INTERNATIONAL STANDARD ISO/IEC 27019
First edition 2017-10

Information technology - Security techniques - Information security controls for the energy utility industry
(Title in French: Technologies de l'information - Techniques de sécurité - Mesures de sécurité de l'information pour l'industrie des opérateurs de l'énergie)

Reference number ISO/IEC 27019:2017(E)
© ISO/IEC 2017

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form ... written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
© ISO/IEC 2017 - All rights reserved

Contents (page)

Foreword
Introduction ... viii
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of the document
  4.1 General ... 4
  4.2 Refinement of ISO/IEC 27001:2013 requirements
  4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013 ... 4
5 Information security policies ... 4
6 Organization of information security ... 4
  6.1 Internal organization
    6.1.1 Information security roles and responsibilities ... 4
    6.1.2 Segregation of duties ... 5
    6.1.3 Contact with authorities ... 5
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management ... 5
    6.1.6 ENR - Identification of risks related to external parties
    6.1.7 ENR - Addressing security when dealing with customers ... 6
  6.2 Mobile devices and teleworking ... 6
    6.2.1 Mobile device policy ... 6
    6.2.2 Teleworking ... 7
7 Human resource security ... 7
  7.1 Prior to employment ... 7
    7.1.1 Screening ... 7
    7.1.2 Terms and conditions of employment
  7.2 During employment ... 8
    7.2.1 Management responsibilities ... 8
    7.2.2 Information security awareness, education and training ... 8
    7.2.3 Disciplinary process ... 8
  7.3 Termination and change of employment ... 8
8 Asset management
  8.1 Responsibility for assets ... 8
    8.1.1 Inventory of assets ... 8
    8.1.2 Ownership of assets ... 9
    8.1.3 Acceptable use of assets ... 9
    8.1.4 Return of assets ... 9
  8.2 Information classification
    8.2.1 Classification of information ... 9
    8.2.2 Labelling of information ... 10
    8.2.3 Handling of assets ... 10
  8.3 Media handling ... 10
9 Access control ... 10
  9.1 Business requirements of access control ... 10
    9.1.1 Access control policy ... 10
    9.1.2 Access to networks and network services ... 10
  9.2 User access management ... 11
    9.2.1 User registration and de-registration ... 11
    9.2.2 User access provisioning ... 11
    9.2.3 Management of privileged access rights ... 11
    9.2.4 Management of secret authentication information of users ... 11

