www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GB/T 22081-2016 English PDF (GB/T22081-2016)

Price: $370.00 (shipping calculated at checkout)
GB/T 22081-2016: Information technology -- Security techniques -- Code of practice for information security controls
Delivery: 9 seconds. Download (& Email) true-PDF + Invoice.

ICS 35.040
L80
National Standard of the People's Republic of China
GB/T 22081-2016
Replacing GB/T 22081-2008
Information technology - Security techniques - Code of practice for information security controls
(ISO/IEC 27002:2013, IDT)
Issued 2016-08-29
Implemented 2017-03-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Contents
Foreword III
Introduction IV
0.1 Background and context IV
0.2 Information security requirements IV
0.3 Selecting controls V
0.4 Developing the organization's own guidelines V
0.5 Lifecycle considerations V
0.6 Related standards V
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Structure of this standard
4.1 Clauses
4.2 Control categories 1
5 Information security policies 2
5.1 Management direction for information security 2
6 Organization of information security 3
6.1 Internal organization 3
6.2 Mobile devices and teleworking 5
7 Human resource security 7
7.1 Prior to employment
7.2 During employment 8
7.3 Termination and change of employment
8 Asset management 10
8.1 Responsibility for assets 10
8.2 Information classification 11
8.3 Media handling 13
9 Access control
9.1 Business requirements of access control 14
9.2 User access management 15
9.3 User responsibilities 18
9.4 System and application access control 19
10 Cryptography 21
10.1 Cryptographic controls 21
11 Physical and environmental security 23
11.1 Secure areas 23
11.2 Equipment 25
12 Operations security 28
12.1 Operational procedures and responsibilities
12.2 Protection from malware 30
12.3 Backup 31
12.4 Logging and monitoring 32
12.5 Control of operational software 34
12.6 Technical vulnerability management 34
12.7 Information systems audit considerations 36
13 Communications security 36
13.1 Network security management
13.2 Information transfer 38
14 System acquisition, development and maintenance 40
14.1 Security requirements of information systems 40
14.2 Security in development and support processes 42
14.3 Test data 45
15 Supplier relationships 46
15.1 Information security in supplier relationships 46
15.2 Supplier service delivery management 48
16 Information security incident management 49
16.1 Management of information security incidents and improvements 49
17 Information security aspects of business continuity management 52
17.1 Information security continuity 52
17.2 Redundancies 54
18 Compliance 54
18.1 Compliance with legal and contractual requirements 54
18.2 Information security reviews 56
References 65
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22081-2008 "Information technology - Security techniques - Code of practice for information security management". Compared with GB/T 22081-2008, the main technical changes are as follows:
--- structural changes, listed in Annex NA;
--- terminology changes, listed in Annex NB.
This standard is identical to ISO/IEC 27002:2013 "Information technology - Security techniques - Code of practice for information security controls" and its technical corrigendum ISO/IEC 27002:2013/Cor.1:2014, adopted by the translation method.
The Chinese document that corresponds to an international document normatively referenced in this standard is:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009, IDT).
This standard makes the following editorial changes:
--- informative Annex NA added;
--- informative Annex NB added.
Note that some of the content of this document may be the subject of patent rights. The issuing bodies of this document do not take responsibility for identifying any such patent rights.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China Electronics Standardization Institute, CLP Great Wall Internet System Application Co., Ltd., China Information Security Certification Center, Shandong Provincial Institute of Standardization, Guangzhou Saibao Certification Center Services Co., Ltd., Beijing Jiangnan Tian An Technology Co., Ltd., Shanghai Three Zero Guardian Information Security Co., Ltd., China National Accreditation Service for Conformity Assessment, Beijing Sunway Information Technology Co., Ltd., Heilongjiang Electronic Products Supervision and Inspection Institute, Zhejiang Yuanwang Electronics Co., Ltd., Hangzhou Letter Technology Co., Ltd.
Main drafters of this standard: Xu Yuna, Shanggong Xiaoli, Min Jinghua, in particular, the public, Lu Lvwen, Ni Wenjing, Wang Lianqiang, Yu Jingtao, Fu Zhigao, Zhao Yingqing, Lu Puming, Wang Shuguang, Yu Zhonghua, Han Shuoxiang, Wei Jun, Cheng Yuqi, Kong Xianglin, Wu Minhua, Li Hua, Li Yang.
This standard replaces the following previously issued standards:
--- GB/T 22081-2008.
Introduction
0.1 Background and context
This standard is intended to be used by organizations as a reference for selecting controls in the process of implementing an information security management system (ISMS) based on GB/T 22080 [10], or as a guide for organizations implementing commonly accepted information security controls. After considering their specific information security risk environment, it can also be used to develop information security management guidelines for particular industries and particular organizations.
Organizations of all types and sizes (including the public and private sectors, commercial organizations and non-profit organizations) collect, process, store and transmit information in many forms, including electronic, physical and verbal (e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images themselves: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and the related processes, systems, networks and the personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and therefore deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats, and the related processes, systems, networks and personnel have inherent vulnerabilities. Changes to business processes and systems, or other external changes (such as new laws and regulations), may create new information security risks. Because there are many ways in which threats could exploit vulnerabilities to harm the organization, information security risk is always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and thereby reduces the impact on its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved where necessary to ensure that the organization's specific security and business objectives are met. An ISMS as specified in GB/T 22080 [10] takes a holistic, coordinated view of the organization's information security risks so that a comprehensive set of information security controls can be implemented within the overall framework of a coherent management system.
From the perspective of GB/T 22080 [10] and this standard, many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful information security management system requires the support of all employees in the organization; it may also require the participation of shareholders, suppliers or other external parties, and specialist advice from outside parties.
More generally, effective information security also assures management and other stakeholders that the organization's assets are reasonably secure and protected from harm, thereby acting as a business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
a) the assessment of risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, the vulnerability to and likelihood of their occurrence is evaluated, and the potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that the organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) the set of principles, objectives and business requirements for information handling, processing, storage, communication and archiving that the organization has developed to support its operations.
The resources spent on implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of the risk assessment help guide and determine appropriate management actions and priorities for managing information security risks, and for implementing the controls selected to protect against those risks.
ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate.
The selection of controls depends on the organization's decisions based on its risk acceptance criteria, risk treatment options and the general risk management approach applied by the organization, and should also be subject to all relevant national legislation and regulations. The selection of controls also depends on the way in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered guiding principles for information security management and are applicable to most organizations. Each control is followed by detailed implementation guidance. More information on selecting controls and other risk treatment options can be found in ISO/IEC 27005 [11].
0.4 Developing the organization's own guidelines
This standard can serve as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this standard will be applicable to every organization, and additional controls and guidelines not included in this standard may be needed. When documents containing additional controls and guidelines are developed, it may be useful to include cross-references to the clauses of this standard to support compliance checking by auditors and business partners.
0.5 Lifecycle considerations
Information has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and risks to, information assets may vary during their lifecycle (for example, the harm caused by unauthorized disclosure or theft of a company's financial accounts is far less once they have been formally published), but information security remains important to some degree at all stages.
Information systems have a lifecycle within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking into account actual security incidents and current and projected information security risks.
0.6 Related standards
This standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations; other standards in the information security management system family provide complementary advice or requirements on other aspects of the overall process of managing information security.
For a general introduction to information security management system standards, see ISO/IEC 27000. ISO/IEC 27000 provides a glossary that formally defines most of the terms used throughout the ISMS family of standards and describes the scope and objectives of each member of the family.
Information technology - Security techniques - Code of practice for information security controls
1 Scope
This standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into account the organization's information security risk environment.
This standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an information security management system based on GB/T 22080 [10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary (Information technology - Security techniques - Information security management systems - Overview and vocabula...