ISO IEC 27013-2021.docx

INTERNATIONA1.STANDARDISO/IEC27013editionThird2021-1.1.Informationsecurity,cybersecurityandprivacyprotectionGuidanceontheintegratedimp1.ementationofISO/IEC27001andISO/IEC20000*1SecuritydeVinformation,CybersecuriteetprotectiondeIaviepriveeRecommandationspourIamiseencuvreintegreede11SOIEC27001etdeISOIKC20000-1ReferencenumberISO/IEC27013:2021(E)COPYRIGHTPROTECTEDDOCUMENT©ISO/1EC2021IUirhM*hedbdi1.iUedotherwiseupdhi.o啪InyM1.tta0Dmk<nroni(ncm11ni10tf1.*Mqn1.C6pW11opypMRationmaytheinternetoranintranet,withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOattheaddressbe1.oworISO'smemberbodyinthecountr)oftherequester.f),WV>fifiU81.andonnet8CH-1214Vernier,GenevaPhone：M1.227490111觥曲ite：图洲跳触OQrgPub1.ishedinSwitzer1.andContentsForewordivIntroductionv2 Scope13 Normativereferences14 Termsanddefinitions1OverviewofISO/IEC27001andISO/IEC200001.14.1 UnderstandingISO/IEC27001andISO/IEC20000-114.2 ISO/IEC27001COn(XPtS25Approachesforintegratedimp1.ementation35.1 Genera1.35.2 Considerationsofscope3534蝴m©醐掰ationscenarios45.3.2 Neitherstandardiscurrent1.yusedasthebasisforamanagementsystem45.3.3 Themanagementsystemfu1.fi1.stherequirementsofoneofthestandards55.3.4 standard.66Integratedimp1.ementationconsiderations_66 .167 .2Potentia1.cha1.1.enges7234ResptBandn1.scQnf1.gMinf1.BOhitemsServicedesignandtransitionRiskassessmentandmanagementRiskandotherpartiesIncidentmanagementProb1.emmanagementGatheringofevidence解:20蜘时蜘q三除淞出°nfincidents7.11.11 Changemanagement138:初黜招磔融机Sf1.M剧Htand硼Wimprovement37.3.3 Capaatymanagement147.3.4 Managementofthirdpartiesandre1.atedrisk-.一._.一.147.3.5 弗1.ft三敌制朝阳嘛肱缶gement15Annex(informative)CorrespondencebetweenISO1EC27001:2013,C1.auses1to10,and1SOIEC20000-1:2018rC1.auses1to1()17AnnexB(informative)CoiTespondencebetweenthecontro1.sinISO/IEC27001:2013,Annex,andtherequirementsinISO/IEC20000-1:2018,C1.auses4to1019Annexand(informa1.ive)ComparisonofternsanddefinitionsbetweenISO/IEC27000:201822ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.(inrt)(55io6)Srn1.H(i<5pQriaiipd(syiBweopkodcfBtanriOTdrraJion.SttiQttorddHudiughtechnimitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interestOtherinternationa1.ornizations,governmenta1.andnon-governmenta1.rin1.iaisonwithISOandIEC,a1.sotakepartintheTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceftideddc1.bedthcindFrcnt1.S(W?矫也(H三帼rtsA曲如M1.Mar1帕序的居如jpjffaraf1.ex1.in%wkwi"WNhIheedUH三111展N1.hCISO/IECDirectives.Part2(seewsvw.iso.org/directivesorwww.iec.ch/members.experts/refdocs).A(ftftF>rigWjwn怕&%愁S<3UinWf!ft三b1.e用三电Q0h¾hy*hf1.1.三ffkubjectrights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmentOfI1.÷d屋um&MWiI1.b&intheIntrodurtionand/orontheISO1.istofpatentdec1.arationsreceived(seewww.iso.org/patents)ortheIEC1.istofpatentdec1.arationsreceived(seepatents.iec.ch).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.B即邸SiOnSeXPk1.nttrtbM岫CMtbWfthy前榄喇11fnt,StandHHs,1.hfoWttbgatfdOs,ttkadhvwceartd由aWoUdTade0tgQN¾G。注(VT0)princip1.esiU4<hNtNB*H沁咯to：*#(CBT)seewww.iso.org/iso/foreword.htrn1.IntheIEC.seewww.iec.chunderstandingstandards.j族。例M腺里SC编妞肿群梆隰CUrj夕或M1.wfm阳(SOI&肪小ec"on./brmaontechno1.ogy,Thisthirdeditioncance1.sandrep1.acesthesecondedition(ISO/IEC27013:2015),whichhasbeenIEWAWI1.y268bU18.Themainchangecomparedwiththepreviouseditionisthea1.ignmentwithA1.istofa1.1.partsintheISO/IEC27000seriescanbefoundontheISOandIECwebsites.NwfyTfeAibftekefMW油He1.tft川曲府hesft魅?rfHQWjqRPqRjreeted,w.iecxh/nationa1.-committees.IntroductionThere1.ationshipbetweeninformationsecuritymanagementandservicemanagementisSOc1.osethattaByoui6fi9,½a3¢Wcgnizeinfohwbo11teoiQ<taphngciiM*nntW80jaEf)30tt01.Standardsfervicemanagement.ItiscommonforanorganizationtoimprovethewayitoperatestoachieveconformitywiththerequirementsspecifiedinoneInternationa1.Standardandthenmakefurtherimprovementstoachieveconformitywiththerequirementsofanother.Thereareanumberofadvantagesforanorganizationinensuringitsmanagementsystemtakesintoaccountboththeservice1.ifecyc1.eandtheprotectionoftheorganization'sinformation.These娥眄姆陶顺却曲曾1.areo的眼丽靓aEft三us1.y.制喇因YayI三kc日翎hna1.processes,inparticu1.ar,canderivebenefitfromthemutua1.1.yreinforcingconceptsandsimi1.aritiesbetweentheseInternationa)Standardsandtheircommonobjectives.KwiM1.gwifttqi1.pftdkWffimp1.ementationofinformationsecurity11anagcncntandservicea) credibi1.itytointerna1.andexterna1.customers,andotherinterestedpartiesoftheorganization,ofeffectiveandsecureservices;b) 1.owercostofimp1.ementing,maintainingandauditinganintegratedmanagementsystem,whereeffectiveandefficientmanagementofbothservicesandinformationsecurityarepartofanorganization'sstrategy；c) reductioninimp1.ementationtimeduetotheintegrateddeve1.opmentofprocessessupportingbothservicemanagementandinformationsecuritymanagement;d) ertmWftixioncor¥>/iwnic*ti«mvyinafup$fcdt)on；re1.iabi1.ityandimprovedoperationa1.efficiencythroughe) agreaterunderstandingbySerViCemanagementandinformationsecuritypersonne1.ofeachother,sviewpoints;f) anorganizationcertifiedforISO/IEC27001canmoreeasi1.yfu1.itherequirementsforinformationSecurityspecifiedinISO/IEC20000-1:2018,873,asISO/IEC27001andISO/IEC20000-1arecomp1.ementaryinrequirements.ThisdocumentisbasedonISO)EC27001:2013andISO/IEC20000-1:2018.酶IEC硼般出hdirW三蒯三i¼i加热SonSeithW%M羔晒即CgrftiI锚锹触ftftardsandThisdocumentdoesnotreproducecontentofISO/IEC27001orISO/IEC20000-1.Equa1.1.y,itdoesnot腮Fffteover1.a理即用nter信觎2盟Sta嘏和(UbmP斗潴8榭U1.i&ser?蜘砌Rd三iinen由郡£¥站WsCttoISO/IEC20000-1andISO/IEC27001.NOTESpecific1.egis1.ationscanexistwhichcanimpactthep1.anningofanorganizationmanagementsystem.Informationsecurity,cybersecurityandprivacyprotectionGuidanceontheintegratedimp1.ementationofISO/IEC27001andISO/IEC20000-11Scopefororganizationsintendingto：b)in1.ementbothISO/IEC27001andISO/IEC20000-1together：ormanagementfocuses(ISMS)exc1.usive1.yontheintegratedimp1.ementationmanagementinformationsecurity2 Normativereferencesconstitutesrcquircments1.atestCdiUOndOCUment.referencedreferences,(inc1.udingamendments)app1.ies.app)ies.systemrequirementssystemsOverviewandvocabu1.arysystems-Requirements3 TermsanddenitionsISO/IEC20000-1:2018app1.y.ISOOn1.inebrowsingp1.atform：avai1.ab1.eat1.utpsww¼Mso>orgobp4OverviewofISO/IEC27001andISO/IEC20000-14.1UnderstandingISO/IEC27001andISO/IEC20000-1securitymanagcmcnt!SOIEC20000-1management.Thismaximizesmanage11cn1.rcsourcesinformationThisdocumentgivesguidanceontheintegratedimp1.ementationofISO/IEC27001andISO1EC20000-1a)imp1.ementISO/IEC27001whenISO/IEC20000-1isa1.readyimp1.emented,orviceversa；c)integrateexistingmanagementsystemsbasedonISO/IEC27001andISO/IEC20000-1.ThisdocumentsystemasspecifiedinISO/IEC27001andserviceofsystem(SMS)asspecifiedinISO/IEC20000-1.Thefo1.1.owingdocumentsarereferredtointhetextinsuchawaythatsomeora1.1.oftheircontentundatedreferences,theofthisoftheFordateddocumenton1.ytheanyeditioncitedForISO/IEC20000-1:2018,Informationtechno1.ogyServicemanagementPart1:ServicemanagementISO/IEC27000:2018,Informationtechno1.ogySecuritytechniquesInformationsecuritymanagementISO/IEC27001:2013,Informationtechno1.ogySecuritytechniquesInformationSeeUritymanagementForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000:2018andISOandIECmaintaintermino1.ogica1.databasesforuseinstandardizationatthefo1.1.owingaddresses:IECE1.ectropedia:avai1.ab1.eathttp:/www.e1.ectropedia.org/Anorganizationshou1.dhaveagoodunderstandingofthecharacteristics,simi1.aritiesanddifferencesofISO/IEC27001andandservicebeforep1.anninganintegratedthetimeandsystemforavai1.ab1.efor1.O"E612aMi&24X1(IiII(Ito4p)xh«Mdinubbu)dmdiQBfiubstttut6IiitoiiainCdOtaiaduedex1.yng4.2 ISO1EC27001conceptsISO/IEC27001providesamode1.forestab1.ishing,imp1.ementing,maintainingandcontinua1.1.yimprovingturm.!nfertxMBdiBcftmrityv'aynndbRiUHe<iyertMtyjtcc'itifrjftheon.ornfiEntaiocantakeanyToachieveconformitywiththerequirementsspecifiedinISO/IEC27001,anorganizationshou1.d三MnanS梢膈如副於限瑞肥磁整轴&括瓢怨袋P3riety。用豳Ure黑蜥耐皿辘曲Xedescmeasuresareknownasinformationsecuritycontro1.s.Theorganizationshou1.ddetermineacceptab1.e1.eve1.sofrisk,takingintoaccounttherequirementsofinterestedpartiesre1.evanttotsarebusinessrequirements,1.ega1.andregu1.atoryj三i即ts"11三fii沁翻?阳1期MnS.requiremenISO/IEC27001canbeusedbyanytypeandsizeoforganization.Exc1.udinganyoftherequirementsanorganizationc1.aimstoISO/IEC2700?:rC1.auses4to101.isnotacceptab1.ewhen4.3 ISO/IEC20000-1conceptsISO/IEC20000-1specifiesrequirementsforestab1.ishing,imp1.ementing,maintainingandcontinua1.1.yIrfqK52ngi11<kIdEgetha讪碍mg?Itesj3efHShstokfiMdc1.ivery叫OiPOrtHimPtf(岬men11(tfvicedchicemeetagreedrequirementsandde1.iverva1.ueforcustomers,usersandtheorganizationde1.iveringtheservices.forinformationsecuritymanagementarcspecifiedinISO/IEC20000-1:2018.8.7.3.A1.1.requirementsspecifiedinISO/iEC200004aregenericandareintendedtobeapp1.icab1.etoa1.1.organizations,sforthen用fptnNserviR¾W检Mw1.og剧H屏digi由Fi三i由侬杰龈4悭GcW-外hejsrequirementsinISO/IEC20000-1:2018,C1.auses4to10,isnotacceptab1.ewhentheorganizationc1.aimsconformitytoISO/IEC20000-11irrespectiveofthenatureoftheorganization.4.4 Simi1.aritiesanddifferencesServicemanagementandinformationsecuritymanagementaresometimestreatedasiftheyareitberb0dahHtted0rcfTiditbubMccOAmB”1JaitipteCaIbndRd1.PnaftIabiiytamuhm11securitymanagementisoftennotunderstoodtobefundamenta1.toeffectiveservicede1.ivery.Asaresu1.tservicemanagementisfrequent1.yimp1.ementedfirst.Therearesomesharedconceptsbetweentheset¼rodiscip1.ines,aswe1.1.asconceptsthatareuniquetoeach.Informationsecuritymanagementandservicemanagementdear1.yaddressverysimi1.arrequirementsandactivities,eventhoughtheSMSandtheISMSeachhigh1.ightdifferentdetai1.s.WhenworkingwithI则阕ftQUh1.艘龈必MsW)O4硼碗编剧遍相仍独邸田晒fE三枭行确镂H1.tosomoredifferentintendedoutcomes.ISO/IEC20000-1isdesignedtoensurethattheorganizationprovideseffectiveservices,whi1.eISO/IEC27001isdesignedtoenab1.etheorganizationtomanageinformationsecurityriskandrecoverfromorpreventinformationsecurityincidents.SeeAnnexAfordetai1.softhecorrespondencebetweenISO/IEC27001:2013,C1.auses1to10,andISO/IEC20000-1:2018,C1.auses1to10.SeeAnnexBforacomparisonoftopicsbetweenthecontro1.sCO橄尉蚓亚州PSM孰NWiiaonSand央版Vee1.碎怖Iend朗对折哪仅20000-1:2018.SeeAnttexCfora5Approachesforintegratedimp1.ementation5.1 Genera1.Anorganizationp1.anningtoimp1.ementbothISO/IEC27001andISO/IEC20000-1canbeinoneofthreestatesasfo1.1.ows：unofficia1.managementarrangementsexistwhichcoverbothinformationsecuritymanagementandservicemanagementbuthavenotbeenforma1.ized,documentedorde1.iberate1.yintegratedintotheorganization'sotheractivities：thereisamanagementsystembasedonISO/IEC27001orISO/IEC20000-1;t1.inotinterf1.Wrd)anagementsystemsbasedonISO/IEC27001andISO/IEC20000-1,butthesenorganizationp1.anningtoimp1.ementanintegratedmanagementsystemforinfo11nationsecurityandservicemanagementshou1.dconsiderat1.eastthefo1.1.owing：a) othermanagementsystem(三)a1.readyinuse(e.g.aqua1.itymanagementsystem);thescope(三)b) app1.icab1.e;oftheproposedISMSandSMS,aswe1.1.asanydifferenceinscopebetweenthem,ifc) a1.1.services,processesandtheirinterdependenciesinthecontextoftheintegratedmanagementsystem；d) e1.ementsofeachmanagementsystemwhichcanbeintegratedandhowtheycanbeintegrated;e) e1.ementsthataretoremainseparate：0theimpactoftheintegratedmanagementsystemoncustomers,supp1.iersandotherinterestedparties;g) theimpactontechno1.ogyinuse;h) theimpacton,orriskto,theservicesandservicemanagement；i) theimpacton,orriskto,informationsecurityandinformationsecuritymanagement;j) educationandtrainingintheintegratedmanagementsystem;k) accountabi1.itiesandresponsibi1.itiesfora1.1.requirements；l) phasesandsequenceofimp1.ementationactivities.5.2ConsiderationsofscopeOneareawhereanISMSandanSMScandifferisont1.esubjectofscope,name1.y,whatassets,services,processesandpartsoftheorganizationthemanagementsystemshou1.dinc1.ude.ISO/IEC20000-1isconcernedwiththep1.anning,design,transition,de1.iveryandimprovementofservicestode1.iverva1.uetocustomers,usersandtheorganization.ThescopeofISO/IEC20000-1f三j腌!Mred招曲百曲涮弛哪Service站播。腐阉加制3a网型物三>R触耽W1.fo1.eOrPartofa1.argerentity.TheSMSscopecana1.sobodefinedexc1.usive1.ybyac1.earphysica1.boundary,suchasasing1.esitede1.iveringservices.TheorganizationinthescopeoftheSMScana1.sobeknownasaserviceprovider.ISO/IEC27001isconcernedwithhowtomanageinformationsecurityrisk.ThescopeoftheISMScoversthoseactivitiesre1.atedtomanagingtheconfidentia1.ity,integrityandavai1.abi1.ityoftheorganization'sinformation.Termconfigurationitem(C1.)ISO/IEC27000:2018Notdefined3.11conformity(harmonizedstructureterm)fu1.fi1.mentofarequirementconsequence由一so/mc2021A=ngh-sreserved3.12outcomeofaneventaffectingobjectivesNote1toentry:Aneventcan1.eadtoarangeofconsequences.Note2toentry:Aconsequencecanbecertainoruncertainand,MthecontextOfinformationsecurity,isusua1.1.ynegative.Note3toentry:Consequencescanbeexpressedqua1.itative1.yorquantitative1.y.Note4toentry：Initia1.consequencescanesca1.atethroughknock-oneffects.SOURCE:ISOGuide73:2009,3.6.1.3,modifiedNote2toentryhasbeenchangedafter*andrt.J二EC27013:2021(E)ISO/IEC20000-1:20183.2.2e1.ementthatneedstobecontro1.1.edinordertode1.iveraserviceorservices3.1.3Identica1.definition.ISO/IEC200004hasaddedanotetoentry：Note1coentry：Confbrmicyre1.atestorequirementsinthisdocumentaswe1.1.astheorganization'sSMSrequirements.Note2toentry：Theorigina1.AnnexS1.definitionhasbeenmodifiedbyaddingNote1toentry.NotdefinedCommentsonusageoftheterminbothstandardsConfigurationmanagementisprominentinISO/IEC20000-1.AninformationassetinISO/IEC27001cana1.sobeaC1.inISO/IEC200004.See6.2.2forafurtherexp1.anationaboutcongurat1.onitems.Broad1.ythesamemeaninginISO/IEC27001andISO/IEC20000-1.Thetermconsequence"isusedinISO/IEC20000-1:2018,3.1.20,notestoentryfortheterm,riskrt,ISO/IEC200001:2018,6.1.3,NOTE1,ISOIEC20000-1:2018,8.1rrequirementsandISO/IEC20000-1:2018,10.1.1,requirements.Thewordisusedinthenorma1.Eng1.ish1.anguageusage.A1.1.exceptISO/IEC20000-1:2018.6.1.3.archarmonizedstructuretext.28/-EC27013NJ021(E)TermISO/IEC27000:2018ISO/IEC20000-1:2018Cnmmentsonusageoftheterminbothstandards)rrectiveactionrmonizcdstructureterm)actcor117ontoe1.iminatethecauseofanon-actformityandtopreventrecurrencethecdNodefcexthe