
BRITISH STANDARD BS 7799-2:1999
Incorporating Amendment No. 1

ICS 35.020; 35.040

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

Information security management
Part 2: Specification for information security management systems

Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:42:59 GMT+00:00 2006, Uncontrolled Copy, (c) BSI

This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Committee and comes into effect on 15 May 1999.

BSI 02-2001

First published as Part 2 February 1998

The following BSI references relate to work on this standard:
Committee reference BDD/2

ISBN 0 580 28280 5

Amendments issued since publication
Amd. No.   Date            Comments
13087      February 2001   Indicated by a sideline.

Committees responsible for this British Standard

The preparation of this British Standard was entrusted to BSI/DISC Committee BDD/2, Information security management, upon which the following bodies were represented:

Association of British Insurers
British Computer Society
British Telecommunications plc
The Business Continuity Institute
Department of Trade and Industry (Information Security Policy Group)
Det Norske Veritas Quality Assurance
HMG Protective Security Authority
HSBC
Indicii Salus
Institute of Chartered Accountants in England and Wales
Institute of Internal Auditors
KPMG plc
L3 Network Security
Lloyds TSB
Logica UK
Marks and Spencer plc
Nationwide Building Society
PCSL
Racal Network Services
RKP Associates
Shell International Petroleum Co Ltd
Unilever plc
Whitbread plc
XiSEC Consultants Ltd/AEXIS Consultants

Contents

Committees responsible
Foreword
1 Scope
2 Terms and definitions
3 Information security management system requirements
3.1 General
3.2 Establishing a management framework
3.3 Implementation
3.4 Documentation
3.5 Document control
3.6 Records
4 Detailed controls
4.1 Security policy
4.2 Organizational security
4.3 Asset classification and control
4.4 Personnel security
4.5 Physical and environmental security
4.6 Communications and operations management
4.7 Access control
4.8 Systems development and maintenance
4.9 Business continuity management
4.10 Compliance
Figure 1 Establishing a management framework
Annex A (informative) Changes to internal numbering
Bibliography

Foreword

This part of BS 7799 has been prepared by BDD/2, Information security management. It supersedes BS 7799-2:1998, which is withdrawn.

BS 7799 is issued in two parts:
Part 1: Code of practice for information security management 1);
Part 2: Specification for information security management systems.

This new edition of BS 7799-2 is required because the numbering system, the control objectives, and the controls given in clause 4 of this part of BS 7799 are directly derived from and aligned with those listed in clauses 3 to 12 of BS 7799-1 1), which has been revised. No other changes have been introduced. As a new edition, this does not represent a full review or revision of the standard, which will be undertaken in due course.

It forms the basis for an assessment of the information security management system (ISMS) of the whole, or part, of an organization. It may be used as a basis for a formal certification scheme.

This specification is based on BS 7799-1, Information security management Part 1: Code of practice for information security management 1), which provides guidance on best practice in support of the requirements of this specification. However, the list of control objectives and controls in clause 4 of this part of BS 7799 is not exhaustive and an organization may consider that additional control objectives and controls are necessary. Not all the controls described will be relevant to every situation, nor can they take account of local environmental or technological constraints, or be present in a form that suits every potential user in an organization.

Organizations need to undertake a risk assessment to identify the most appropriate control objectives and controls to be implemented which are applicable to their own needs. Once identified, these need to be recorded in a statement of applicability. The statement of applicability needs to be accessible to managers, personnel and any third party (e.g. auditors, certifiers, etc.) authorized to have access to it. The control objectives and controls recorded in the statement of applicability, together with the policy and procedure documents and all other relevant records, are known as the organization's ISMS.

The requirements given in clause 4 of this part of BS 7799 are deliberately general in their nature. It is expected that organizations seeking certification will adopt those elements of best practice given in Part 1 1) that the risk assessment demonstrates are most appropriate to their needs. Any conditions associated with a certification scheme will be issued separately under the authority of the scheme owner and do not fall within the scope of this standard. To be certifiable against this British Standard the ISMS will be implemented and maintained to the satisfaction of the third party certification body.

It has been assumed in the drafting of this British Standard that the execution of its provisions is entrusted to appropriately qualified and experienced people.

Annex A is informative and contains a table showing the relationship between the sections of the 1998 edition and the clauses of the 1999 edition.

A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages
This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 11 and a back cover.

The BSI copyright notice displayed in this document indicates when the document was last issued. Sidelining in this document indicates the most recent changes by amendment.

1) Part 1 of BS 7799 has now been adopted by ISO/IEC and is currently available as BS ISO/IEC 17799:2000. BS ISO/IEC 17799:2000 contains a national annex which enables users to quickly identify changes between it and BS 7799-1:1999.

1 Scope

This part of BS 7799 specifies requirements for establishing, implementing and documenting information security management systems (ISMSs). It specifies requirements for security controls to be implemented according to the needs of individual organizations.

NOTE BS ISO/IEC 17799 gives recommendations for best practice in support of the requirements of this specification. The control objectives and controls given in clause 4 of this part of BS 7799 are derived from and aligned with the objectives and controls listed in BS ISO/IEC 17799:2000.

2 Terms and definitions

For the purposes of this part of BS 7799, the definitions given in BS ISO/IEC 17799 apply, together with the following.

2.1 statement of applicability
critique of the objectives and controls applicable to the needs of the organization

3 Information security management system requirements

3.1 General

The organization shall establish and maintain a documented ISMS. This shall address the assets to be protected, the organization's approach to risk management, the control objectives and controls, and the degree of assurance required.

3.2 Establishing a management framework

The following steps shall be undertaken to identify and document the control objectives and controls (see Figure 1).

a) The information security policy shall be defined.
b) The scope of the information security management system shall be defined. The boundaries shall be defined in terms of the characteristics of the organization, its location, assets and technology.
c) An appropriate risk assessment shall be undertaken. The risk assessment shall identify the threats to assets, vulnerabilities and impacts on the organization and shall determine the degree of risk.
d) The areas of risk to be managed shall be identified based on the organization's information security policy and the degree of assurance required.
e) Appropriate control objectives and controls shall be selected from clause 4 for implementation by the organization, and the selection shall be justified.
NOTE Guidance on the selection of control objectives and controls can be found in BS ISO/IEC 17799. The control objectives and controls listed in clause 4 of this part of BS 7799 are not exhaustive and additional controls may also be selected.
f) A statement of applicability shall be prepared. The selected control objectives and controls, and the reasons for their selection shall be documented in the statement of applicability. This statement shall also record the exclusion of any controls listed in clause 4.

These steps shall be reviewed at appropriately defined intervals as required.

3.3 Implementation

The selected control objectives and controls shall be implemented effectively by the organization. The effectiveness of the procedures adopted to implement the controls shall be verified by reviews in accordance with 4.10.2.

NOTE Attention is drawn to the recommendations given in BS ISO/IEC 17799.

3.4 Documentation

The ISMS documentation shall consist of the following information:
a) evidence of the actions undertaken as specified in 3.2;
b) a summary of the management framework including the information security policy and the control objectives and implemented controls given in the statement of applicability;
c) the procedures adopted to implement the controls as specified in 3.3. These shall describe responsibilities and relevant actions;
d) the procedures covering the management and operation of the ISMS. These shall describe responsibilities and relevant actions.

NOTE The documents listed in 3.4 b) and c) may be conveniently placed together in a security policy manual.

3.5 Document control

The organization shall establish and maintain procedures for controlling all documentation required under 3.4 to ensure that the documentation is:
a) readily available;
b) periodically reviewed and revised as necessary in line with the organization's security policy;
c) maintained under version control and made available at all locations where operations essential to the effective functioning of the ISMS are performed;
d) promptly withdrawn when obsolete;
e) identified and retained when obsolete and required for legal or knowledge preservation purposes, or both.

Documentation shall be legible, dated (together with dates of revision) and readily identifiable, maintained in an orderly manner and retained for a specified period. Procedures and responsibilities shall be established and maintained for the creation and modification of the various types of document.

NOTE Documents may be in any medium, such as hard copy or electronic media.

Figure 1 Establishing a management framework (figure not reproduced in this text)

3.6 Records

Records, being evidence generated as a consequence of the operation of the ISMS, shall be maintained to demonstrate compliance with the requirements of this part of BS 7799 as appropriate to the system and to the organization, e.g. a visitors' book, audit records and authorization of access. The organization shall establish and maintain procedures for identifying, maintaining, retaining and disposing of the records demonstrating compliance. Records shall be legible, identifiable and traceable to the activity involved. Records shall be stored and maintained in such a way that they are readily retrievable and protected against damage, deterioration or loss.

NOTE Records may be in any medium, such as hard copy or electronic media.

4 Detailed controls

4.1 Security policy

4.1.1 Information security policy
Objective: To provide management direction and support for information security.

4.1.1.1 Information security policy document
A policy document shall be approved by management, published and communicated, as appropriate, to all employees.

4.1.1.2 Review and evaluation
The policy shall be reviewed regularly, and in case of influencing changes, to ensure it remains appropriate.

4.2 Organizational security

4.2.1 Information security infrastructure
Objective: To manage information security within the organization.

4.2.1.1 Management information security forum
A management forum to ensure that there is clear direction and visible management support for security initiatives shall be in place.

4.2.1.2 Information security co-ordination
Where appropriate to the size of the organization, a cross-functional forum of management representatives from relevant parts of the organization shall be used to co-ordinate the implementation of information security controls.

4.2.1.3 Allocation of information security responsibilities
Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly defined.

4.2.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities shall be established.

4.2.1.5 Specialist information security advice
Advice on information security provided by in-house or specialist advisors shall be sought and communicated throughout the organization.

4.2.1.6 Co-operation between organizations
Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.

4.2.1.7 Independent review of information security
The implementation of the information security policy shall be reviewed independently.

4.2.2 Security of third party access
Objective: To maintain the security of organizational information processing facilities and information assets accessed by third parties.

4.2.2.1 Identification of risks from third party access
The risks as
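Clause 3.2 f) requires the statement of applicability to record every selected control with the reason for its selection and to record the exclusion of any clause 4 control, so a control that is simply absent from the statement is a defect an assessor will find. The script below is an added example and is not part of BS 7799-2:1999 or of any BSI material: it checks a statement of applicability for exactly those properties against the clause 4 controls that appear in this excerpt (4.1.1.1 to 4.2.2.1). The SoAEntry structure, the check_soa and format_report functions and the sample entries are assumptions made for illustration, and the justification texts are constructed sample data, not taken from any organization.

```python
"""Completeness check for a statement of applicability (SoA).

Added example, not part of BS 7799-2:1999. Clause 3.2 f) requires the SoA to
record every selected control with the reason for its selection and to record
the exclusion of any clause 4 control. This script checks a sample SoA for
exactly those properties. The control catalogue is limited to the clause 4
identifiers that appear in this excerpt; the SoA entries are constructed
sample data, not from any real organization.
"""
from dataclasses import dataclass
from typing import Dict, List

# Clause 4 controls visible in this excerpt (identifier -> title).
CLAUSE_4_CONTROLS: Dict[str, str] = {
    "4.1.1.1": "Information security policy document",
    "4.1.1.2": "Review and evaluation",
    "4.2.1.1": "Management information security forum",
    "4.2.1.2": "Information security co-ordination",
    "4.2.1.3": "Allocation of information security responsibilities",
    "4.2.1.4": "Authorization process for information processing facilities",
    "4.2.1.5": "Specialist information security advice",
    "4.2.1.6": "Co-operation between organizations",
    "4.2.1.7": "Independent review of information security",
    "4.2.2.1": "Identification of risks from third party access",
}

VALID_STATUS = ("selected", "excluded")


@dataclass
class SoAEntry:
    """One SoA line (hypothetical structure): control id, decision, reason."""
    control_id: str
    status: str   # "selected" or "excluded"
    reason: str   # justification for selection, or reason for exclusion


def check_soa(entries: List[SoAEntry],
              catalogue: Dict[str, str] = CLAUSE_4_CONTROLS) -> Dict[str, List[str]]:
    """Return findings as sorted lists of control ids, keyed by problem type.

    missing     - clause 4 control with no SoA entry at all (3.2 f) requires
                  exclusions to be recorded, so silence is a defect)
    unjustified - selected or excluded without any reason recorded
    bad_status  - status other than "selected" / "excluded"
    unknown     - SoA entry for an id that is not a clause 4 control
    duplicate   - the same control id recorded more than once
    """
    findings: Dict[str, List[str]] = {
        "missing": [], "unjustified": [], "bad_status": [],
        "unknown": [], "duplicate": [],
    }
    seen: Dict[str, SoAEntry] = {}
    for entry in entries:
        if entry.control_id in seen:
            findings["duplicate"].append(entry.control_id)
            continue            # judge the first occurrence only
        seen[entry.control_id] = entry
        if entry.control_id not in catalogue:
            findings["unknown"].append(entry.control_id)
            continue
        if entry.status not in VALID_STATUS:
            findings["bad_status"].append(entry.control_id)
            continue
        if not entry.reason.strip():
            findings["unjustified"].append(entry.control_id)
    for control_id in catalogue:
        if control_id not in seen:
            findings["missing"].append(control_id)
    return {key: sorted(ids) for key, ids in findings.items()}


def is_complete(findings: Dict[str, List[str]]) -> bool:
    """True when the SoA accounts for every catalogue control without defects."""
    return not any(findings.values())


def format_report(findings: Dict[str, List[str]],
                  catalogue: Dict[str, str] = CLAUSE_4_CONTROLS) -> str:
    """Human-readable report, one line per finding."""
    lines = []
    for key, ids in findings.items():
        for control_id in ids:
            title = catalogue.get(control_id, "(not in clause 4)")
            lines.append(f"{key:<11} {control_id:<8} {title}")
    return "\n".join(lines) if lines else "SoA complete: all clause 4 controls accounted for"


# Constructed sample SoA with deliberate defects: 4.2.1.4 is never mentioned,
# 4.2.1.3 is selected without a reason, 4.9.9.9 is not a clause 4 control and
# 4.1.1.1 is listed twice.
SAMPLE_SOA: List[SoAEntry] = [
    SoAEntry("4.1.1.1", "selected", "Policy required by board; basis of the ISMS"),
    SoAEntry("4.1.1.2", "selected", "Annual review scheduled with management forum"),
    SoAEntry("4.2.1.1", "selected", "Security forum chaired by operations director"),
    SoAEntry("4.2.1.2", "excluded", "Single site, under 30 staff; forum in 4.2.1.1 co-ordinates"),
    SoAEntry("4.2.1.3", "selected", ""),
    SoAEntry("4.2.1.5", "selected", "Retained external advisor; advice circulated quarterly"),
    SoAEntry("4.2.1.6", "selected", "Contacts with ISP and local police maintained"),
    SoAEntry("4.2.1.7", "selected", "Independent review by internal audit"),
    SoAEntry("4.2.2.1", "selected", "Outsourced hosting provider has network access"),
    SoAEntry("4.9.9.9", "selected", "Typo in control id"),
    SoAEntry("4.1.1.1", "selected", ""),
]

if __name__ == "__main__":
    print(format_report(check_soa(SAMPLE_SOA)))
```

Run against the sample it reports 4.2.1.4 as missing, 4.2.1.3 as unjustified, 4.9.9.9 as unknown and 4.1.1.1 as a duplicate. The same check applies unchanged to the full clause 4 catalogue once the remaining identifiers are added to CLAUSE_4_CONTROLS, and an exclusion with a recorded reason is treated as a valid entry, which is the behaviour 3.2 f) calls for.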
