ISO_IEC_27701_2019_CH.pdf

INTERNATIONAL STANDARD ISO/IEC 27701, First edition, 2019-08
Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines
Reference number ISO/IEC 27701:2019(E)
© ISO/IEC 2019
Contents (ISO/IEC 27701:2019(E)) ... Page

Foreword ... vii
0 Introduction ... viii
  0.1 General ... viii
  0.2 Compatibility with other management systems ... viii
1 Scope ... 1
2 Normative references ... 1
3 Terms, definitions and abbreviations ... 1
  3.1 joint PII controller ... 1
  3.2 privacy information management system (PIMS) ... 2
4 General ... 2
  4.1 Structure of this document ... 2
  4.2 Application of ISO/IEC 27001:2013 requirements ... 2
  4.3 Application of ISO/IEC 27002:2013 guidelines ... 3
  4.4 Customer ... 4
5 PIMS-specific requirements related to ISO/IEC 27001 ... 4
  5.1 General ... 4
  5.2 Context of the organization ... 4
    5.2.1 Understanding the organization and its context ... 4
    5.2.2 Understanding the needs and expectations of interested parties ... 5
    5.2.3 Determining the scope of the information security management system ... 5
    5.2.4 Information security management system ... 5
  5.3 Leadership ... 5
    5.3.1 Leadership and commitment ... 5
    5.3.2 Policy ... 5
    5.3.3 Organizational roles, responsibilities and authorities ... 5
  5.4 Planning ... 6
    5.4.1 Actions to address risks and opportunities ... 6
    5.4.2 Information security objectives and planning to achieve them ... 7
  5.5 Support ... 7
    5.5.1 Resources ... 7
    5.5.2 Competence ... 7
    5.5.3 Awareness ... 7
    5.5.4 Communication ... 7
    5.5.5 Documented information ... 7
  5.6 Operation ... 7
    5.6.1 Operational planning and control ... 7
  5.7 Performance evaluation ... 8
    5.7.1 Monitoring, measurement, analysis and evaluation ... 8
    5.7.2 Internal audit ... 8
    5.7.3 Management review ... 8
  5.8 Improvement ... 8
    5.8.1 Nonconformity and corrective action ... 8
    5.8.2 Continual improvement ... 8
6 PIMS-specific guidance related to ISO/IEC 27002 ... 8
  6.1 General ... 8
  6.2 Information security policies ... 8
    6.2.1 Management direction for information security ... 8
  6.3 Organization of information security ... 9
    6.3.1 Internal organization ... 9
    6.3.2 Mobile devices and teleworking ... 10
  6.4 Human resource security ... 10
    6.4.1 Prior to employment ... 10
    6.4.2 During employment ... 10
    6.4.3 Termination and change of employment ... 10
  6.5 Asset management ... 11
    6.5.1 Responsibility for assets ... 11
    6.5.2 Information classification ... 11
    6.5.3 Media handling ... 11
  6.6 Access control ... 12
    6.6.1 Business requirements of access control ... 12
    6.6.2 User access management ... 12
    6.6.3 User responsibilities ... 13
    6.6.4 System and application access control ... 13
  6.7 Cryptography ... 14
    6.7.1 Cryptographic controls ... 14
  6.8 Physical and environmental security ... 14
    6.8.1 Secure areas ... 14
    6.8.2 Equipment ... 15
  6.9 Operations security ... 16
    6.9.1 Operational procedures and responsibilities ... 16
    6.9.2 Protection from malware ... 16
    6.9.3 Backup ... 16
    6.9.4 Logging and monitoring ... 17
    6.9.5 Control of operational software ... 18
    6.9.6 Technical vulnerability management ... 18
    6.9.7 Information systems audit considerations ... 18
  6.10 Communications security ... 18
    6.10.1 Network security management ... 18
    6.10.2 Information transfer ... 18
  6.11 Systems acquisition, development and maintenance ... 19
    6.11.1 Security requirements of information systems ... 19
    6.11.2 Security in development and support processes ... 19
    6.11.3 Test data ... 21
  6.12 Supplier relationships ... 21
    6.12.1 Information security in supplier relationships ... 21
    6.12.2 Supplier service delivery management ... 22
  6.13 Information security incident management ... 22
    6.13.1 Management of information security incidents and improvements ... 22
  6.14 Information security aspects of business continuity management ... 24
    6.14.1 Information security continuity ... 24
  6.15 Compliance ... 24
    6.15.1 Compliance with legal and contractual requirements ... 24
    6.15.2 Information security reviews ... 25
7 Additional ISO/IEC 27002 guidance for PII controllers ... 26
  7.1 General ... 26
  7.2 Conditions for collection and processing ... 26
    7.2.1 Identify and document purpose ... 26
    7.2.2 Identify lawful basis ... 26
    7.2.3 Determine when and how consent is to be obtained ... 27
    7.2.4 Obtain and record consent ... 27
    7.2.5 Privacy impact assessment ... 28
    7.2.6 Contracts with PII processors ... 28
    7.2.7 Joint PII controller ... 28
    7.2.8 Records related to processing PII ... 29
  7.3 Obligations to PII principals ... 29
    7.3.1 Determining and fulfilling obligations to PII principals ... 29
    7.3.2 Determining information for PII principals ... 30
    7.3.3 Providing information to PII principals ... 30
    7.3.4 Providing a mechanism to modify or withdraw consent ... 31
    7.3.5 Providing a mechanism to object to PII processing ... 31
    7.3.6 Access, correction and/or erasure ... 31
    7.3.7 PII controllers' obligations to inform third parties ... 32
    7.3.8 Providing a copy of PII processed ... 32
    7.3.9 Handling requests ... 33
    7.3.10 Automated decision making ... 33
  7.4 Privacy by design and privacy by default ... 33
    7.4.1 Limit collection ... 33
    7.4.2 Limit processing ... 34
    7.4.3 Accuracy and quality ... 34
    7.4.4 PII minimization objectives ... 34
    7.4.5 PII de-identification and deletion at the end of processing ... 35
    7.4.6 Temporary files ... 35
    7.4.7 Retention ... 35
    7.4.8 Disposal ... 36
    7.4.9 PII transmission ... 36
  7.5 PII sharing, transfer and disclosure ... 36
    7.5.1 Identify basis for PII transfer between jurisdictions ... 36
    7.5.2 Countries and international organizations to which PII can be transferred ... 36
    7.5.3 Records of transfer of PII ... 37
    7.5.4 Records of PII disclosure to third parties ... 37
8 Additional ISO/IEC 27002 guidance for PII processors ... 37
  8.1 General ... 37
  8.2 Conditions for collection and processing ... 37
    8.2.1 Customer agreement ... 37
    8.2.2 Organization's purposes ... 38
    8.2.3 Marketing and advertising use ... 38
    8.2.4 Infringing instruction ... 38
    8.2.5 Customer obligations ... 39
    8.2.6 Records related to processing PII ... 39
  8.3 Obligations to PII principals ... 39
    8.3.1 Obligations to PII principals ... 39
  8.4 Privacy by default and privacy by design ... 39
    8.4.1 Temporary files ... 40
    8.4.2 Return, transfer or disposal of PII ... 40
    8.4.3 PII transmission controls ... 40
  8.5 PII sharing, transfer and disclosure ... 41
    8.5.1 Basis for PII transfer between jurisdictions ... 41
    8.5.2 Countries and international organizations to which PII can be transferred ... 41
    8.5.3 Records of PII disclosure to third parties ... 41
    8.5.4 Notification of PII disclosure requests ... 42
    8.5.5 Legally binding PII disclosures ... 42
    8.5.6 Disclosure of subcontractors used to process PII ... 42
    8.5.7 Engagement of a subcontractor to process PII ... 42
    8.5.8 Change of subcontractor to process PII ... 43
Annex A ... 44
Annex B ... 48
Annex C ... 51
Annex D ... 53
Annex E ... 56
Annex F ... 59
  F.1 How to apply this standard ... 59
  F.2 Example of refinement of security standards ... 59
Bibliography ... 61

© ISO/IEC 2019 - All rights reserved