ISO IEC 27002:2022 信息安全控制标准解析

网络安全

需积分: 4 12 浏览量更新于2024-06-27 收藏 9.36MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"ISO IEC 27002：2022 信息安全控制标准" ISO/IEC 27002 是国际标准化组织（ISO）和国际电工委员会（IEC）联合技术委员会1（JTC1）下属的第二十七分技术委员会（SC27）制定的信息安全管理体系标准，其核心是提供了一系列的信息安全控制措施，旨在帮助组织保护其信息资产的安全。该标准的最新版本为2022年版，由樊山翻译成中文。该标准的前言部分提到，这份中英文对照版仅供学习使用，禁止任何形式的收费行为。它涵盖了信息安全的背景、需求、控制的确定和开发，以及生命周期注意事项等相关内容，并提及了与其他标准的关系。标准的主要结构包括： 1. 范围：明确标准适用的领域和界限，定义了标准的目标和涵盖的活动范围。 2. 规范性引用：列出对理解和实施标准至关重要的其他文件或标准。 3. 术语、定义和缩写词：这是理解标准的基础，定义了关键概念，如访问控制、资产、攻击、认证、真实性、监管链、机密信息、控制、破坏、终端设备、实体、信息处理设施、信息安全漏洞、信息安全事件、信息安全事故、信息安全事件管理、信息系统和相关方等。这些术语定义了信息安全领域中的关键概念，有助于确保所有参与者对相关术语有统一的理解。例如，访问控制是指管理谁可以访问哪些信息和资源的机制；资产是指组织中具有价值的信息和相关支持设施；攻击是指针对信息系统的恶意行为；认证是确认身份的过程；真实性涉及信息的完整性和未被篡改性。标准的后续章节将详细阐述各种控制措施，指导组织如何建立、实施、维护和改进信息安全管理体系。这些控制可能涉及物理安全、人员安全、系统安全、通信安全等多个方面，以应对不断演变的信息安全威胁和风险。 ISO/IEC 27002:2022 是一套全面的信息安全管理框架，它提供了最佳实践，帮助组织在复杂多变的网络环境中确保信息资产的安全。通过遵循这些标准，组织能够更好地保护自身免受数据泄露、非法访问、系统中断等风险，同时增强客户和合作伙伴的信任。

资源详情

资源推荐

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms

and expressions related to conformity assessment, as well as information about ISO’s

adherence to the World Trade Organization (WTO) principles in the Technical Barriers to

Trade (TBT) , see www.iso.org/iso/foreword.html.

有关标准的自愿性质的解释，与合格评定有关的 ISO 特定术语和表达的含义，以及有关 ISO

遵守《技术性贸易壁垒（TBT ）中的世界贸易组织（ WTO ）原则》的信息，请参见

www.iso.org/iso/foreword.html。

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

本文档由 ISO / IEC JTC 1 技术委员会，信息技术，SC 27 小组，信息安全，网络安全和隐

私保护委员会编写。

This third edition cancels and replaces the second edition (ISO/IEC 27002:2013 + Corr1:2014

+ Corr2: 2015), which has been technically revised.

第三版取消并替代了经过技术修订的第二版（ISO / IEC 27002：2013 + Corr1：2014 +

Corr2：2015）。

The main changes compared to the previous edition are as follows:

与上一版本相比的主要变化如下：

- The phrase “Code of Practice” has been dropped from the title of this document to better

reflect its purpose of being a reference set of information security controls. This is not a

change of purpose. The intention of ISO/IEC 27002 has always been to help organizations

ensure that no necessary control has been overlooked. This purpose is the same

irrespective of the intended usage of this document (see Clause 1). Notwithstanding this

declaration, the guidance given for individual controls is based on internationally

recognized best practice.

- This purpose of being a reference set is achieved by ensuring comprehensive coverage

of the varied ways in which information security controls can be described. By design, this

results in the overlaps and duplications referred to in 0.3. For this reason, the stricture of

the document has been changed, presenting the controls using a simple taxonomy and

associated attributes.

- Some controls have been merged, some deleted and several new controls have been

introduced. The complete correspondence can be found in Annex B.

Any feedback or questions on this document should be directed to the user’s national

standards body. A complete listing of these bodies can be found at

www.iso.org/members.html.

0 介绍

0.1 Background and context 背景和环境

This document is designed for organizations of all types and sizes to be used as a reference

for determining and implementing controls for information security risk treatment in an

Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used

as a guidance document for organizations determining and implementing commonly

accepted information security controls. This document is also intended for use in developing

industry and organization-specific information security management guidelines, taking into

consideration their specific information security risk environment(s). Organizational or

environment specific controls other than those included in this document can be determined

through risk assessment as necessary to modify risk.

本文档适用于各种类型和规模的组织，可以用作确定和实施基于 ISO/IEC 27001 的信息安

全管理系统（ISMS）中信息安全风险处理控制的参考。组织确定和实施公认的信息安全控制

措施的指导文件。考虑到其特定的信息安全风险环境，本文档还打算用于开发行业和特定于

组织的信息安全管理指南。可以通过风险评估来确定除本文档中所包含的组织或环境以外

的组织特定控制措施以修改风险。

Organizations of all types and sizes (including public and private sector, commercial and non-

profit) create, collect, process, store, transmit and dispose information in many forms

including electronic, physical and verbal (e.g. conversations and presentations).

各种类型和规模的组织（包括公共和私营部门，商业和非营利组织）以多种形式创建，收集，

处理，存储，传输和处置信息，包括电子形式，物理形式和口头表达（例如对话和演示）。

The value of information goes beyond the written words, numbers and images: knowledge,

concepts, ideas and brands are examples of intangible forms of information. In a

interconnected world, information and other associated assets, like other important business

interests, deserve or require protection against various risk sources, whether natural,

accidental or deliberate.

信息的价值超越了文字，数字和图像：知识，概念，思想和品牌是无形信息形式的示例。在

相互联系的世界中，信息和其他关联资产（如其他重要的商业利益）应受到保护或要求保护

免受各种自然，偶然或故意的风险来源的侵害。

Information security is achieved by implementing a suitable set of controls, including policies,

rules, processes, procedures, organizational structures and software and hardware functions.

To meet its specific security and business objectives, the organization should define,

implement, monitor, review and improve these controls where necessary. An ISMS such as

that specified in ISO/IEC 27001 takes a holistic, coordinated view of the organization’s

information security risks in order to determine and implement a comprehensive suite of

information security controls within the overall framework of a coherent management system.

Many information systems, including their management and operations, have not been

designed to be secure in terms of an ISMS as specified in ISO/IEC 27001 and this document.

The level of security that can be achieved only through technological measures is limited and

should be supported by appropriate management activities and processes. Identifying which

controls should be in place requires careful planning and attention to detail while carrying

out risk treatment.

A successful ISMS requires support from all personnel in the organization. It can also

participation from other interested parties, such as shareholders or suppliers. Advice from

matter experts can also needed.

A suitable, adequate and effective information security management system provides

assurance to the organization’s management and other interested parties that their

information and other associated assets are maintained reasonably secure and protected

against threats and harm, thereby enabling the organization to achieve the stated business

objectives.

0.2 Information security requirements 信息安全需求

It is essential that an organization determines its security requirements, There are three main

sources of security requirements:

组织确定其安全性要求至关重要。安全性要求有三个主要来源：

a) the assessment of risks to the organization, taking into account the organization’s overall

business strategy and objectives. This can be facilitated or supported through an

information security specific risk assessment. This should result in the determination of

the controls necessary to ensure that the residual risk to the organization meets its risk

acceptance criteria;

b) the legal, statutory, regulatory and contractual requirements that an organization and its

interested parties (trading partners, service providers, etc.) have to comply with and their

sociocultural environment;

c) the set of principles, objectives and business requirements for all the steps of the lifecycle

of information that an organization has developed to support its operations.

a) 评估组织的风险，并考虑组织的整体业务战略和目标。可以通过信息安全特定的风险评

估来促进或支持这一点。这应导致确定必要的控制措施，以确保组织的剩余风险满足其

风险接受标准；

b) 组织及其利益相关方（交易伙伴，服务提供商等）必须遵守的法律，法规，规范和合同

要求及其社会文化环境；

c) 组织为支持其运营而开发的信息生命周期的所有步骤的一组原则，目标和业务要求。

NOTE ISO/IEC 27005 provides information security risk management guidance, including

advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring

and risk review.

注：ISO/IEC 27005

提供了信息安全风险管理指南，包括有关风险评估，风险处理，风险接

受，风险沟通，风险监控和风险审查的建议。

0.3 Controls 控制

A control is defined as a measure that modifies or maintains risk. Some of the controls in

document are controls that modify risk, while others maintain risk. An information security

policy, for example, can only maintain risk, whereas compliance with the information security

policy can modify risk. Moreover, some controls describe the same generic measure in

different risk contexts. This document provides a generic mixture of organizational, people,

physical and technological information security controls derived from internationally

recognized best practices.

控制定义为修改或维持风险的措施。文档中的某些控制是修改风险的控制，而其他控制则负

责风险。例如，信息安全策略只能维护风险，而遵守信息安全策略则可以修改风险。此外，

一些控制措施在不同的风险情况下描述了相同的通用措施。本文档提供了组织，人员，物理

和技术信息安全控制的通用组合，这些控制源自国际公认的最佳实践。

0.4 Determining controls 确定控制

Determining controls is dependent upon organizational decisions following a risk assessment,

with a clearly defined scope. Decisions related to identified risks should be based on the

criteria for risk acceptance, risk treatment options and the risk management approach,

applied by the organization. The determination of controls should also be subject to all

relevant national and international legislation and regulations. Control determination also

depends on the manners in which controls interact with one another to provide defence in

depth.

确定控制取决于风险评估后的组织决策，并具有明确定义的范围。与已识别风险相关的决

策应基于组织应用的风险接受标准、风险处理方案和风险管理方法。控制措施的确定也应

遵守所有相关的国家和国际法律法规。控制确定还取决于控制相互交互以提供纵深防御的

ISO 9000，质量管理体系—基础知识和词汇

方式。

The organization can design controls as required or identify them from any source. In

specifying such controls organizations should consider the resources and investment needed

to implement and operate a control against the business value realized. See ISO/IEC 27016

for further coverage of this aspect.

组织可以根据需要设计控制或从任何来源识别它们。在指定此类控制时，组织应考虑实施和

操作控制所实现的业务价值所需的资源和投资。参见 ISO/IEC 27016 以进一步了解这方面

的内容。

The organization can design controls as required or identify them from any source. In

specifying such controls organizations should consider the resources and investment need to

implement and operate a control against the business value realized. See ISO/IEC 27016 for

further coverage of this aspect.

组织可以根据需要设计控制或从任何来源识别它们。在指定此类控制时，组织应考虑实施和

操作控制所实现的业务价值所需的资源和投资。参见 ISO/IEC 27016 以进一步了解这方面

的内容。

There should be a balance between the resources deployed for implementing controls with

the potential resulting business harm from security incidents in the absence of those controls.

The results of a risk assessment should help guide and determine the appropriate

management action, priorities for managing information security risks and for implementing

controls determined necessary to protect against these risks.

在为实施控制而部署的资源与在没有这些控制的情况下安全事件可能导致的业务损害之间

应保持平衡。风险评估的结果应有助于指导和确定适当的管理行动、管理信息安全风险的优

先级以及实施确定的必要控制以防范这些风险。

Some of the controls in this document can be considered as guiding principles for information

security management and as applicable for most organizations. More information about

determining controls and other risk treatment options can be found in ISO/IEC 27005.

本文档中的一些控制可被视为信息安全管理的指导原则，适用于大多数组织。有关确定控制

和其他风险处理选项的更多信息，请参见 ISO/IEC 27005。

0.5 Developing your own guidelines 开发自己的指南

This document can be regarded as a starting point for developing organization-specific

guidelines. All the controls and guidance in this document may not a applicable to all

organizations. Additional controls and guidelines not included in this document can also be

required to address the specific needs of the organization and the risks that have been

identified. When documents are developed containing additional guidelines or controls, it can

be useful to include cross-references to clauses in this document for future reference.

剩余325页未读，继续阅读

天天安全

粉丝: 0
资源: 3

ISO IEC 27002:2022 信息安全控制标准解析

ISO27002-2022 信息技术 网络安全与隐私保护 信息安全控制（中英文对照版）

ISO/IEC 27001：2022 信息安全、网络安全和隐私保护－信息安全管理系统－要求 - 完整中文翻译版（24页）.rar

ISO IEC 27001-2022 中文版.pdf

iso/iec 27002:2022

so/iec 27002:2022

iso27002:2022下载

iso/iec27001:2022下载

iso/iec27001:2022标准文件pdf

iso/iec 27001:2022 下载

iso/iec 27001:2022下载

gb/t 22081-2016/iso/iec 27002:2013

iec 62623:2022

iec 62619:2022

iso27002 2022下载

ISO/IEC 17025:2017

iso iec 27017-2015.pdf

27001 2022

iso/iec 27003:2017 pdf

iso/iec/ieee 42010:2022 pdf

iso/iec 27002下载

最新资源

ISO27002-2022 信息技术网络安全与隐私保护信息安全控制（中英文对照版）