/IEC 27001 ... 4
  5.3 Refinement of requirements in ISO/IEC 27001 ... 4
  5.4 Interpretation of requirements in ISO/IEC 27001 ... 4
6 Additional or modified ISO/IEC 27002 guidance ... 4
  6.1 General ... 4
  6.2 Additional guidance ... 5
  6.3 Modified guidance ... 5
Annex A (normative) Template for developing sector-specific standards related to ISO/IEC 27001 and optionally ISO/IEC 27002 ... 6
Annex B (normative) Template for developing sector-specific standards related to ISO/IEC 27002 ... 9
Annex C (informative) Explanation of the advantages and disadvantages of numbering approaches used within Annex B ... 16
Bibliography ... 18


Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 27009:2016), which has been technically revised. The main changes compared to the previous edition are as follows:

— the scope has been updated to more clearly reflect the content of this document;
— former Annex A has been divided into Annexes A and B;
— Annex C has been created.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

INTERNATIONAL STANDARD ISO/IEC 27009:2020(E)

Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

1 Scope

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).

This document explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.

This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.

This document is applicable to those involved in producing sector-specific standards.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/


3.1
interpret
interpretation
explanation of an ISO/IEC 27001 requirement in a sector-specific context which does not invalidate any of the ISO/IEC 27001 requirements

Note 1 to entry: The explanation can pertain to either a requirement or guidance.

3.2
refine
refinement
supplementation or adaptation of an ISO/IEC 27001 requirement in a sector-specific context which does not remove or invalidate any of the ISO/IEC 27001 requirements

4 Overview of this document

4.1 General

ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature. ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to "determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]", and "compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]". The guidance on the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.

ISO/IEC 27002 provides guidelines for information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards.

EXAMPLES The following documents have been developed to address such sector-specific needs:
— ISO/IEC 27010, Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
— ISO/IEC 27011, Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
— ISO/IEC 27017, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
— ISO/IEC 27018, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
— ISO/IEC 27019, Information technology — Security techniques — Information security controls for the energy utility industry


Other organizations have also produced standards addressing sector-specific needs. Sector-specific standards should be consistent with the requirements of the information security management system.

This document specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1). This document assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.

4.2 Structure of this document

Clause 5 provides requirements and guidance on how to make additions to, refinements or interpretations of ISO/IEC 27001 requirements. Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content.

Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001. Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002.

For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002 (see Clause 6), both Annex A and Annex B apply.

Annex C provides explanations about advantages and disadvantages of two different numbering approaches applied in the two templates in Annex B.

In this document, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector:
— addition ― see 5.2;
— refinement ― see 5.3;
— interpretation ― see 5.4.

In this document, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector:
— addition ― see 6.2;
— modification ― see 6.3.

4.3 Expanding ISO/IEC 27001 requirements or ISO/IEC 27002 controls

Sector-specific standards related to ISO/IEC 27001 may add requirements or guidance to those of ISO/IEC 27001 or ISO/IEC 27002. The addition may expand the requirements or guidance beyond information security into their sector-specific topic.

EXAMPLE ISO/IEC 27018 uses such expansions. ISO/IEC 27018:2019, Annex A contains a set of controls aimed at the protection of personally identifiable information and, therefore, expands the scope of ISO/IEC 27018 to cover PII protection in addition to information security.

5 Addition to, refinement or interpretation of ISO/IEC 27001 requirements

5.1 General

Figure 1 illustrates how sector-specific requirements are constructed in relation to ISO/IEC 27001.

[Figure 1 — Construction of sector-specific requirements]

5.2 Addition of requirements to ISO/IEC 27001

Addition of requirements to ISO/IEC 27001 requirements is permitted.

EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.

No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001. Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

5.3 Refinement of requirements in ISO/IEC 27001

Refinement of ISO/IEC 27001 requirements is permitted.

NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2).

Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard.

Specification of a particular approach to meeting requirements in ISO/IEC 27001 is also permitted.

EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sector-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.

5.4 Interpretation of requirements in ISO/IEC 27001

Interpretation of ISO/IEC 27001 requirements is permitted.

NOTE Interpretations do not invalidate any of the ISO/IEC 27001 requirements but explain them or place them into sector-specific context (see 3.1).

Where applicable, sector-specific interpretations of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

6 Additional or modified ISO/IEC 27002 guidance

6.1 General

Figure 2 illustrates how ISO/IEC 27002 guidance can be added to or modified.

[Figure 2 — Construction of sector-specific guidance]

Each control shall only contain one instance of the word "should".

NOTE In ISO/IEC 27001, information security risk treatment requires an organization to state controls that have been determined and justification of inclusions, and justification for exclusions of controls from ISO/IEC 27001:2013, Annex A. Having only one use of "should" within a control statement eliminates the possibility of ambiguity over the scope of the control.

6.2 Additional guidance

Addition of clauses, control objectives, controls, implementation guidance and other information to ISO/IEC 27002 is permitted.

Where applicable, clauses, control objectives, controls, implementation guidance and other information additional to ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.

Before specifying additional clauses, control objectives or controls, entities producing sector-specific standards related to ISO/IEC 27001 should consider whether a more effective approach would be to modify existing ISO/IEC 27002 content, or to achieve the desired result just through the addition of sector-specific control objectives (instead of adding clauses), controls (instead of control objectives), or implementation guidance and other information (instead of controls) to the existing ISO/IEC 27002 content.

6.3 Modified guidance

Clauses, controls and their control objectives contained in ISO/IEC 27002 shall not be modified. If there is a sector-specific need to include a control objective that contradicts a control objective contained in ISO/IEC 27002, a new sector-specific control objective shall be introduced. The new control objective shall have at least one sector-specific control. If there is a sector-specific need to include a control that contradicts a control contained in ISO/IEC 27002, a new sector-specific control shall be introduced.

Modification of implementation guidance and other information from ISO/IEC 27002 is permitted. Where applicable, modified clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.


Annex A
(normative)

Template for developing sector-specific standards related to ISO/IEC 27001 and optionally ISO/IEC 27002

A.1 Drafting instructions

In A.2, the following formatting conventions are used:

— the text in angle brackets should be replaced by suitable sector-specific text.
  EXAMPLE For the telecommunications sector, the title of Clause 4 of the template in A.2, "<sector>-specific requirements", is adapted as "Telecommunications-specific requirements".
— the text in braces and italics indicates how to use this part of the template; this text should be deleted in the final version of the sector-specific standard.
— the text written without special formatting should be copied verbatim.

A.2 Template

Introduction

{Include how the requirements contained within this document relate to the requirements specified within ISO/IEC 27001 and optionally how the guidance contained within the standard relates to the guidance in ISO/IEC 27002 if the sector-specific standard is also related to ISO/IEC 27002.}

{Insert the following text.}

This document is NOT a new management system standard independent of ISO/IEC 27001, but rather specifies <sector>-specific requirements that are composed of refinements of and/or additions to requirements in ISO/IEC 27001.

{If the sector-specific standard is also related to ISO/IEC 27002, insert the following text instead of the above.}

This document is NOT a new management system standard independent of ISO/IEC 27001, but rather:
a) specifies <sector>-specific requirements that are composed of refinements of and/or additions to requirements in ISO/IEC 27001; and
b) specifies <sector>-specific guidance that supports additions to and/or modifications of ISO/IEC 27002 (see Clause 6).

1 Scope

{Include appropriate scope statements including the relationship of the standard to ISO/IEC 27001 and optionally ISO/IEC 27002 if the sector-specific standard is also related to ISO/IEC 27002.}

2 Normative references

{Insert the relevant normative references, including ISO/IEC 27001 and optionally ISO/IEC 27002.}

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary


3 Terms and definitions

{Insert the following text to ensure that ISO/IEC 27000 is included.}

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 [and the following] apply.

4 <Sector>-specific requirements related to ISO/IEC 27001:2013

4.1 General

{Insert the following text.}

All requirements from ISO/IEC 27001:2013, Clauses 4 to 10, that do not appear below shall apply unchanged.

{Add all sector-specific requirements. When adding a requirement, check first whether it is related to a requirement already existing in ISO/IEC 27001. If additional requirements relate to existing requirements from ISO/IEC 27001, add a title to them with a prefix of at least three letters for the sector, followed by the subclause number and the original title of the subclause from ISO/IEC 27001.

EXAMPLE 4.2 CLD 4.1 Understanding the organization and its context.

If there is no relation to an existing requirement, place the additional requirement as a new subclause at the end after all other subclauses in Clause 4 of the sector-specific standard.}

{Optionally, a sector-specific standard may have a table which indicates the relationship between the (sub)clauses of the sector-specific standard and those of ISO/IEC 27001. A table is a useful tool which helps readers understand the placement of the clauses of the sector-specific standard compared to those of ISO/IEC 27001.}

Table 1 — Correspondence of <sector>-specific requirements with ISO/IEC 27001

Subclause in ISO/IEC 27001:2013 | Title | Subclause in this document | Remarks
(one row per sector-specific requirement; rows left empty in the template)

{Indicate sector-specific requirements that are additional to the ISO/IEC 27001 requirements by insertion of the following text.}

In addition to ISO/IEC 27001:2013, <subclause>, the following applies.

{Indicate sector-specific requirements that refine ISO/IEC 27001:2013 requirements by insertion of the following text.}

ISO/IEC 27001:2013, <subclause>, is refined as follows.

{Indicate sector-specific requirements that interpret ISO/IEC 27001:2013 requirements by insertion of the following text.}

ISO/IEC 27001:2013, <subclause>, is interpreted as follows.

{If possible, show the added, refined or interpreted text by use of italics.}

{If the sector-specific standard has sector-specific controls, always insert the following text.}

ISO/IEC 27001:2013, 6.1.3 c), is refined as follows.


Compare the controls determined in 6.1.3 b) above with those in ISO/IEC 27001:2013, Annex A, and with Annex A, to veri fy that no necessary controls have been omitted. ISO/IEC 27001:2013, 6.1.3 d), is refined as follows. Produce a Statement o f Applicability that contains: — the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)]; — a justification for their inclusion; — whether the necessary controls are implemented or not; and — a justification for excluding any o f the controls in Annex A and ISO/IEC 27001:2013, Annex A. {The controls in ISO/IEC 27001 :201 3, Annex A, are not requirements. However, it is possible to mandate controls. There are two different types o f sources o f mandated controls. If the set o f mandated controls comes from an external source, then add a requirement mandating the set o f controls by referencing the external source. If they are introduced in this document, specify them explicitly. Such mandated controls should be placed in the most relevant clause (i. e. Clauses 4 to 10) in this document, for example Clause 8. Insert the following text to specify the mandated controls as a refinement to ISO/IEC 27001 as an additional clause.}

In addition to ISO/IEC 27001:2013, Clause , the following applies.

{If the sector-specific standard is also related to ISO/IEC 27002, use the template generated by combining Clause 4 of this template and Clauses 4 to 6 in B.2 or Clauses 4 to 18 in B.3 appropriately so that the structure of the sector-specific standard fits for its purpose.}

{If the sector-specific standard has sector-specific controls, add an Annex A in the same way as ISO/IEC 27001:2013, Annex A, with the following text.}

Annex A lists the <Sector>-specific reference control objectives and controls which shall be applied as additions to ISO/IEC 27001:2013, Annex A, as specified in 4.1.

Annex A
(normative)
<Sector>-specific reference control objectives and controls

{Introduce Table A.1 in the same format as ISO/IEC 27001:2013, Annex A, with the following text.}

The additional or modified control objectives and controls listed in Table A.1 are directly derived from and aligned with those defined in this document and are to be used in context with ISO/IEC 27001:2013, 6.1.3, as refined by this document.


Annex B
(normative)
Template for developing sector-specific standards related to ISO/IEC 27002

B.1 Drafting instructions

B.1.1 Common instructions

In B.2 and B.3, the following formatting conventions are used:

— the text in angle brackets should be replaced by suitable sector-specific text;

EXAMPLE For the telecommunications sector, the title of Clause 6 of the template in B.2 or 4.3 of the template in B.3, “<Sector>-specific guidance”, is adapted as “Telecommunications-specific guidance”.

— the text in braces and italics indicates how to use this part of the template; this text should be deleted in the final version of the sector-specific standard;

— the text written without special formatting should be copied verbatim.

B.1.2 Instructions for two numbering approaches

There are two templates, B.2 and B.3, which apply different numbering approaches for sector-specific clauses, control objectives, controls, implementation guidance and other information. In producing sector-specific standards using this annex, one of the templates should be selected that is suitable to the reference standard. The numbering approaches are described in B.1.3 and B.1.4. Annex C provides an explanation of the advantages and disadvantages of the two numbering approaches given in B.2 and B.3.

B.1.3 Numbering approach to indicate all sector-specific contents with a three-letter prefix in Clause 6 of the sector-specific standard (B.2)

Numbers and titles with a three-letter prefix for the sector (along with the subclause number of the sector-specific document) are used as the titles of subclauses in Clause 6 of the sector-specific standard for additional or modified clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002:2013.

EXAMPLE 6.2 CLD 5.1.1 Policies for information security

In this approach, controls, control objectives, implementation guidance and other information which have no modification of or addition to ISO/IEC 27002 are neither reproduced nor referenced.

B.1.4 Numbering approach in accordance with clause/subclause numbers of ISO/IEC 27002 (B.3)

All numbers and titles in ISO/IEC 27002:2013, Clauses 5 to 18, are reproduced to indicate relevant sector-specific implementation guidance/other information, and a three-letter prefix for the sector is attached to the title of a (sub)clause so as to indicate additional sector-specific clauses, control objectives or controls.

EXAMPLE

6 Organization of information security
6.1 Internal organization
……
6.1.6 ENR ― Identification of risks related to external parties

In this approach, controls, control objectives, implementation guidance and other information which have no modification of, or addition to, ISO/IEC 27002:2013 are not reproduced entirely. Only the subclause headings are reproduced along with simple text indicating that no modifications or additions are made.

B.2 Template (for numbering approach to indicate all sector-specific contents with a three-letter prefix in Clause 6 of the sector-specific standard)

Introduction

{Include how the guidance contained within this document relates to the guidance within ISO/IEC 27002.}

{Insert the following text.}

This document is not a new management system standard independent of ISO/IEC 27001, but rather:

a) specifies <Sector>-specific guidance that supports additions to and/or modifications of ISO/IEC 27002 (see Clause 6); and

b) refines requirements of ISO/IEC 27001:2013, 6.1.3 c) and d), that support additions to and/or modifications of controls (see Clause 5).

{If the sector-specific standard related to ISO/IEC 27002 is also related to ISO/IEC 27001, use Annex A in combination with Annex B.}

1 Scope

{Include appropriate scope statements including the relationship of the standard to ISO/IEC 27001 and ISO/IEC 27002.}

2 Normative references

{Insert the relevant normative references, including ISO/IEC 27001 and optionally ISO/IEC 27002.}

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

{Insert the following text to ensure that ISO/IEC 27000 is included.}

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 [and the following] apply.

4 Structure of this document

4.1 General

{If the sector-specific standard has sector-specific clauses, control objectives or controls additional to or modified from ISO/IEC 27002, insert the following text.}

The <Sector>-specific reference control objectives and controls are listed in Annex A.


{Optionally, a sector-specific standard may have a table which indicates the relationship between the (sub)clauses of the sector-specific standard and those of ISO/IEC 27002. A table is a useful tool which helps readers understand the placement of the clauses of the sector-specific standard compared to those of ISO/IEC 27002.}

Table 1 — Correspondence of <Sector>-specific requirements with ISO/IEC 27002

Subclause in ISO/IEC 27002:2013 | Title | Subclause in this document | Remarks

5 Refinement of ISO/IEC 27001 requirements

{If the sector-specific standard has sector-specific controls, always insert the following text.}

ISO/IEC 27001:2013, 6.1.3 c) is refined as follows.

Compare the controls determined in 6.1.3 b) above with those in ISO/IEC 27001:2013, Annex A, and with Annex A, to verify that no necessary controls have been omitted.

ISO/IEC 27001:2013, 6.1.3 d) is refined as follows.

Produce a Statement of Applicability that contains:

— the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)];

— a justification for their inclusion;

— whether the necessary controls are implemented or not; and

— a justification for excluding any of the controls in Annex A and ISO/IEC 27001:2013, Annex A.

NOTE These refinements are necessary due to the introduction of new <Sector>-specific controls in this document.

All other requirements in ISO/IEC 27001:2013, Clauses 4 to 10, shall apply unchanged. There are no additional or refined requirements specific to <Sector>.

{If the sector-specific standard does not have sector-specific clauses, control objectives or controls additional to, or modified from, ISO/IEC 27002, but has implementation guidance or other information additional to, or modified from, ISO/IEC 27002, always insert the following text.}

All requirements from ISO/IEC 27001:2013, Clauses 4 to 10, shall apply unchanged. There are no additional or refined requirements specific to <Sector>.

6 <Sector>-specific guidance related to ISO/IEC 27002:2013

6.1 General

{Always insert the following text.}

All clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002 that do not appear below apply unchanged.

{If the sector-specific standard has sector-specific clauses, control objectives, controls, implementation guidance or other information additional to or modified from ISO/IEC 27002, insert them in this clause. For each added or modified clause, control objective, control, implementation guidance or other information, add a new subclause with a sequential subclause number. If the subclause has a relation to an existing (sub)clause of ISO/IEC 27002, add a title with the three-letter prefix followed by the referenced (sub)clause number and title of the (sub)clause of ISO/IEC 27002. If there is no relation, add an appropriate title for the clause. When considering new control objectives, controls, implementation guidance and/or other information, check first whether it is related to existing ISO/IEC 27002 content. If it is, modify the relevant ISO/IEC 27002 content. If there is no relation, place the additional content after the clauses, control objectives or controls from ISO/IEC 27002 (see also 6.3). Number those modified or additional sector-specific clauses, control objectives or controls in accordance with the above instruction.}

{Indicate sector-specific clauses that are additional to ISO/IEC 27002 by insertion of the following text.}

In addition to ISO/IEC 27002:2013, the following applies.

{Indicate sector-specific control objectives that are additional to ISO/IEC 27002 by insertion of the following text.}

In addition to ISO/IEC 27002:2013, Clause , the following applies.

{Indicate sector-specific controls that are additional to ISO/IEC 27002:2013 by insertion of the following text; ensure that the control objective reflects the additional sector-specific controls.}

In addition to ISO/IEC 27002:2013, , the following applies.

{When modifying a control objective, control, implementation guidance or other information, for example, by modifying or adding to existing text, repeat as much as necessary from ISO/IEC 27002 for understanding. Denote sector-specific modifications of control objectives or controls in ISO/IEC 27002 by insertion of one of the following, as required.}

ISO/IEC 27002:2013, is modified as follows.

{or}

ISO/IEC 27002:2013, is modified as follows.

{Where the existing text of a control is not modified, only additional guidance given, insert one of the following headings, as required.}

Additional implementation guidance for ISO/IEC 27002:2013,

Additional other information for ISO/IEC 27002:2013,

{If possible, show added or modified text by use of italics. If text from ISO/IEC 27002 is reproduced in the sector-specific standard, it shall be distinguished from the other elements of the sector-specific standard.}

{If the sector-specific standard has sector-specific clauses, control objectives or controls additional to, or modified from, ISO/IEC 27002, add an Annex A in the same way as ISO/IEC 27001:2013, Annex A, and replace, where applicable, the occurrence of “should” by “shall”. Give the annex the following heading and title.}

Annex A lists the <Sector>-specific reference control objectives and controls which shall be applied as additions to ISO/IEC 27001:2013, Annex A, as specified in 4.1.

Annex A
(normative)
<Sector>-specific reference control objectives and controls

{Introduce Table A.1 in the same format as ISO/IEC 27001:2013, Annex A, with the following text.}

The additional or modified control objectives and controls listed in Table A.1 are directly derived from and aligned with those defined in this document and are to be used in context with ISO/IEC 27001:2013, 6.1.3, as refined by this document.


B.3 Template (for numbering approach in accordance with clause/subclause numbers of ISO/IEC 27002)

Introduction

{Include how the guidance contained within this document relates to the guidance within ISO/IEC 27002.}

{Insert the following text.}

This document is not a new management system standard independent of ISO/IEC 27001, but rather:

a) specifies <Sector>-specific guidance that supports additions to and/or modifications of ISO/IEC 27002 (see Clauses 5 to 18); and

b) refines requirements 6.1.3 c) and d) of ISO/IEC 27001 that support additions to and/or modifications of controls (see 4.2).

{If the sector-specific standard related to ISO/IEC 27002 is also related to ISO/IEC 27001, use Annex A in combination with Annex B.}

1 Scope

{Include appropriate scope statements including the relationship of the standard to ISO/IEC 27001 and ISO/IEC 27002.}

2 Normative references

{Insert the relevant normative references, including ISO/IEC 27001 and optionally ISO/IEC 27002.}

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

3 Terms and definitions

{Insert the following text to ensure that ISO/IEC 27000 is included.}

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 [and the following] apply.

4 Structure of this document

4.1 General

{If the sector-specific standard has sector-specific clauses, control objectives or controls additional to or modified from ISO/IEC 27002, insert the following text.}

The <Sector>-specific reference control objectives and controls are listed in Annex A.

4.2 Refinement of ISO/IEC 27001 requirements

{If the sector-specific standard has sector-specific controls, always insert the following text.}

ISO/IEC 27001:2013, 6.1.3 c), is refined as follows.

Compare the controls determined in 6.1.3 b) above with those in ISO/IEC 27001:2013, Annex A, and with Annex A, to verify that no necessary controls have been omitted.

ISO/IEC 27001:2013, 6.1.3 d), is refined as follows.


Produce a Statement of Applicability that contains:

— the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)];

— a justification for their inclusion;

— whether the necessary controls are implemented or not; and

— a justification for excluding any of the controls in Annex A and ISO/IEC 27001:2013, Annex A.

NOTE These refinements are necessary due to the introduction of new <Sector>-specific controls in this document.

All other requirements in ISO/IEC 27001:2013, Clauses 4 to 10, shall apply unchanged. There are no additional or refined requirements specific to <Sector>.

{If the sector-specific standard does not have sector-specific clauses, control objectives or controls additional to, or modified from, ISO/IEC 27002, but has implementation guidance or other information additional to, or modified from, ISO/IEC 27002, always insert the following text.}

All requirements from ISO/IEC 27001:2013, Clauses 4 to 10, shall apply unchanged. There are no additional or refined requirements specific to <Sector>.

4.3 <Sector>-specific guidance related to ISO/IEC 27002

{Always insert the following text.}

Sector-specific guidance related to ISO/IEC 27002 is specified in Clauses 5 to 18 where applicable. All clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002, where only their (sub)clause headings appear below (but no further guidance), apply unchanged.

{For Clauses 5 to 18 of this template, insert all numbers and titles in ISO/IEC 27002:2013, Clauses 5 to 18 (i.e. mirror the clause structure provided in ISO/IEC 27002).}

{Insert the sector-specific clauses, control objectives, controls, implementation guidance and other information additional to or modified from ISO/IEC 27002 under the relevant clauses of ISO/IEC 27002. Number additional clauses, control objectives or controls in the same format as ISO/IEC 27002, but with a prefix for the sector of at least three letters.

EXAMPLE 6.1.6 ENR ― Identification of risks related to external parties

When considering new control objectives, controls, implementation guidance and/or other information, check first whether it is related to existing ISO/IEC 27002 content. If it is, modify the relevant ISO/IEC 27002 content. If there is no relation, place the additional content after the clauses, control objectives and controls from ISO/IEC 27002 (see also 6.3). Number those modified or additional sector-specific clauses, control objectives or controls in accordance with the above instruction.}

{Indicate sector-specific clauses that are additional to ISO/IEC 27002 by insertion of the following text.}

Additional clause for ISO/IEC 27002

{Indicate sector-specific control objectives that are additional to ISO/IEC 27002 by insertion of the following text at the end of the appropriate clause.}

Additional control objective for ISO/IEC 27002:2013,

{Indicate sector-specific controls that are additional to ISO/IEC 27002:2013 by insertion of the following text at the end of the appropriate control objective; ensure that the control objective reflects the additional sector-specific controls.}

Additional control for ISO/IEC 27002:2013,


{When modifying a control objective, control, implementation guidance or other information, for example, by modifying or adding to existing text, repeat as much as necessary from ISO/IEC 27002 for understanding. Denote sector-specific modifications of control objectives or controls in ISO/IEC 27002 by insertion of one of the following, as required.}

is modified as follows.

{or}

is modified as follows.

{Where the existing text of a control is not modified, only additional guidance given, insert one of the following headings, as required.}

Additional implementation guidance for ISO/IEC 27002:2013,

Additional other information for ISO/IEC 27002:2013,

{If possible, show added or modified text by use of italics. If text from ISO/IEC 27002 is reproduced in the sector-specific standard, it shall be distinguished from the other elements of the sector-specific standard.}

{If there is no sector-specific content to the specific clause or subclause in ISO/IEC 27002, insert the following text under the clause or subclause title.}

No additional information specific to <Sector> for ISO/IEC 27002:2013, .

{If the sector-specific standard has sector-specific clauses, control objectives or controls additional to, or modified from, ISO/IEC 27002:2013, add an Annex A in the same way as ISO/IEC 27001:2013, Annex A, and replace, where applicable, the occurrence of “should” by “shall”. Give the annex the following heading and title.}

Annex A lists the <Sector>-specific reference control objectives and controls which shall be applied as additions to ISO/IEC 27001:2013, Annex A, as specified in 4.1.

Annex A
(normative)
<Sector>-specific reference control objectives and controls

{Introduce Table A.1 in the same format as ISO/IEC 27001:2013, Annex A, with the following text.}

The additional or modified control objectives and controls listed in Table A.1 are directly derived from and aligned with those defined in this document and are to be used in context with ISO/IEC 27001:2013, 6.1.3, as refined by this document.


Annex C
(informative)
Explanation of the advantages and disadvantages of numbering approaches used within Annex B

C.1 General

Clauses B.2 and B.3 apply the following two different numbering approaches on how to present sector-specific clauses, control objectives, controls, implementation guidance and other information related to ISO/IEC 27002:

— B.2 presents a numbering approach to indicate all sector-specific contents with a three-letter prefix within Clause 6 of the sector-specific standard (see C.2);

— B.3 presents a numbering approach in accordance with the clause/subclause numbers of ISO/IEC 27002:2013 (see C.3).

This annex lists advantages and disadvantages of the approaches so that users of this document can select the approach which is suitable to their standards.

C.2 Numbering approach to indicate all sector-specific contents with a three-letter prefix in Clause 6 of the sector-specific standard

C.2.1 Concept

Numbers and titles with a three-letter prefix for the sector (along with the subclause number of the sector-specific document) are used as the titles of subclauses in Clause 6 for additional or modified clauses, control objectives, controls, implementation guidance and other information.

EXAMPLE 6.2 CLD 5.1.1 Policies for information security

This approach was developed to avoid duplication with ISO/IEC 27002 so as to simplify and shorten sector-specific standards.

C.2.2 Advantages

This approach makes it possible for a sector-specific standard to link back to ISO/IEC 27002 without gaps in the numbering by using the number of ISO/IEC 27002 with the prefix of each sector-specific standard as a part of the titles of (sub)clauses that have sector-specific content. The sector-specific standard can be concise, specifically if it has a small number of (sub)clauses containing sector-specific contents. (Sub)clauses of ISO/IEC 27002 without any sector-specific content do not have to be repeated in a sector-specific standard.

C.2.3 Disadvantages

Sector-specific additional controls are difficult to find in the main body of the standard because both additional controls and controls of ISO/IEC 27002 that have additional or modified implementation guidance or other information bear common three-letter prefixes. However, they are easily identified in Annex A of the sector-specific standard created in accordance with the template in B.2.

Clause 6 of a sector-specific standard can become quite long since all the sector-specific guidance for ISO/IEC 27002:2013, Clauses 5 to 18, is included in it.

C.3 Numbering approach in accordance with clause/subclause numbers of ISO/IEC 27002

C.3.1 Concept

All numbers and titles in ISO/IEC 27002:2013, Clauses 5 to 18, are used to indicate relevant sector-specific implementation guidance/other information, and a three-letter prefix for the sector is attached to the title of a (sub)clause so as to indicate additional sector-specific clauses, control objectives or controls:

EXAMPLE

6 Organization of information security
6.1 Internal organization
……
6.1.6 ENR ― Identification of risks related to external parties

C.3.2 Advantages

It makes it possible for sector-specific standards to have the same structure as ISO/IEC 27002, instead of stating all sector-specific guidance within Clause 6 of the sector-specific standard. Thus, it is possible to easily make the link between (sub)clauses of ISO/IEC 27002 (i.e. clauses, control objectives, controls, implementation guidance and other information) and those with added/modified text in sector-specific standards. Additional sector-specific controls are easily identifiable in the main body of the text by the three-letter prefix, which is used only for additional/modified controls.

C.3.3 Disadvantages

Unnecessary (sub)clauses of ISO/IEC 27002 without any sector-specific content have to be included in a sector-specific standard. In other words, if the sector-specific standard only has a few sector-specific (sub)clauses, the standard has to have a lot of (sub)clauses consisting only of headlines and short template text.


Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).

This document explains how to:

— include requirements in addition to those in ISO/IEC 27001,

— refine or interpret any of the ISO/IEC 27001 requirements,

— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,

— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,

— add guidance to or modify the guidance of ISO/IEC 27002.

This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.

This document is applicable to those involved in producing sector-specific standards.


2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at http://www.electropedia.org/

3.1
interpret
interpretation
explanation of an ISO/IEC 27001 requirement in a sector-specific context which does not invalidate any of the ISO/IEC 27001 requirements

Note 1 to entry: The explanation can pertain to either a requirement or guidance.

3.2
refine
refinement
supplementation or adaptation of an ISO/IEC 27001 requirement in a sector-specific context which does not remove or invalidate any of the ISO/IEC 27001 requirements

4 Overview of this document

4.1 General

ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO/IEC 27001 states that its requirements are generic and are intended to be applicable to all organizations, regardless of type, size or nature. ISO/IEC 27001:2013, Annex A, provides control objectives and controls. ISO/IEC 27001 requires an organization to “determine all controls that are necessary to implement the information security risk treatment option(s) chosen [see 6.1.3 b)]”, and “compare the controls determined in 6.1.3 b) above with those in [ISO/IEC 27001:2013,] Annex A, and verify that no necessary controls have been omitted [see 6.1.3 c)]”. The guidance on the control objectives and controls of ISO/IEC 27001:2013, Annex A, is included in ISO/IEC 27002.

ISO/IEC 27002 provides guidelines for information security management practices including the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment. The guidelines have a hierarchical structure that consists of clauses, control objectives, controls, implementation guidance and other information. The guidelines of ISO/IEC 27002 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. While ISO/IEC 27001 and ISO/IEC 27002 are widely accepted in organizations, including commercial enterprises, government agencies and not-for-profit organizations, there are needs for sector-specific versions of these standards.


BS ISO/IEC 27009:2020 specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.

BS ISO/IEC 27009:2020 is applicable to those involved in producing sector-specific standards.

This second edition cancels and replaces the first edition (ISO/IEC 27009:2016), which has been technically revised.

The main changes compared to the previous edition are as follows:

— the scope has been updated to more clearly reflect the content of this document;

— former Annex A has been divided into Annexes A and B;

— Annex C has been created.

Additional guidance

Addition of clauses, control objectives, controls, implementation guidance and other information to ISO/IEC 27002 is permitted.

Where applicable, clauses, control objectives, controls, implementation guidance and other information additional to ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.

Before specifying additional clauses, control objectives or controls, entities producing sector-specific standards related to ISO/IEC 27001 should consider whether a more effective approach would be to modify existing ISO/IEC 27002 content, or achieve the desired result just through the addition of sector-specific control objectives (instead of adding clauses), controls (instead of control objectives),implementation guidance and other information (instead of controls) to the existing ISO/IEC 27002 content.

Modified guidance

Clauses, controls and their control objectives contained in ISO/IEC 27002 shall not be modified.

If there is a sector-specific need to include a control objective that contradicts a control objective contained in ISO/IEC 27002, a new sector-specific control objective shall be introduced. The new control objective shall have at least one sector-specific control. If there is a sector-specific need to include a control that contradicts a control contained in ISO/IEC 27002, a new sector-specific control shall be introduced.

Modification of implementation guidance and other information from ISO/IEC 27002 is permitted.

Where applicable, modified clauses, control objectives, controls, implementation guidance and other information from ISO/IEC 27002 shall follow the requirements and guidance set out in Annex B.


BS ISO/IEC 27009:2020

Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements.

1 Scope

BS ISO/IEC 27009 specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).

BS ISO/IEC 27009 explains how to:

— include requirements in addition to those in ISO/IEC 27001;

— refine or interpret any of the ISO/IEC 27001 requirements;

— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002;

— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002;

— add guidance to or modify the guidance of ISO/IEC 27002.

BS ISO/IEC 27009 specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.

BS ISO/IEC 27009 is applicable to those involved in producing sector-specific standards.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

Other organizations have also produced standards addressing sector-specific needs.

Sector-specific standards should be consistent with the requirements of the information security management system. BS ISO/IEC 27009 specifies requirements on how to create sector-specific standards that extend ISO/IEC 27001 and complement or amend ISO/IEC 27002 (see Clause 1).

BS ISO/IEC 27009 assumes that all requirements from ISO/IEC 27001 that are not refined or interpreted, and all controls in ISO/IEC 27002 that are not modified, apply in the sector-specific context unchanged.

4.2 Structure of this document

Clause 5 provides requirements and guidance on how to make additions to, refinements of, or interpretations of ISO/IEC 27001 requirements.

Clause 6 provides requirements and guidance on how to provide control clauses, control objectives, controls, implementation guidance or other information that are additional to or modify ISO/IEC 27002 content.

Annex A contains a template which shall be used for sector-specific standards related to ISO/IEC 27001.

Annex B contains two templates which shall be used for sector-specific standards related to ISO/IEC 27002.

For sector-specific standards related to both ISO/IEC 27001 (see Clause 5) and ISO/IEC 27002 (see Clause 6), both Annex A and Annex B apply.

Annex C provides explanations about advantages and disadvantages of two different numbering approaches applied in the two templates in Annex B.

In this document, the following concepts are used to adapt ISO/IEC 27001 requirements for a sector:

— addition — see 5.2;

— refinement — see 5.3;

— interpretation — see 5.4.

In BS ISO/IEC 27009, the following concepts are used to adapt ISO/IEC 27002 guidance for a sector:

Addition of requirements to ISO/IEC 27001 requirements is permitted.

EXAMPLE A sector which has additional requirements for an information security policy can add them to the requirements for the policy specified in ISO/IEC 27001:2013, 5.2.

No requirement that is added to those in ISO/IEC 27001 shall remove or invalidate any of the requirements defined in ISO/IEC 27001.

Where applicable, sector-specific additions to ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

5.3 Refinement of requirements in ISO/IEC 27001

Refinement of ISO/IEC 27001 requirements is permitted.

NOTE Refinements do not remove or invalidate any of the requirements in ISO/IEC 27001 (see 3.2).

Where applicable, sector-specific refinements of ISO/IEC 27001 requirements shall follow the requirements and guidance set out in Annex A.

EXAMPLE 1 A sector-specific standard could contain controls additional to ISO/IEC 27001:2013, Annex A. In this case, the requirements related to information security risk treatment in ISO/IEC 27001:2013, 6.1.3 c) and d) need to be refined to include the additional controls given in the sector-specific standard.

Specification of a particular approach to meeting requirements in ISO/IEC 27001 is also permitted.

EXAMPLE 2 A particular sector has a prescribed way to determine the competence of people working within the scope of the sector-specific management system. This requirement could refine the general requirement in ISO/IEC 27001:2013, 7.2.

5.4 Interpretation of requirements in ISO/IEC 27001

Interpretation of ISO/IEC 27001 requirements is permitted.

NOTE Interpretations do not invalidate any of the ISO/IEC 27001 requirements but explain them or place them into sector-specific context (see ii).

Where applicable, sector-specific interpretations of ISO/IEC 27001 requirements shall follow the

Each control shall only contain one instance of the word 'should'.

NOTE In ISO/IEC 27001, information security risk treatment requires an organization to state the controls that have been determined, the justification for inclusions, and the justification for exclusions of controls from ISO/IEC 27001:2013, Annex A. Having only one use of 'should' within a control statement eliminates the possibility of ambiguity over the scope of the control.

