Purchase the full subscription package now and enjoy a 40% discount, along with free updates for future editions.
AS ISO/IEC 27011:2017
$142.09
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
Adopts ISO/IEC 27011:2016, which defines guidelines supporting the implementation of information security controls in telecommunications organizations.
Table of contents
Header
About this publication
Preface
Introduction
1 Scope
2 Normative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Overview
4.1 Structure of this Recommendation | International Standard
4.2 Information security management systems in telecommunications organizations
4.2.1 Goal
4.2.2 Security considerations in telecommunications
4.2.3 Information assets to be protected
4.2.4 Establishment of information security management
4.2.4.1 How to establish security requirements
4.2.4.2 Assessing security risks
4.2.4.3 Selecting controls
5 Information security policies
6 Organization of information security
6.1 Internal organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.1.1 Screening
7.1.2 Terms and conditions of employment
7.2 During employment
7.3 Termination or change of employment
8 Asset management
8.1 Responsibility for assets
8.1.1 Inventory of assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.1.4 Return of assets
8.2 Information classification
8.2.1 Classification guidelines
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
9 Access control
9.1 Business requirement for access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
11 Physical and environmental security
11.1 Secure areas
11.1.1 Physical security perimeter
11.1.2 Physical entry controls
11.1.3 Securing offices, rooms, and facilities
11.1.4 Protecting against external and environmental threats
11.1.5 Working in secure areas
11.1.6 Delivery and loading areas
11.2 Equipment
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling security
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronization
12.5 Control of operational software
12.5.1 Installation of software on operational systems
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
18 Compliance
Annex A
TEL.9 Access control
TEL.9.5 Network access control
TEL.9.5.1 Telecommunications carrier identification and authentication by users
