INTERNATIONAL STANDARD
ISO/IEC 27701
First edition
2019-08

Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines

Reference number
ISO/IEC 27701:2019(E)
© ISO/IEC 2019

Contents ........ Page
Foreword ........ vii
0 Introduction ........ viii
0.1 General ........ viii
0.2 Compatibility with other management system standards ........ viii
1 Scope ........ 1
2 Normative references ........ 1
3 Terms, definitions and abbreviations ........ 1
3.1 Joint PII controller ........ 1
3.2 Privacy information management system (PIMS) ........ 2
4 General ........ 2
4.1 Structure of this document ........ 2
4.2 Application of ISO/IEC 27001:2013 requirements ........ 2
4.3 Application of ISO/IEC 27002:2013 guidelines ........ 3
4.4 Customer ........ 4
5 PIMS-specific requirements related to ISO/IEC 27001 ........ 4
5.1 General ........ 4
5.2 Context of the organization ........ 4
5.2.1 Understanding the organization and its context ........ 4
5.2.2 Understanding the needs and expectations of interested parties ........ 5
5.2.3 Determining the scope of the information security management system ........ 5
5.2.4 Information security management system ........ 5
5.3 Leadership ........ 5
5.3.1 Leadership and commitment ........ 5
5.3.2 Policy ........ 5
5.3.3 Organizational roles, responsibilities and authorities ........ 5
5.4 Planning ........ 6
© ISO/IEC 2019 – All rights reserved
i
5.4.1 Actions to address risks and opportunities ........ 6
5.4.2 Information security objectives and planning to achieve them ........ 7
5.5 Support ........ 7
5.5.1 Resources ........ 7
5.5.2 Competence ........ 7
5.5.3 Awareness ........ 7
5.5.4 Communication ........ 7
5.5.5 Documented information ........ 7
5.6 Operation ........ 7
5.6.1 Operational planning and control ........ 7
5.7 Performance evaluation ........ 8
5.7.1 Monitoring, measurement, analysis and evaluation ........ 8
5.7.2 Internal audit ........ 8
5.7.3 Management review ........ 8
5.8 Improvement ........ 8
5.8.1 Nonconformity and corrective action ........ 8
5.8.2 Continual improvement ........ 8
6 PIMS-specific guidance related to ISO/IEC 27002 ........ 8
6.1 General ........ 8
6.2 Information security policies ........ 8
6.2.1 Management direction for information security ........ 8
6.3 Organization of information security ........ 9
6.3.1 Internal organization ........ 9
6.3.2 Mobile devices and teleworking ........ 10
6.4 Human resource security ........ 10
6.4.1 Prior to employment ........ 10
6.4.2 During employment ........ 10
6.4.3 Termination and change of employment ........ 10
6.5 Asset management ........ 11
6.5.1 Responsibility for assets ........ 11
6.5.2 Information classification ........ 11
6.5.3 Media handling ........ 11
6.6 Access control ........ 12
6.6.1 Business requirements of access control ........ 12
6.6.2 User access management ........ 12
6.6.3 User responsibilities ........ 13
6.6.4 System and application access control ........ 13
6.7 Cryptography ........ 14
6.7.1 Cryptographic controls ........ 14
6.8 Physical and environmental security ........ 14
6.8.1 Secure areas ........ 14
6.8.2 Equipment ........ 15
6.9 Operations security ........ 16
6.9.1 Operational procedures and responsibilities ........ 16
6.9.2 Protection from malware ........ 16
6.9.3 Backup ........ 16
6.9.4 Logging and monitoring ........ 17
6.9.5 Control of operational software ........ 18
6.9.6 Technical vulnerability management ........ 18
6.9.7 Information systems audit considerations ........ 18
6.10 Communications security ........ 18
6.10.1 Network security management ........ 18
6.10.2 Information transfer ........ 18
6.11 Systems acquisition, development and maintenance ........ 19
6.11.1 Security requirements of information systems ........ 19
6.11.2 Security in development and support processes ........ 19
6.11.3 Test data ........ 21
6.12 Supplier relationships ........ 21
6.12.1 Information security in supplier relationships ........ 21
6.12.2 Supplier service delivery management ........ 22
6.13 Information security incident management ........ 22
6.13.1 Management of information security incidents and improvements ........ 22
6.14 Information security aspects of business continuity management ........ 24
6.14.1 Information security continuity ........ 24
6.15 Compliance ........ 24
6.15.1 Compliance with legal and contractual requirements ........ 24
6.15.2 Information security reviews ........ 25
7 Additional ISO/IEC 27002 guidance for PII controllers ........ 26
7.1 General ........ 26
7.2 Conditions for collection and processing ........ 26
7.2.1 Identify and document purpose ........ 26
7.2.2 Identify lawful basis ........ 26
7.2.3 Determine when and how consent is to be obtained ........ 27
7.2.4 Obtain and record consent ........ 27
7.2.5 Privacy impact assessment ........ 28
7.2.6 Contracts with PII processors ........ 28
7.2.7 Joint PII controller ........ 28
7.2.8 Records related to processing PII ........ 29
7.3 Obligations to PII principals ........ 29
7.3.1 Determining and fulfilling obligations to PII principals ........ 29
7.3.2 Determining information for PII principals ........ 30
7.3.3 Providing information to PII principals ........ 30
7.3.4 Providing mechanism to modify or withdraw consent ........ 31
7.3.5 Providing mechanism to object to PII processing ........ 31
7.3.6 Access, correction and/or erasure ........ 31
7.3.7 PII controllers' obligations to inform third parties ........ 32
7.3.8 Providing copy of PII processed ........ 32
7.3.9 Handling requests ........ 33
7.3.10 Automated decision making ........ 33
7.4 Privacy by design and privacy by default ........ 33
7.4.1 Limit collection ........ 33
7.4.2 Limit processing ........ 34
7.4.3 Accuracy and quality ........ 34
7.4.4 PII minimization objectives ........ 34
7.4.5 PII de-identification and deletion at the end of processing ........ 35
7.4.6 Temporary files ........ 35
7.4.7 Retention ........ 35
7.4.8 Disposal ........ 36
7.4.9 PII transmission ........ 36
7.5 PII sharing, transfer and disclosure ........ 36
7.5.1 Identify basis for PII transfer between jurisdictions ........ 36
7.5.2 Countries and international organizations to which PII can be transferred ........ 36
7.5.3 Records of transfer of PII ........ 37
7.5.4 Records of PII disclosure to third parties ........ 37
8 Additional ISO/IEC 27002 guidance for PII processors ........ 37
8.1 General ........ 37
8.2 Conditions for collection and processing ........ 37
8.2.1 Customer agreement ........ 37
8.2.2 Organization's purposes ........ 38
8.2.3 Marketing and advertising use ........ 38
8.2.4 Infringing instruction ........ 38
8.2.5 Customer obligations ........ 39
8.2.6 Records related to processing PII ........ 39
8.3 Obligations to PII principals ........ 39
8.3.1 Obligations to PII principals ........ 39
8.4 Privacy by design and privacy by default ........ 39
8.4.1 Temporary files ........ 40
8.4.2 Return, transfer or disposal of PII ........ 40
8.4.3 PII transmission controls ........ 40
8.5 PII sharing, transfer and disclosure ........ 41
8.5.1 Basis for PII transfer between jurisdictions ........ 41
8.5.2 Countries and international organizations to which PII can be transferred ........ 41
8.5.3 Records of PII disclosure to third parties ........ 41
8.5.4 Notification of PII disclosure requests ........ 42
8.5.5 Legally binding PII disclosures ........ 42
8.5.6 Disclosure of subcontractors used to process PII ........ 42
8.5.7 Engagement of a subcontractor to process PII ........ 42
8.5.8 Change of subcontractor to process PII ........ 43
Annex A ........ 44
Annex B ........ 48
Annex C ........ 51
Annex D ........ 53
Annex E ........ 56
Annex F ........ 59
F.1 How to apply this document ........ 59
F.2 Example of refinement of security standards ........ 59
Bibliography ........ 61