As NZS ISO IEC 27001-2006 Information Technology - Security Techniques - Information Security Management Syst


  • 7/31/2019 As NZS ISO IEC 27001-2006 Information Technology - Security Techniques - Information Security Management Syst

    1/12

    AS/NZS ISO/IEC 27001:2006

    Information technology - Security techniques - Information security management systems - Requirements


    This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification. It was approved on behalf of the Council of Standards Australia on 19 May 2006 and on behalf of the Council of Standards New Zealand on 2 June 2006. This Standard was published on 23 June 2006.

    The following are represented on Committee IT-012:

    Attorney-General's Department

    Australian Association of Permanent Building Societies

    Australian Bankers Association

    Australian Chamber of Commerce and Industry

    Australian Electrical and Electronic Manufacturers Association

    Certification Forum of Australia

    Department of Defence

    Department of Social Welfare, NZ

    Government Communications Security Bureau, NZ

    Internet Industry Association

    NSW Police Service

    New Zealand Defence Force

    Reserve Bank of Australia

    Keeping Standards up-to-date

    Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased.

    Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.standards.com.au or the Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue.

    Alternatively, both organizations publish an annual printed Catalogue with full details of all current Standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization.

    We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover.

    This Standard was issued in draft form for comment as DR 06091.


    Australian/New Zealand Standard

    Information technology - Security techniques - Information security management systems - Requirements

    Originated as part of AS/NZS 4444:1996. Previous edition AS/NZS 7799.2:2003. Jointly revised and redesignated as AS/NZS ISO/IEC 27001:2006.

    COPYRIGHT

    Standards Australia/Standards New Zealand

    All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher.

    Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6020

    ISBN 0 7337 7497 0


    PREFACE

    This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Systems, Security and Identification to supersede AS/NZS 7799.2:2003, Information security management, Part 2: Specification of information security management systems.

    This Standard is identical with, and has been reproduced from, ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements. It represents both an update to the existing ISMS standard (AS/NZS 7799.2:2003) and the adoption of the revised ISO numbering convention which will gather the core information security standards together into the newly allocated 27000 series.

    The objective of this Standard is to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof (see Annex B, which provides informative guidance on the use of this Standard).

    The ISMS is designed to ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image.

    As this Standard is reproduced from an international standard, the following applies:

    (a) Its number appears on the cover and title page while the international standard number appears only on the cover.

    (b) In the source text, 'this International Standard' should read 'this Australian/New Zealand Standard'.

    (c) A full point substitutes for a comma when referring to a decimal marker.

    References to International Standards should be replaced by references to Australian or Australian/New Zealand Standards, as follows:

    Reference to International Standard: ISO/IEC 17799, Information technology - Security techniques - Code of practice for information security management

    Australian/New Zealand Standard: AS/NZS 17799, Information technology - Code of practice for information security management

    The terms 'normative' and 'informative' have been used in this Standard to define the application of the annex to which they apply. A normative annex is an integral part of a Standard, whereas an informative annex is only for information and guidance.


    CONTENTS

    Page

    1 Scope .... 1
    1.1 General .... 1
    1.2 Application .... 1
    2 Normative references .... 1
    3 Terms and definitions .... 2
    4 Information security management system .... 3
    4.1 General requirements .... 3
    4.2 Establishing and managing the ISMS .... 4
    4.2.1 Establish the ISMS .... 4
    4.2.2 Implement and operate the ISMS .... 6
    4.2.3 Monitor and review the ISMS .... 6
    4.2.4 Maintain and improve the ISMS .... 7
    4.3 Documentation requirements .... 7
    4.3.1 General .... 7
    4.3.2 Control of documents .... 8
    4.3.3 Control of records .... 8
    5 Management responsibility .... 9
    5.1 Management commitment .... 9
    5.2 Resource management .... 9
    5.2.1 Provision of resources .... 9
    5.2.2 Training, awareness and competence .... 9
    6 Internal ISMS audits .... 10
    7 Management review of the ISMS .... 10
    7.1 General .... 10
    7.2 Review input .... 10
    7.3 Review output .... 11
    8 ISMS improvement .... 11
    8.1 Continual improvement .... 11
    8.2 Corrective action .... 11
    8.3 Preventive action .... 12
    Annex A (normative) Control objectives and controls .... 13
    Annex B (informative) OECD principles and this International Standard .... 30
    Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard .... 31
    Bibliography .... 34


    0 Introduction

    0.1 General

    This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.

    This International Standard can be used in order to assess conformance by interested internal and external parties.

    0.2 Process approach

    This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.

    An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.

    The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a process approach.

    The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:

    a) understanding an organization's information security requirements and the need to establish policy and objectives for information security;

    b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

    c) monitoring and reviewing the performance and effectiveness of the ISMS; and

    d) continual improvement based on objective measurement.

    This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and through the necessary actions and processes produces information security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8.

    The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) 1) governing the security of information systems and networks. This International Standard provides a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.

    1) OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org


    EXAMPLE 1

    A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.

    EXAMPLE 2

    An expectation might be that if a serious incident occurs (perhaps hacking of an organization's eBusiness web site) there should be people with sufficient training in appropriate procedures to minimize the impact.

    [Figure 1: the information security requirements and expectations of interested parties enter the cycle and managed information security is delivered back to interested parties. The cycle runs Plan (Establish ISMS), Do (Implement and operate the ISMS), Check (Monitor and review the ISMS) and Act (Maintain and improve the ISMS).]

    Figure 1 - PDCA model applied to ISMS processes

    Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.

    Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

    Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

    Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

    0.3 Compatibility with other management systems

    This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.

    This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.


    AUSTRALIAN/NEW ZEALAND STANDARD

    Information technology - Security techniques - Information security management systems - Requirements

    IMPORTANT: This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with an International Standard does not in itself confer immunity from legal obligations.

    1 Scope

    1.1 General

    This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

    The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

    NOTE 1: References to 'business' in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence.

    NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.

    1.2 Application

    The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.

    Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

    NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

    2 Normative references

    The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

    ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information security management


    3 Terms and definitions

    For the purposes of this document, the following terms and definitions apply.

    3.1 asset
    anything that has value to the organization
    [ISO/IEC 13335-1:2004]

    3.2 availability
    the property of being accessible and usable upon demand by an authorized entity
    [ISO/IEC 13335-1:2004]

    3.3 confidentiality
    the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
    [ISO/IEC 13335-1:2004]

    3.4 information security
    preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
    [ISO/IEC 17799:2005]

    3.5 information security event
    an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
    [ISO/IEC TR 18044:2004]

    3.6 information security incident
    a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
    [ISO/IEC TR 18044:2004]

    3.7 information security management system
    ISMS
    that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

    NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

    3.8 integrity
    the property of safeguarding the accuracy and completeness of assets
    [ISO/IEC 13335-1:2004]

    3.9 residual risk
    the risk remaining after risk treatment
    [ISO/IEC Guide 73:2002]


    3.10 risk acceptance
    decision to accept a risk
    [ISO/IEC Guide 73:2002]

    3.11 risk analysis
    systematic use of information to identify sources and to estimate the risk
    [ISO/IEC Guide 73:2002]

    3.12 risk assessment
    overall process of risk analysis and risk evaluation
    [ISO/IEC Guide 73:2002]

    3.13 risk evaluation
    process of comparing the estimated risk against given risk criteria to determine the significance of the risk
    [ISO/IEC Guide 73:2002]

    3.14 risk management
    coordinated activities to direct and control an organization with regard to risk
    [ISO/IEC Guide 73:2002]

    3.15 risk treatment
    process of selection and implementation of measures to modify risk
    [ISO/IEC Guide 73:2002]

    NOTE: In this International Standard the term 'control' is used as a synonym for 'measure'.

    3.16 statement of applicability
    documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS.

    NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the organization's business requirements for information security.
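The definitions in 3.9 to 3.16 form one chain: risk analysis estimates a risk, risk evaluation compares it against the risk criteria, risk treatment selects controls that modify it, what is left is the residual risk, an accountable person records the acceptance decision, and the statement of applicability documents which controls are applicable and why. The following Python model walks that chain over a small constructed risk register. It is an added illustration, not text or code from the standard: the standard does not prescribe any scoring scheme, so the likelihood-times-impact scale, the single numeric acceptance threshold, the fixed reductions per control and the asset, threat and control names are all assumptions made for the example.

```python
"""Worked model of the clause 3 risk vocabulary (added example, not part of the standard).

Assumptions (not prescribed by the standard): risk is estimated as likelihood x impact on
1..5 scales, the risk criterion is a single numeric acceptance threshold, and a control
lowers likelihood and/or impact by a fixed amount. All names and scores are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    ref: str                     # identifier in the organization's control catalogue (constructed)
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str                   # 3.1 asset: anything that has value to the organization
    threat: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    treatments: list[Control] = field(default_factory=list)
    accepted_by: str | None = None   # 3.10: the recorded decision of an accountable person

    def estimated_risk(self) -> int:
        """3.11 risk analysis: estimate the risk before any treatment."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """3.9 residual risk: the risk remaining after risk treatment (3.15)."""
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.treatments))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.treatments))
        return lk * im


def evaluate(risk_level: int, acceptance_threshold: int) -> bool:
    """3.13 risk evaluation: compare the estimated risk against the given risk criteria.
    Returns True when the risk is within the acceptance criterion."""
    return risk_level <= acceptance_threshold


def treat(risk: Risk, candidates: list[Control], acceptance_threshold: int) -> Risk:
    """3.15 risk treatment: select controls, in the order the assessor proposed them, until the
    residual risk meets the criterion. A candidate that does not lower the risk is not kept."""
    for control in candidates:
        if evaluate(risk.residual_risk(), acceptance_threshold):
            break
        before = risk.residual_risk()
        risk.treatments.append(control)
        if risk.residual_risk() >= before:
            risk.treatments.pop()
    return risk


def accept(risk: Risk, accountable_person: str, acceptance_threshold: int) -> bool:
    """3.10 risk acceptance. This model only records acceptance when the residual risk meets
    the criterion; clause 1.2 requires any departure from that to be justified and evidenced."""
    if not evaluate(risk.residual_risk(), acceptance_threshold):
        return False
    risk.accepted_by = accountable_person
    return True


def statement_of_applicability(register: list[Risk], catalogue: list[Control]) -> dict[str, dict]:
    """3.16 statement of applicability: for each catalogue control, whether it is applicable
    and the assessed risks that justify it; unused controls are recorded with the reason."""
    soa = {}
    for control in catalogue:
        justified_by = [f"{r.asset}/{r.threat}" for r in register if control in r.treatments]
        soa[control.ref] = {
            "applicable": bool(justified_by),
            "justification": justified_by or ["no assessed risk requires this control"],
        }
    return soa


# Constructed sample catalogue and criterion (not from the standard).
CATALOGUE = [
    Control("C-01", "Access control on the customer database", likelihood_reduction=2),
    Control("C-02", "Encrypted backups held off-site", impact_reduction=2),
    Control("C-03", "Visitor sign-in at reception", likelihood_reduction=1),
]
ACCEPTANCE_THRESHOLD = 6   # risk criterion: a residual risk of 6 or less is acceptable


def run_cycle() -> tuple[list[Risk], dict[str, dict]]:
    """Analyse, evaluate, treat and accept each risk in a constructed register, then build the SoA."""
    register = [
        Risk("customer database", "unauthorised disclosure", likelihood=4, impact=5),
        Risk("customer database", "loss of backups", likelihood=2, impact=5),
        Risk("staff notice board", "outdated content", likelihood=3, impact=1),
    ]
    candidates = {0: [CATALOGUE[0], CATALOGUE[1]], 1: [CATALOGUE[1]], 2: []}
    for index, risk in enumerate(register):
        if not evaluate(risk.estimated_risk(), ACCEPTANCE_THRESHOLD):
            treat(risk, candidates[index], ACCEPTANCE_THRESHOLD)
        accept(risk, "Chief Information Security Officer", ACCEPTANCE_THRESHOLD)
    return register, statement_of_applicability(register, CATALOGUE)


if __name__ == "__main__":
    register, soa = run_cycle()
    for r in register:
        print(f"{r.asset}/{r.threat}: estimated {r.estimated_risk()}, "
              f"residual {r.residual_risk()}, accepted by {r.accepted_by}")
    for ref, entry in soa.items():
        print(ref, entry)
```

Two points the model makes visible that the definitions alone do not: a control that lowers nothing is not a treatment and is dropped, and a control that no assessed risk calls for appears in the statement of applicability as not applicable with its reason, which is exactly the justification clause 1.2 asks for when controls are excluded.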

    4 Information security management system

    4.1 General requirements

    The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. For the purposes of this International Standard the process used is based on the PDCA model shown in Figure 1.
