Information security management
BS 7799 Part 2: Specification for information security management systems

Contents
1 SCOPE
2 TERMS AND DEFINITIONS
  statement of applicability
3 INFORMATION SECURITY MANAGEMENT SYSTEM REQUIREMENTS
  General
  Establishing a management framework
  Implementation
  Documentation
  Document control
  Records
4 DETAILED CONTROLS
  Security policy
    Information security policy
  Security organization
    Information security infrastructure
    Security of third party access
    Outsourcing
  Asset classification and control
    Accountability for assets
    Information classification
  Personnel security
    Security in job definition and resourcing
    User training
    Responding to security incidents and malfunctions
  Physical and environmental security
    Secure areas
    Equipment security
    General controls
  Communications and operations management
    Operational procedures and responsibilities
    System planning and acceptance
    Protection against malicious software
    Housekeeping
    Network management
    Media handling and security
    Exchanges of information and software
  Access control
    Business requirement for access control
    User access management
    User responsibilities
    Network access control
    Operating system access control
    Application access control
    Monitoring system access and use
    Mobile computing and teleworking
  Systems development and maintenance
    Security requirements of systems
    Security in application systems
    Cryptographic controls
    Security of system files
    Security in development and support processes
  Business continuity management
    Aspects of business continuity management
  Compliance
    Compliance with legal requirements
    Review of security policy and technical compliance
    System audit consideration

1 Scope

This part of BS 7799 specifies requirements for establishing, implementing and documenting information security management systems (ISMSs). It specifies requirements for security controls to be implemented according to the needs of individual organizations.

NOTE Part 1 gives recommendations for best practice in support of the requirements of this specification.

The control objectives and controls given in clause 4 of this part of BS 7799 are derived from and aligned with the objectives and controls listed in BS 7799-1:1999.

2 Terms and definitions

For the purposes of this part of BS 7799, the definitions given in BS 7799-1 apply, together with the following.

statement of applicability
Critique of the objectives and controls applicable to the needs of the organization

3 Information security management system requirements

General

The organization shall establish and maintain a documented ISMS. This shall address the assets to be protected, the organization's approach to risk management, the control objectives and controls, and the degree of assurance required.

Establishing a management framework

The following steps shall be undertaken to identify and document the control objectives and controls (see Figure 1).

a) The information security policy shall be defined.
b) The scope of the information security management system shall be defined. The boundaries shall be defined in terms of the characteristics of the organization, its location, assets and technology.
c) An appropriate risk assessment shall be undertaken. The risk assessment shall identify the threats to assets, vulnerabilities and impacts on the organization and shall determine the degree of risk.
d) The areas of risk to be managed shall be identified based on the organization's information security policy and the degree of assurance required.
e) Appropriate control objectives and controls shall be selected from clause 4 for implementation by the organization, and the selection shall be justified.
   NOTE: Guidance on the selection of control objectives and controls can be found in BS 7799-1. The control objectives and controls listed in clause 4 of this part of BS 7799 are not exhaustive and additional controls may also be selected.
f) A statement of applicability shall be prepared. The selected control objectives and controls, and the reasons for their selection, shall be documented in the statement of applicability. This statement shall also record the exclusion of any controls listed in clause 4.

These steps shall be reviewed at appropriately defined intervals as required.

Implementation

The selected control objectives and controls shall be implemented effectively by the organization. The effectiveness of the procedures adopted to implement the controls shall be verified by reviews in accordance with .

NOTE Attention is drawn to the recommendations given in BS 7799-1.

Documentation

The ISMS documentation shall consist of the following information:

a) evidence of the actions undertaken as specified in ;
b) a summary of the management framework including the information security policy and the control objectives and implemented controls given in the statement of applicability;
c) the procedures adopted to implement the controls as specified in . These shall describe responsibilities and relevant actions;
d) the procedures covering the management and operation of the ISMS. These shall describe responsibilities and relevant actions.

NOTE: The documents listed in ) and c) may be conveniently placed together in a security policy manual.

Document control

The organization shall establish and maintain procedures for controlling all documentation required under to ensure that the documentation is:

a) readily available;
b) periodically reviewed and revised as necessary in line with the organization's security policy;
c) maintained under version control and