Reference number
ISO/IEC 27011:2016(E)
© ISO/IEC 2016
INTERNATIONAL STANDARD
ISO/IEC 27011
Second edition
2016-12-01
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
Technologies de l'information — Techniques de sécurité — Code de
bonne pratique pour les contrôles de la sécurité de l'information fondés
sur l'ISO/IEC 27002 pour les organismes de télécommunications
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 CP 401
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
copyright@iso.org
Web www.iso.org
Published in Switzerland
© ISO/IEC 2016 – All rights reserved
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
This second edition cancels and replaces the first edition (ISO/IEC 27011:2008), which has been technically
revised.
ISO/IEC 27011 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as
Rec. ITU-T X.1051.
ITU-T Rec. X.1051 (04/2016)
CONTENTS
1 Scope
2 Normative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Overview
4.1 Structure of this Recommendation | International Standard
4.2 Information security management systems in telecommunications organizations
5 Information security policies
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.3 Termination or change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirement for access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management