ISO IEC TS 27022-2021.docx

ISO/IECTSTECHNICA1.27022SPECIFICATIONeditionFirst2021-03Informationtechno1.ogyGuidanceoninformationsecuritymanagementsystemprocessesCOPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2021M11c<hefivdi1.itedotherwise*ri快ChBxXniEX1.msitRiDhmw;Itmiihr<1.ij1.trfvx>CoPwnR.pnttjuiionpostingontheinternetoranInunnu1.withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOatt1.½addressbe1.oworISO*smemberhodyinthecountryofth<?rrcucstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.and©ISO/IEC2021-A1.1.rightsreservedContentsPageForewordivIntroductionv2 Scope13 Normativereferences14 Termsanddefinitions15 Structureandusageofthisdocument26 Overview3Managementprocesses.61raI7 6.2Informationsecuritygovernance/managcmentinterfaceprocess.7CorePiaOCeSSOS971GeneI"31)7.2 Securitypo1.icymanagementProCeSS97.5 RifqiinietiontBeDunkjgririentapFoseJiqMrocess107.6 Informationsecurityrisktreatmentprocess147.7 Securityimp1.ementationmanagementprocess177.8 ProcesstocontFf三三r三csandcomPe1.ence197.9 Informationsecurityincidentmanagementprocess.227.10 Informationsecuritychangemanagementprocess25羽，1.fiW,Wy6§ffi)nPr5?.278 7.13Informationsecurityimprovementprocess31Supportprocesses3381raI338.2 Recordscontro1.process338.3 MMmicationmanQHBraU)C0358.5 Informationsecuritycustomerre1.ationshipmanagementprocess.39AnnexA(informative)Statementofconformityto1SOIEC3300441Bib1.iography“一一“一一M43ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.(ironnwm&MiJform1.SOthjififiqJatemtfd1.t1.entstartiBtdraatua1.NStudrirdsbodiesthmitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interest.Othernj11adonaramtionsrgovernmenta1.andnon-governmenta1.,in1.iaisonwithISOand1EC,a1.soTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceare咽6WifetfIH8节es1.9tfIBMn映丽屈.piJtaFA三Htt三ft酮疝or刷Mdcdtheeditoria1.ru1.esofthe1SOIECDirectives.Part2(seewww.iso.org/direc1.ives).曲麻环迎男裆Wn用印品保节麴IJiRa郴a依曲，鸥跟炳Mc曲廨膈出阴胀叫y忸a嘱刚郃*ubjcc1.rights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmentot4h*domkMw，I1.beintheIntroductionand/orontheISO1.istofPaWHJa)*4kmsreceived(seewww.iso.org/pa1.ents)ortheIEC1.istofpatentdec1.arationsreceived(seePaterHSjeCCh).nytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.tp侬SiOnSeX岬tmbcfc"ttbwMyam三IenPa用NhdardsNitomantogMoutISCKpodtiaifiUnXihXhdWoHd存Organization(VVrTO)princip1.esintheTechnica1.BarrierstoTrade(TBT),seewww.iso.org/iso/foreword.htm1.砧除喉gSC祕A碎H阐切踊眄楞Bis¾1.?CUmWeHMM出监XSO/I邮油ec"on.Wbrmahontechno1.ogy.Anyfeedbackorquestionsonthisdocumentshou1.dbedirectedtotheuser,snationa1.standardsbody.Acomp1.ete1.istingofthesebodiescanbefoundatwww.iso.org/members.1.Hm1.IntroductionAninformationsecuritymanagementsystem(ISMS)inc1.udesaco1.1.ectionofinteractingprocessesandfoofrMWdto9nwfa11DgtiMagRroetwhichThidiUtanattaDfYBddSMrQcereJirrmet)noddItraW如escontro1.sinitia1.edbythem.M触器嘲加都骁Ru温晶催de郴F肿斓hepfg蹄潞解国照Mnten?AJCeSSeSpurp1.融中建龈,mapractica1.app1.icationcanrequireadditiona1.e1.ementssuitedtotheenvironmentandcircumstances.ieiJ?限e捣愉fi曲WM箱破加癌麻帼就秋麻魁盛Simp1.iedbyISO/IEC27001.ThePRMAnyorganizationcandefineprocesseswithadditiona1.e1.ementsinordertotai1.orittoitsspecific1P醐蹩g%需小设Ih辖Ki触!甲E&einBF*目。E&SB群FSFgdR1.g第8券部品KRS坦KG假郴海ts©ISO/IEC2021-A1.1.rightsreservedInformationtechno1.ogyGuidanceoninformationsecuritymanagementsystemprocesses1ScopeThisdocumentdefinesaprocessreferencemode1.(PRM)forthedomainofinformationseritySerti6riaMj"E<tgOft1.2SOIEC33004forprocessreferencemode1.s(see一incorporatetheprocessapproachasdescribedbyISO/IEC27000:2018,4.3.withintheISMS;pt,fc1.f1.tSYifttfifonc15W1standardsoftheISO/IEC27000fami1.yfromthe-supportusersintheoperationofanISMS-thisdocumentiscomp1.ementingtherequirements-orientedperspectiveOf2 Normativereferences1.SO/IEC27003withanoperationa1.process-orientedpointofview.琳<砒烟啊唏Uf丽§SMhiSr电吃阑ent.前f*11nref圆麻州幽即网用eediQbna1.1.M%p1.ies.由Wtentundatedreferences,the1.atesteditionofthereferenceddocument(inc1.udinganyamendments)app1.ies.桂济瞰一2磁脑ewM成赫山OnM腕眦愣SecuritytechniquesInformationsecuritymanagement3 TermsanddefinitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000andthefo1.1.owingapp1.y.ISOandIECmain1.aintermino1.ogica1.databasesforuseinstandardizationatthefo1.1.owingaddresses：ISOOn1.inebrowsingp1.atform:avai1.ab1.eaihps罚WWWriSOQFgobpJTjIECE1.ectropedia:avai1.ab1.eathttp:/www.e1.ectropedia.org/coreprocessprocessthatde1.iversappar