ISO/IEC 27010:2015
Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
ISO/IEC 27010:2015 provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities. This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods. This International Standard is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization's or nation state's critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities.
Technologies de l'information — Techniques de sécurité — Gestion de la sécurité de l'information des communications intersectorielles et interorganisationnelles
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27010
Second edition
2015-11-15
Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
Technologies de l’information — Techniques de sécurité — Gestion de la sécurité de l’information des communications intersectorielles et interorganisationnelles
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Concepts and justification
  4.1 Introduction
  4.2 Information sharing communities
  4.3 Community management
  4.4 Supporting entities
  4.5 Inter-sector communication
  4.6 Conformity
  4.7 Communications model
5 Information security policies
  5.1 Management direction for information security
    5.1.1 Policies for information security
    5.1.2 Review of the policies for information security
6 Organization of information security
7 Human resource security
  7.1 Prior to employment
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
  7.3 Termination and change of employment
8 Asset management
  8.1 Responsibility for assets
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    8.2.1 Classification of information
    8.2.2 Labelling of information
    8.2.3 Handling of assets
  8.3 Media handling
  8.4 Information exchanges protection
    8.4.1 Information dissemination
    8.4.2 Information disclaimers
    8.4.3 Information credibility
    8.4.4 Information sensitivity reduction
    8.4.5 Anonymous source protection
    8.4.6 Anonymous recipient protection
    8.4.7 Onwards release authority
9 Access control
10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management
11 Physical and environmental security
12 Operations security
  12.1 Operational procedures and responsibilities
  12.2 Protection from malware
    12.2.1 Controls against malware
  12.3 Backup
  12.4 Logging and monitoring
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
    12.4.4 Clock synchronization
  12.5 Control of operational software
  12.6 Technical vulnerability management
  12.7 Information systems audit considerations
    12.7.1 Information systems audit controls
    12.7.2 Community audit rights
13 Communications security
  13.1 Network security management
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures
    13.2.2 Agreements on information transfer
    13.2.3 Electronic messaging
    13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security policy for supplier relationships
...