1、ISO/IECTSTECHNICA1.27022SPECIFICATIONeditionFirst2021-03Informationtechno1.ogyGuidanceoninformationsecuritymanagementsystemprocessesCOPYRIGHTPROTECTEDDOCUMENTIS0/1EC2021M11chefivdi1.itedotherwise*ri快ChBxXniEX1.msitRiDhmw;ItmiihrCoPwnR.pnttjuiionpostingontheinternetoranInunnu1.withoutpriorwrittenperm
2、ission.PermissioncanberequestedfromeitherISOatt1.addressbe1.oworISO*smemberhodyinthecountryofth?rrcucstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.andISO/IEC2021-A1.1.rightsreservedContentsPageForewordivIntroductionv2 Scope13 Normativereferences14 Termsanddefinition
3、s15 Structureandusageofthisdocument26 Overview3Managementprocesses.61raI7 6.2Informationsecuritygovernance/managcmentinterfaceprocess.7CorePiaOCeSSOS971GeneI31)7.2 Securitypo1.icymanagementProCeSS97.5 RifqiinietiontBeDunkjgririentapFoseJiqMrocess107.6 Informationsecurityrisktreatmentprocess147.7 Sec
4、urityimp1.ementationmanagementprocess177.8 ProcesstocontFf三三r三csandcomPe1.ence197.9 Informationsecurityincidentmanagementprocess.227.10 Informationsecuritychangemanagementprocess25羽,1.fiW,Wy6ffi)nPr5?.278 7.13Informationsecurityimprovementprocess31Supportprocesses3381raI338.2 Recordscontro1.process3
5、38.3 MMmicationmanQHBraU)C0358.5 Informationsecuritycustomerre1.ationshipmanagementprocess.39AnnexA(informative)Statementofconformityto1SOIEC3300441Bib1.iography“一一“一一M43ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.(ironnwm&MiJform1.SOthjififi
6、qJatemtfd1.t1.entstartiBtdraatua1.NStudrirdsbodiesthmitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interest.Othernj11adonaramtionsrgovernmenta1.andnon-governmenta1.,in1.iaisonwithISOand1EC,a1.soTheprocedu
7、resusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceare咽6WifetfIH8节es1.9tfIBMn映丽屈.piJtaFA三Htt三ft酮疝or刷Mdcdtheeditoria1.ru1.esofthe1SOIECDirectives.Part2(seewww.iso.org/direc1.ives).曲麻环迎男裆Wn用印品保节麴IJiRa郴a依曲,鸥跟炳Mc曲廨膈出阴胀叫y忸a嘱刚郃*ubjcc1.rights.Detai1.sofanypatentrightsidentifiedduringthede
8、ve1.opmentot4h*domkMw,I1.beintheIntroductionand/orontheISO1.istofPaWHJa)*4kmsreceived(seewww.iso.org/pa1.ents)ortheIEC1.istofpatentdec1.arationsreceived(seePaterHSjeCCh).nytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.tp侬SiOnSeX岬tmbcfcttbwMyam
9、三IenPa用NhdardsNitomantogMoutISCKpodtiaifiUnXihXhdWoHd存Organization(VVrTO)princip1.esintheTechnica1.BarrierstoTrade(TBT),seewww.iso.org/iso/foreword.htm1.砧除喉gSC祕A碎H阐切踊眄楞Bis1.?CUmWeHMM出监XSO/I邮油econ.Wbrmahontechno1.ogy.Anyfeedbackorquestionsonthisdocumentshou1.dbedirectedtotheuser,snationa1.standardsbo
10、dy.Acomp1.ete1.istingofthesebodiescanbefoundatwww.iso.org/members.1.Hm1.IntroductionAninformationsecuritymanagementsystem(ISMS)inc1.udesaco1.1.ectionofinteractingprocessesandfoofrMWdto9nwfa11DgtiMagRroetwhichThidiUtanattaDfYBddSMrQcereJirrmet)noddItraW如escontro1.sinitia1.edbythem.M触器嘲加都骁Ru温晶催de郴F肿斓h
11、epfg蹄潞解国照Mnten?AJCeSSeSpurp1.融中建龈,mapractica1.app1.icationcanrequireadditiona1.e1.ementssuitedtotheenvironmentandcircumstances.ieiJ?限e捣愉fi曲WM箱破加癌麻帼就秋麻魁盛Simp1.iedbyISO/IEC27001.ThePRMAnyorganizationcandefineprocesseswithadditiona1.e1.ementsinordertotai1.orittoitsspecific1P醐蹩g%需小设Ih辖Ki触!甲E&einBF*目。E&S
12、B群FSFgdR1.g第8券部品KRS坦KG假郴海tsISO/IEC2021-A1.1.rightsreservedInformationtechno1.ogyGuidanceoninformationsecuritymanagementsystemprocesses1ScopeThisdocumentdefinesaprocessreferencemode1.(PRM)forthedomainofinformationseritySerti6riaMjEtgOft1.2SOIEC33004forprocessreferencemode1.s(see一incorporatetheprocess
13、approachasdescribedbyISO/IEC27000:2018,4.3.withintheISMS;pt,fc1.f1.tSYifttfifonc15W1standardsoftheISO/IEC27000fami1.yfromthe-supportusersintheoperationofanISMS-thisdocumentiscomp1.ementingtherequirements-orientedperspectiveOf2 Normativereferences1.SO/IEC27003withanoperationa1.process-orientedpointof
14、view.琳r:Thisdefinitionre1.iesonandextendsthedefinitionsinISO9000:2015andISO38500:2015.Note2tocntrr:Inthisdefinition,*corccompetencyisunderstoodasthesetofski1.1.sandknow-howpresentwithinamanagementsystem,direct1.ya1.ignedwiththeobjectivesofthemanagementsystem,supportingtheachievementoftheobjectivesan
15、dnote1.sewherepresentwithintheorganizationatacompetitive1.eve1.integratedmanagementsystemIMSmanagementsystemthatintegratesa1.1.ofanorganizationsystems-1.ikeinformationsecuritymanagementandbusinesscontinuitymanagement-andprocessesintoonecomp1.eteframeworkenab1.inganorganizationtoworkasasing1.eunitwit
16、hunifiedobjectivesISO/IEC2021-A1.1.rightsreserved3.3keygoa1.indicatorCatOrthatisanex-postmeasurefortheachievementofagoa1./objectivekeyperformanceindicator生gicatorthatisanex-antemeasure,whicha1.1.owapredictionifagoa1./objectiveisachievedinthefuturemanagementprocessprocessthatdefinestheobjectivesofthe
17、managementsystemtoachievethestrategicobjectivessetbytheorganizationsgoverningbodyNote1toentry:Thisdefinitionre1.iesonandextendsthedefinitionsinISO9000:2015andISO/IEC38500:2015.3.6supportprocessprocessthatsupportscoreprocessesbyprovidingandmanagingnecessaryresourceswithoutde1.iveringdirectCUStOmerva1
18、ueNote1toentry:Thisdefinitionre1.icsonandextendsthedefinitionsinISO9000:2015andISO/IEC38500:2015.4 StructureandusageofthisdocumentTheobjectiveofthisdocumentistoguidetheusersofISO/IEC27001ontheoperationoftheISMS.Noadditiona1.requirementsaredefinedwithinthisdocument.Itisnotintendedtobeusedoutofthebox
19、withoutadaptingittotheimp1.ementingorganizationanditshou1.dnotbeusedasrequirementswithinISMScertificationaudits.AthB0Hdmprucercgardingtocontro1.info11natioutsourccds(?rity.servires:Auditreportsforscn,ktActiritiesfunctions-emergi11g1.ktc11niDetvh(ogjc5ccffectsandandinnv/xionsimpartoffortre11dsbeISMs
20、XhaIgcSinther11ronmx,-Identifyrootcausesofnonconformities.-MSunRmricK1.kaIhSi呻TWen”3m市向Gm1.Methemi2aiHw1.MHsttnwSMS叫必Qdi11ireroc(References-ISO/IEC27003:2017.10.1and10.28Supportprocesses8.1 Genera1.Thisc1.ausedescribesexamp1.esupportprocessesthatcanbefoundinanISMS.TheconceptsandPbnpestfsanewiMjiiied
21、inip1.etheHftitionepnaipitprocessesshou1.dbeconsideredduringtheprocessp1.anning8.2 Recordscontro1.processTab1.e14Processprofi1.eRecordscontro1.processProcessnameRecordscontro1.processProcesscategorySupportprocessObjective/purposes-SUitabiIityEiisureappropriateandadequac)-)dentification.ofrecords.des
22、ciption.format,reviewandIPPrOVa1.Actiritiesfunctions Definewhatshou1.dherecorded,towhatextent一Create/fi1.erecords. Accessandprotectrecords. process).1.dcntifyperiodofretention(partia1.1.yavai1.ab1.easinputfromtherequirementsReferences1SO1EC27003:2017.7.58.3 ResourcemanagementprocessTab1.e15Processpr
23、ofi1.eResourcemanagementprocessProcessnameResourcemanagementprocessProcesscategorySupportprocessInputResu1.ts-fccswFoISXSttnffuitrrwce;MK5即赶口”rtfcfcrm2ficfedfjfIeCKyqeafttWMiw胖rfctMtiesfunct1.ons-iSNSCatjraebutto11trdsandcrattk-adifkrcrtutirafurrfriothersnadricpiftmeDtsbrtuwnrott11)B(urdribytheCommu
24、nicatenecessaryresourcesto:-rexuroU凉cwm山r11抗HHasErproityrsEWreamf1.fc5k11rxmitf1.trrip11iftc(Hossrynirn-thecommunicationprocess-regardingtheISMScontro1.s.A1.1.ocatenecessaryresourcesforapprovedcontro1.sfundedbytheISMS.一Permanent1.ymonitorISMSresourceusageandupdateresourcea1.1.ocation.-Deve1.opandcom
25、municatereportsregardingresourceusageofISMScoreReferences-ISO/IEC27003:2017,6.2and7.1ProcessnameCommunicationprocessInputnktfctWXCttrt Fromsecuritypo1.icymanagementprocess:ISpo1.icies. Fromrecordscontro1.process:Appropriatedocumentsandnecessaryrecords. Fromresourcemanagementprocess:reportsregardingr
26、esourceusageforISMScontro1.s:-estimationofnecessaryresourcestooperatetheISMScoreprocesses.infornanonFromrequirementSSeeUrity.managementprocess:AssignedrequirementsResu1.ts-Forrecordscontro1.process:mmunicationp1.anfornorma1.operationsandemergencysituations;ctivitiesfunct1.ons-Dcvc1.opupdatcriskcommu
27、nicationp1.ansforemergencysituations.Executecommunicationp1.ans.1.eamfrompreviousmmunication.Requ:rc11entsmaMcfncnpneSwurityPoIXymnRrourcD0errcbtonshmanagementPfxKEPcrHnaucm1.uatioaprocess1.nforautkmSOCUrttyrts1.ca%M%Mnmtp11RMUme*rvv*vF-IuMWa(IMIneema1.jd*1.P11ch;ra”“1.6,MM0CfMIMMnaPoStMMMyayoef11bA
28、utAftJM4WUCiDeve1.o1.1.pdaeriskCommunkAt1.onphn4fornomu1.operationsIMaTtmuwtiII八t11IInformationsecuntyHSktnurmencprocr(AaMrcpcmAtrMmctkProcesstoconcro!outsourcedservicesDev1.o1.pdaumkCommunkaOonp1.ansforetnercncyKtaUdtiO1.MInforniationsexr1tyInadentmoac*nEPnXBEiecutccommunkSonphuRCKHdrgenerateIntorm
29、ationsoIrIty1.na11uConwruritygenaum4vue11m(nttrdromareto然PMtatiorHCommunicateinformationsecurityPerfOrmanCe/addedva1.uetocustomers.ReferencesISO/IEC27003:2017;4.2,7.4and10.1Figure18Processf1.owchartInformationsecuritycustomerre1.ationshipmanagementprocessAnnexAStatementofconformitytoISO/IEC33004de11
30、nedannexdiscussesWhethcrprocessreferencemode1.s.AccordingrefercnccISO/IECmeeting,*Thcpurposeassessmentmode1.s.*Criteriaforprocessreferencemode1.sdefinedinISO/IEC33004arethefo1.1.owing:management,processreferencedomain,isc1.ear1.ydedicatedtotheuseWithininformationsecurityriskmode1.anditsintendedconte
31、xtofuse.referencemode1.processcontainedintheframeworkmethodprocessesdete11ninenecessarymaturityrneasurementbcavoidcdapproach,rep1.acedtheaprocess-orientedinformationsecurityasaone-timewithinthescopeoftheprocessreferencemode1.:Aprocesssha1.1.bedescribedintermsofitspurposeandprocessoutcomes.b)Thedescr
32、ibedsetofprocessoutcomessha1.1.benecessaryandsufficienttoachievethepurposeofandsufficientfortheOecessarytheandsufficient.processpurposeandtheprocessoutcome54Processdescriptionssha1.1.notcontainorimp1.yaspectsoftheprocessqua1.itycharacteristicbeyondthebasic1.eve1.ofanyre1.evantprocessmeasurementframe
33、workconformantwithISO/IEC33003.d)processoutcomedescribesconstraints1.requirements,goa1.s,etcartifact;asignificantchangeofrequirement.Ingcnera1.,processes.ofISO/IECTR24774wereconsideredwhi1.edefiningISO/IEC2021-A1.1.rightsreserved41(informative)ThisinISO/IEC33004fortheprocessmode1.isaprocesstonodc1.3
34、3004:thecriteriaofaprocessreferencemode1.istodefineasetofprocessesthatco1.1.ective1.yCansupporttheprimaryaimsofacommunityofinterest.Aprocessreferencemode1.providesthebasisforoneormoreprocess1) Aprocessreferencemode1.sha1.1.containadec1.arationofthedomainoftheprocessreferencemode1.TheISMSwhichisamode
35、1.2) Aprocessreferencemode1.sha1.1.containadescriptionofthere1.ationshipbetweentheprocessreferenceTheprocessesoftheISMSprocessreferencemode1.areformu1.atedinagenera1.mannertofitfora1.1.organizationsindependentoftheirsize,objectives,businessmode1.,1.ocationetc.TheISMSprocess1.eve1.foreachshou1.dbeuse
36、dcontextISMStoofthethereferencemode1.shou1.dbetai1.oredtothespecificneedsoftheapp1.yingorganizationandmustbeusedon1.yasastartingpoint.Agenera1.focusonaprocessperspectiveratherthanameasureperspectiveisintended.Aproject,shou1.ddrivenand1.ikebyunderstandingofapproach.3) /1processreferencemode1.sha1.1.containprocessdescriptions,meetingthefo1.1.owingrequirementsa)Processpurposeandoutcomes(resu1.ts)aredescribedwithintheprocessprofi1.es.theprocess.Thesetsofpr
