INTERNATIONAL ISO/EEC STANDARD 27001 : Guidance prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system for Microsoft Windows Server 2008 Systems
|ID: xccdf_org.secpod_benchmark_ISO27001_Windows_2008||Date: (C)2015-01-18 (M)2018-02-27|
|Status: draft||Version: Second edition|
|Platform: cpe:/o:microsoft:windows_server_2008:-||Source: [https://www.iso.org]|
This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
It is important that the information security management system is part of and integrated with the organization's processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.
This International Standard can be used by internal and external parties to assess the organization's ability to meet the organization's own information security requirements.
The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only. The control objectives and controls listed are directly derived from and aligned with those listed in ISO/IEC 270O2:2013[1l, Clauses 5 to 18 and are to be used in context with Clause 6.1.3. Below is a high-level overview of the 11 ISO/IEC 27001:2013(E]) requirements (133 ISO 27001 controls).
ISO 27001 : Information Security Management System (ISMS)
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management