GB/T 22081-2016 English PDF (GBT22081-2016)
GB/T 22081-2016: Information technology -- Security techniques -- Code of practice for information security controls
Information technology - Security techniques - Code of practice for information security controls ICS 35.040
National Standard of the People's Republic of China
Replacing GB/T 22081-2008
Information technology - Security techniques
Code of practice for information security controls
(ISO/IEC 27002:2013, IDT)
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
0.1 Background and context
0.2 Information security requirements
0.3 Selecting controls
0.4 Developing the organization's own guidelines
0.5 Lifecycle considerations
0.6 Related standards
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
4.1 Clauses
4.2 Control categories
5 Information security policies
5.1 Management direction for information security
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirements of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
10.1 Cryptographic controls
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22081-2008, Information technology - Security techniques - Code of practice for information security management. Compared with GB/T 22081-2008, the main technical changes are as follows:
--- structural changes (see Annex NA);
--- changes in terminology (see Annex NB).
This standard is identical to ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls, and incorporates its technical corrigendum ISO/IEC 27002:2013/Cor.1:2014; the translation method was used. The Chinese document that is consistent with the international document normatively referenced in this standard is:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009, IDT).
This standard makes the following editorial changes:
--- informative Annex NA added;
--- informative Annex NB added.
Please note that some of the content of this document may be the subject of patents. The issuing body of this document does not bear responsibility for identifying any such patents.
This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations: China Electronics Standardization Institute, China Electronics Great Wall Internet System Application Co., Ltd., China Information Security Certification Center, Shandong Institute of Standardization, Guangzhou Saibao Certification Center Services Co., Ltd., Beijing Jiangnan Tian'an Technology Co., Ltd., Shanghai 30wish Information Security Co., Ltd., China National Accreditation Service for Conformity Assessment, Beijing Sunway Information Technology Co., Ltd., Heilongjiang Electronic Information Products Supervision and Inspection Institute, Zhejiang Yuanwang Electronics Co., Ltd., Hangzhou letter Technology Co., Ltd.
Main drafters: Xu Yuna, Shangguan Xiaoli, Min Jinghua, in particular, the public, Lu Lvwen, Ni Wenjing, Wang Lianqiang, Yu Jingtao, Fu Zhigao, Zhao Yingqing, Lu Puming, Wang Shuguang, Yu Zhonghua, Han Shuoxiang, Wei Jun, Cheng Yuqi, Kong Xianglin, Wu Minhua, Li Hua, Li Yang.
Previous editions of the standard replaced by this standard:
--- GB/T 22081-2008.
Introduction

0.1 Background and context
This standard is designed for organizations to use as a reference when selecting controls within the process of implementing an information security management system (ISMS) based on GB/T 22080, or as guidance when implementing commonly accepted information security controls. It is also intended for use in developing industry- and organization-specific information security management guidelines, taking into account the specific information security risk environment(s) involved.
Organizations of all types and sizes (including the public and private sectors, commercial and non-profit organizations) collect, process, store and transmit information in many forms, including electronic, physical and verbal (e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images themselves: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and the related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats, while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems, or other external changes (such as new laws and regulations), may create new information security risks. Given the many ways in which threats could exploit vulnerabilities to harm the organization, information security risks are therefore always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and so reduces the impact on its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved where necessary, to ensure that the organization's specific security and business objectives are met. An ISMS such as that specified in GB/T 22080 takes a holistic, coordinated view of the organization's information security risks, so that a comprehensive suite of information security controls can be implemented within the overall framework of a coherent management system.
Many information systems have not been designed to be secure in the sense of GB/T 22080 and this standard. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires the support of all employees in the organization; it may also require participation from shareholders, suppliers or other external parties, and specialist advice from outside parties may also be needed.
In a more general sense, effective information security also assures management and other stakeholders that the organization's assets are reasonably secure and protected against harm, and in this way acts as a business enabler.

0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
a) the assessment of risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to those threats and the likelihood of occurrence are evaluated, and the potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that the organization, its trading partners, contractors and service providers have to satisfy, together with their socio-cultural environment;
c) the set of principles, objectives and business requirements for handling, processing, storing, communicating and archiving information that the organization has developed to support its operations.
The resources spent on implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment help to guide and determine appropriate management action, the priorities for managing information security risks, and the priorities for implementing the controls selected to protect against those risks.
ISO/IEC 27005 provides guidance on information security risk management, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs, as appropriate.
The selection of controls depends on organizational decisions based on the criteria for risk acceptance, the risk treatment options and the general risk management approach applied by the organization; it should also be subject to all relevant national laws and regulations. The selection of controls also depends on the manner in which the controls interact to provide defence in depth.
Some of the controls in this standard can be considered guiding principles for information security management and are applicable to most organizations. Each control is explained in more detail below together with implementation guidance. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005.
0.4 Developing the organization's own guidelines
This standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this standard will be applicable to every organization. Furthermore, additional controls and guidelines not included in this standard may be required. When documents containing additional guidelines or controls are developed, it may be useful to include cross-references to the clauses of this standard where applicable, to support compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination, through storage, processing, use and transmission, to its eventual destruction or decay. The value of, and the risks to, information assets may vary during their lifetime (e.g. unauthorized disclosure or theft of a company's financial accounts is far less significant after they have been formally published), but information security remains important to some extent at all stages.
Information systems have lifecycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems give organizations an opportunity to update and improve their security controls, taking actual security incidents and current and projected information security risks into account.

0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the remaining standards in the information security management family of standards provide complementary advice or requirements on other aspects of the overall process of managing information security.
Refer to ISO/IEC 27000 for a general introduction to information security management systems and to the family of standards. ISO/IEC 27000 provides a glossary that formally defines most of the terms used throughout the ISMS family of standards, and describes the scope and objectives of each member of the family.

Information technology - Security techniques - Code of practice for information security controls

1 Scope
This standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
This standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an information security management system based on GB/T 22080;
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses, collectively containing a total of 35 main security categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important; therefore each organization applying this standard should identify which controls are applicable, how important they are, and how they apply to individual business processes. Furthermore, the lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement that satisfies the control objective.
Implementation guidance
Provides more detailed information to support implementation of the control and meeting the control objective. The guidance may not be entirely suitable or sufficient in all situations, and may not fulfil the organization's specific control requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided, this part is omitted.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
Implementation guidance
At the highest level, the organization should define an "information security policy" which is approved by management and which sets out the organization's approach to managing its information security objectives.
The information security policy should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) the definition of information security, and the objectives and principles that guide all activities relating to information security;
b) the assignment of general and specific responsibilities for information security management to defined roles;
c) the processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within the organization or to cover certain topics. Examples of such policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end-user oriented topics, such as:
1) acceptable use of assets (see 8.1.3);
2) clear desk and clear screen (see 11.2.9);
3) information transfer (see 13.2.1);
4) mobile devices and teleworking (see 6.2);
5) restrictions on software installation and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).
These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, for example within an "information security awareness, education and training" programme (see 7.2.2).
The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations, where those who define and approve the expected levels of control are separate from those who implement the controls, or where a policy applies to many different people or functions in the organization. Policies for information security can be issued as a single "information security policy" document or as a set of individual but related documents.
If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.
Some organizations use other terms for these policy documents, such as "standards", "directives" or "rules".
5.1.2 Review of the policies for information security
Control
The policies for information security should be reviewed at planned intervals, or when significant changes occur, to ensure their continuing suitability, adequacy ...