
( 2.5)
2550

National Electronics and Computer Technology Center
National Science and Technology Development Agency
Ministry of Science and Technology
112 Thailand Science Park, Phahon Yothin Road,
Klong Luang, Pathumthani 12120, THAILAND.
Tel. +66-2-564-6900
Fax. +66-2-564-6901..2


http://www.thaicert.nectec.or.th

e-mail: thaicert@nectec.or.th


( 2.5)
2550




( 2.5) 2550



ISBN: 978-974-229-584-4
1 ( 2550)
1,000

.. 2550 ... .. 2537





Copyright 2007 by:
National Electronics and Computer Technology Center
National Science and Technology Development Agency
Ministry of Science and Technology
112 Thailand Science Park, Phahon Yothin Road, Klong 1, Klong Luang,
Pathumthani 12120, THAILAND.
Tel. +66(2)-564-6900 Fax. +66(2)-564-6901..2
( 2.5) 2550/

.-- :
, 2550
64
ISBN: 978-974-229-584-4
1. . 2. . I. .

658.478 QA 76.9

Thai Computer Emergency Response Team

112 . . . 12120
02-564-6900 02-564-6901..2
URL: http://thaicert.nectec.or.th/ e-mail: thaicert@nectec.or.th





ISO/IEC 27001:2005 ISO/IEC 17799:2005

4,000


( )




........ 9
1 ........ 10
2 ........ 18
3 ........ 20
4 ........ 21
5 ........ 23

........ 25
1. (Security policy) ........ 26
1.1 (Information security policy) ........ 26
2. (Organization of information security) ........ 26
2.1 (Internal organization) ........ 26
2.2 (External parties) ........ 28
3. (Asset management) ........ 29
3.1 (Responsibility for assets) ........ 29
3.2 (Information classification) ........ 30
4. (Human resources security) ........ 30
4.1 (Prior to employment) ........ 30
4.2 (During employment) ........ 31
4.3 (Termination or change of employment) ........ 32
5. (Physical and environmental security) ........ 33
5.1 (Secure areas) ........ 33
5.2 (Equipment security) ........ 34
6. (Communications and operations management) ........ 35
6.1 (Operational procedures and responsibilities) ........ 35
6.2 (Third party service delivery management) ........ 36
6.3 (System planning and acceptance) ........ 37
6.4 (Protection against malicious and mobile code) ........ 38
6.5 (Back-up) ........ 38
6.6 (Network security management) ........ 38
6.7 (Media handling) ........ 39
6.8 (Exchange of information) ........ 40
6.9 (Electronic commerce services) ........ 41
6.10 (Monitoring) ........ 41
7. (Access control) ........ 42
7.1 (Business requirements for access control) ........ 42
7.2 (User access management) ........ 43
7.3 (User responsibilities) ........ 43
7.4 (Network access control) ........ 44
7.5 (Operating system access control) ........ 45
7.6 (Application and information access control) ........ 46
7.7 (Mobile computing and teleworking) ........ 46
8. (Information systems acquisition, development and maintenance) ........ 47
8.1 (Security requirements of information systems) ........ 47
8.2 (Correct processing in applications) ........ 47
8.3 (Cryptographic controls) ........ 48
8.4 (Security of system files) ........ 48
8.5 (Security in development and support processes) ........ 49
8.6 (Technical Vulnerability Management) ........ 50
9. (Information security incident management) ........ 51
9.1 (Reporting information security events and weaknesses) ........ 51
9.2 (Management of information security incidents and improvements) ........ 51
10. (Business continuity management) ........ 52
10.1 (Information security aspects of business continuity management) ........ 52
11. (Compliance) ........ 53
11.1 (Compliance with legal requirements) ........ 53
11.2 (Compliance with security policies and standards, and technical compliance) ........ 55
11.3 (Information systems audit considerations) ........ 55
........ 57
........ 61
1



( ISO/IEC 27001)

1
1.1



Plan-Do-Check-Act P-D-C-A
1

1
Plan-Do-Check-Act

1.2
1.2.1 (Plan)


a)



b)


b.1

b.2

b.3
b.4 ( 1.2.1 c)
b.5
c)
c.1

c.2

d)
d.1

d.2
d.3
d.4

e)
e.1




e.2

e.3
e.4

1.2.1) c.2)
f)

f.1
f.2

1.2.1) c.2)
f.3
f.4

g)




h)

i)
j) SoA (Statement of Applicability)




j.1
1.2.1) g)
j.2

j.3

1.2.2
(Do)
a)


b) -

c) 1.1.2) g)

d)



e)
( 2.2.2)
f)

g)
( 2.2)

h)

( 1.2.3 a)

1.2.3
(Check)
a)


a.1
a.2

a.3


a.4


a.5

b)





c)


d)



d.1
d.2
d.3
d.4

d.5
d.6


e)
( 3)
f)
( 4.1)
g)

h)

( 1.3.3)

1.2.4
(Act)
a)

b) 5.2 5.3


c)

d)

1.3
1.3.1


a) 1.2.1 b
b)
c)

d) 1.2.1 c
e) 1.2.1 c to 1.2.1 g
f) 1.2.2 b
g)

1.2.3 c
h) ( 1.3.3)
i) Statement of Applicability
(SoA)


1.3.2



a)
b)
c)
d)
e)
f)


g)
h)
i) ()
j)

1.3.3

1.2

-


-
-


2
2.1

a)
b)
c)
d)



e)

( 2.2.1)
f)
g)

h)

2.2
2.2.1

a)

b)

c)


d)


e)

f)

2.2.2



a)

b) (
)
c) b)

d)

(
1.3.3)

a)

b)
c)
d)






( 1.3.3)




( 5)

4
4.1

( 1 )


( 1.3.3)

4.2

a)

b)
c)


d)
e)

f)
g)
h)

i)

4.3


a)

b)

c)


c.1
c.2
c.3
c.4
c.5
c.6 /
d)
e)


5

5.1

-
-
-
-
-
-

5.2

a)
b)
c)

d)
e) ( 1.3.3)
f)

5.3


a)

b)

c)
d) ( 1.3.3)
e)



2



( ISO/IEC 27001 Annex A

ISO/IEC 17799:2005)


1. (Security policy)

1.1 (Information security policy)





1.1.1 (Information security policy document)
()

1.1.2 (Review of the information security policy)
()

2. (Organization of information security)

2.1 (Internal organization)



2.1.1 (Management commitment to information security)
()


2.1.2 (Information security coordination)
()



2.1.3 (Allocation of information security responsibilities)
()

2.1.4 (Authorization process for information processing facilities)
()

2.1.5 (Confidentiality agreements)
()
(
)

2.1.6 (Contact with authorities)
( )
. .
. (Internet Service Provider)
(ThaiCERT)

2.1.7 (Contact with special interest groups)
()

2.1.8 (Independent review of information security)
()

2.2 (External parties)

2.2.1 (Identification of risks related to external parties)


()

2.2.2 (Addressing security when dealing with customers)
()


2.2.3 (Addressing security in third party agreements)
()

3. (Asset management)

3.1 (Responsibility for assets)


3.1.1 (Inventory of assets)


()

3.1.2 (Ownership of assets)

()
()

3.1.3 (Acceptable use of assets)


()

3.2 (Information classification)


3.2.1 (Classification guidelines)


()


3.2.2 (Information labeling and handling)
()

4. (Human resources security)

4.1 (Prior to employment)


(
)


4.1.1 (Roles and responsibilities)
()

4.1.2 (Screening)
( )
(
)



4.1.3 (Terms and conditions of employment)
()
(
)

4.2 (During employment)






4.2.1 (Management responsibilities)
()

4.2.2 (Information security awareness, education, and training)
( )

4.2.3 (Disciplinary process)


()

4.3 (Termination or change of employment)





4.3.1 (Termination responsibilities)
()


4.3.2 (Return of assets)


()

4.3.3 (Removal of access rights)


()

5. (Physical and environmental security)

5.1 (Secure areas)




5.1.1 (Physical security perimeter)
( )
-
. -

5.1.2 - (Physical entry controls)


( )
-
-
5.1.3 (Securing offices, rooms and facilities)
()

5.1.4 (Protecting against external and environmental threats)
()

5.1.5 (Working in secure areas)
()

5.1.6 (Public access, delivery, and loading areas)
( )

5.2 (Equipment security)





5.2.1 (Equipment siting and protection)
()

5.2.2 (Supporting utilities)


()



5.2.3 (Cabling security)


( )

5.2.4 (Equipment maintenance)


()

5.2.5 (Security of equipment off-premises)
()


5.2.6 (Secure disposal or re-use of equipment)
()

5.2.7 (Removal of property)


()

6. (Communications and operations management)
6.1 (Operational procedures and responsibilities)

6.1.1 (Documented operating procedures)
()

6.1.2 (Change management)
()

6.1.3 (Segregation of duties)


()

6.1.4 (Separation of development, test, and operational facilities)
( )

6.2 (Third party service delivery management)

6.2.1 (Service delivery)


()


6.2.2 (Monitoring and review of third party services)
()


6.2.3 (Managing changes to third party services)
()

6.3 (System planning and acceptance)

6.3.1 (Capacity management)
( )

6.3.2 (System acceptance)


()

6.4 (Protection against malicious and mobile code)

6.4.1 (Controls against malicious code)


( )

6.4.2 (Controls against mobile code)


()
(
)

6.5 (Back-up)

6.5.1 (Information back-up)


()

6.6 (Network security management)

6.6.1 (Network controls)


( )


6.6.2 (Security of network services)
()

6.7 (Media handling)




6.7.1 (Management of removable media)
()

6.7.2 (Disposal of media)


()


6.7.3 (Information handling procedures)
()

6.7.4 (Security of system documentation)
()

6.8 (Exchange of information)




6.8.1 (Information exchange policies and procedures)
( )
(
)
6.8.2 (Exchange agreements)
()

6.8.3 (Physical media in transit)
()

6.8.4 (Electronic messaging)


()

6.8.5 (Business information systems)
()


6.9 (Electronic commerce services)

6.9.1 (Electronic commerce)


()


6.9.2 (On-line transactions)
()
-
-

6.9.3 (Publicly available information)
()

6.10 (Monitoring)

6.10.1 (Audit logging)
()

6.10.2 (Monitoring system use)

()

6.10.3 (Protection of log information)
()

6.10.4 (Administrator and operator logs)
()

6.10.5 (Fault logging)


()

6.10.6 (Clock synchronization)


( )

7. (Access control)

7.1 (Business requirements for access control)

7.1.1 (Access control policy)
()


7.2 (User access management)

7.2.1 (User registration)


()



7.2.2 (Privilege management)
()

7.2.3 (User password management)


( )

7.2.4 (Review of user access rights)


()

7.3 (User responsibilities)


7.3.1 (Password use)


( )

7.3.2 (Unattended user equipment)


()

7.3.3 (Clear desk and clear screen policy)
()

7.4 (Network access control)



7.4.1 (Policy on use of network services)
( )

7.4.2 (User authentication for external connections)
()

7.4.3 (Equipment identification in networks)
()

7.4.4 (Remote diagnostic and configuration port protection)
()

7.4.5 (Segregation in networks)


( )


7.4.6 (Network connection control)
()


7.4.7 (Network routing control)
()

7.5 (Operating system access control)



7.5.1 (Secure log-on procedures)
()

7.5.2 (User identification and authentication)
()

7.5.3 (Password management system)


( )

7.5.4 (Use of system utilities)


( )

7.5.5 (Session time-out)
()

7.5.6 (Limitation of connection time)
( )

7.6 (Application and information access control)

7.6.1 (Information access restriction)


( )

7.6.2 (Sensitive system isolation)


()

7.7 (Mobile computing and teleworking)

7.7.1 (Mobile computing and communications)
()
( notebook, palm laptop )

7.7.2 (Teleworking)


()

8. (Information systems acquisition, development and maintenance)

8.1 (Security requirements of information systems)

8.1.1 (Security requirements analysis and specification)
( )

8.2 (Correct processing in applications)

8.2.1 (Input data validation)


( )

8.2.2 (Control of internal processing)
()


8.2.3 (Message integrity)
()
(
)

8.2.4 (Output data validation)


()

8.3 (Cryptographic controls)


8.3.1 (Policy on the use of cryptographic controls)
( )

8.3.2 (Key management)
()

8.4 (Security of system files)

8.4.1 (Control of operational software)


()


8.4.2 (Protection of system test data)
( )

8.4.3 (Access control to program source code)
()

8.5 (Security in development and support processes)

8.5.1 (Change control procedures)
()


8.5.2 (Technical review of applications after operating system changes)

()


8.5.3 (Restrictions on changes to software packages)
()

8.5.4 (Information leakage)


()

8.5.5 (Outsourced software development)
()

8.6 (Technical Vulnerability Management)


8.6.1 (Control of technical vulnerabilities)
( )


9. (Information security incident management)

9.1 (Reporting information security events and weaknesses)


9.1.1 (Reporting information security events)
(
)

9.1.2 (Reporting security weaknesses)
(
)

9.2 (Management of information security incidents and improvements)

9.2.1 (Responsibilities and procedures)

()


9.2.2 (Learning from security incidents)
( )



9.2.3 (Collection of evidence)
()

10. (Business continuity management)

10.1 (Information security aspects of business continuity management)

10.1.1 (Including information security in the business continuity management process)
( )


10.1.2 (Business continuity and risk assessment)
()

10.1.3 (Developing and implementing continuity plans including information security)
( )


10.1.4 (Business continuity planning framework)
( )



10.1.5 (Testing, maintaining and re-assessing business continuity plans)
()

11. (Compliance)

11.1 (Compliance with legal requirements)


11.1.1 (Identification of applicable legislation)
()
( )

11.1.2 (Intellectual property rights (IPR))

(
)

11.1.3 (Protection of organizational records)
()


11.1.4 (Data protection and privacy of personal information)
( )

11.1.5 (Prevention of misuse of information processing facilities)
()


11.1.6 (Regulation of cryptographic controls)
()

11.2 (Compliance with security policies and standards, and technical compliance)

11.2.1 (Compliance with security policies and standards)
()

11.2.2 (Technical compliance checking)
()

11.3 (Information systems audit considerations)

11.3.1 (Information systems audit controls)
()


11.3.2 (Protection of information systems audit tools)
()
( )






(User Account)
(Email Account)



/


Critical Infrastructure

= 1
= 1 - 100
= 100

= 10,000
= 10,000 - 100,000
= 100,000

=
= 1
= 1

0 =
1 =


(Incidental Damage)




1. .

2. .

3. .

4.


5. .


1. .

2. .

3. ..

4. ..

5.

6. ..

7. ..

8.


9.

10.

11.


1. ..

2. ..

