BS ISO/IEC 27011:2008 Information technology. Security techniques. Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
BS ISO/IEC 27011 is the international standard that provides guidelines to support the implementation of information security management (ISM) in telecommunications organizations.
The standard is for telecommunications organizations and will enable them to meet baseline ISM requirements of confidentiality, integrity, availability and any other relevant security property of telecommunications.
BS ISO/IEC 27011 establishes guidelines and general principles for initiating, implementing, maintaining, and improving ISM in telecommunications organizations based on BS ISO/IEC 27002 Code of practice for information security management.
BS ISO/IEC 27011 now includes a Telecommunications Extended Control Set which provides new controls and implementation guidance for a telecommunications organization. This has been included in two new Annexes.
It provides an implementation baseline of ISM within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services.
Why should I implement BS ISO/IEC 27011?
Telecommunications organizations that implement BS ISO/IEC 27011 both within and between jurisdictions, will:
- Be able to assure the confidentiality, integrity and availability of the global telecommunications facilities and services
- Have adopted secure collaborative processes and controls ensuring the lowering of risks in the delivery of telecommunications services
- Be able to redeploy resources to more productive activities
- Have adopted a consistent holistic approach to information security
- Be able to improve personal awareness and increase public trust.
What are the objectives of BS ISO/IEC 27011?
BS ISO/IEC 27011 provides practical guidance specially suited for telecommunications organizations on:
- Commonly-accepted goals of information security management specifically suited for telecommunications organizations
- Information security management practices to assist in the building of confidence for telecommunications activities.
Who should use BS ISO/IEC 27011?
BS ISO/IEC 27011 is for telecommunications organizations; anyone responsible for information security; together with security vendors, auditors, telecommunications terminal vendors and application content providers,
It provides them with a common set of general security control objectives based on ISO/IEC 27002, telecommunications sector specific controls, and information security management guidelines allowing for the selection and implementation of such controls.
Contents of BS ISO/IEC 27011 include:
- Normative references
- Structure of this guideline
- Information security management systems in Telecommunications business
- Security Policy
- Organization of information security
- Internal organization
- External parties
- Asset management
- Responsibility for assets
- Information classification
- Human resources security
- Prior to employment
- During employment
- Termination or change of employment
- Physical and environmental security
- Secure areas
- Equipment security
- Communications and operations management
- Operational procedures and responsibilities
- Third party service delivery management
- System planning and acceptance
- Protection against malicious and mobile code
- Network security management
- Media handling
- Exchange of information
- Electric Commerce Service
- Access control
- Business requirement for access control
- User access management
- User responsibilities
- Network access control
- Operating system access control
- Application and information access control
- Mobile computing and teleworking
- Information systems acquisition, development and maintenance
- Security requirements of information systems
- Correct processing in applications
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical Vulnerability Management
- Information security incident management
- Reporting information security events and weaknesses
- Management of information security incidents and improvements
- Business continuity management
- Information security aspects of business continuity management
- Telecommunications Extended Control Set
- Additional Implementation Guidance
Read the Introduction for more information