www.ChineseStandard.net Database: 189759 (19 Oct 2025)

GB/T 22081-2024 English PDF

US$3074.00 · In stock
Delivery: <= 13 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 22081-2024: Cybersecurity technology - Information security controls
Status: Valid

GB/T 22081: Evolution and historical versions

Standard ID | Contents [version] | USD | STEP 2 | [PDF] delivered in | Standard Title (Description) | Status
GB/T 22081-2024 | English | 3074 | Add to Cart | 13 days [Need to translate] | Cybersecurity technology - Information security controls | Valid
GB/T 22081-2016 | English | 370 | Add to Cart | 0--9 seconds, auto-delivery | Information technology -- Security techniques -- Code of practice for information security controls | Valid
GB/T 22081-2008 | English | RFQ | ASK | 8 days [Need to translate] | Information technology -- Security techniques -- Code of practice for information security management | Obsolete

Standard similar to GB/T 22081-2024

GB/T 22240   GB/T 22239   GB/T 22080   

Basic data

Standard ID GB/T 22081-2024 (GB/T22081-2024)
Description (Translated English) Cybersecurity technology - Information security controls
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.030
Word Count Estimation 154,156
Date of Issue 2024-10-29
Date of Implementation 2025-04-01
Older Standard (superseded by this standard) GB/T 22081-2016
Issuing agency(ies) State Administration for Market Regulation, China National Standardization Administration

GB/T 22081-2024: Cybersecurity technology - Information security controls

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replaces GB/T 22081-2016
Cybersecurity technology - Information security controls
(ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection - Information security controls)
Released on 2024-09-29; implemented on 2025-04-01
Issued by the State Administration for Market Regulation and the National Standardization Administration

Table of Contents

Preface V
Introduction VI
1 Scope 1
2 Normative references 1
3 Terms, definitions and abbreviations 1
3.1 Terms and definitions 1
3.2 Abbreviations 5
4 Document structure 6
4.1 Clauses 6
4.2 Themes and attributes 7
4.3 Control layout 7
5 Organizational controls 8
5.1 Information security policy 8
5.2 Information security roles and responsibilities 10
5.3 Separation of duties 11
5.4 Management responsibilities 12
5.5 Contact with competent authorities 13
5.6 Contact with specific interested parties 13
5.7 Threat intelligence 14
5.8 Information security in project management 15
5.9 Inventory of information and other related assets 17
5.10 Acceptable use of information and other related assets 18
5.11 Return of assets 19
5.12 Information classification 20
5.13 Information labelling 21
5.14 Information transfer 23
5.15 Access control 25
5.16 Identity management 26
5.17 Authentication information 27
5.18 Access rights 29
5.19 Information security in supplier relationships 30
5.20 Addressing information security in supplier agreements 32
5.21 Managing information security in the ICT supply chain 34
5.22 Monitoring, review and change management of supplier services 35
5.23 Information security for use of cloud services 37
5.24 Information security incident management planning and preparation 38
5.25 Assessment of and decision on information security events 40
5.26 Response to information security incidents 41
5.27 Learning from information security incidents 42
5.28 Collection of evidence 42
5.29 Information security during disruption 43
5.30 ICT readiness for business continuity 44
5.31 Legal, regulatory and contractual requirements 46
5.32 Intellectual property rights 47
5.33 Protection of records 48
5.34 Privacy and protection of personally identifiable information 49
5.35 Independent review of information security 50
5.36 Compliance with information security policies, rules and standards 51
5.37 Documented operating procedures 52
6 People controls 53
6.1 Screening 53
6.2 Terms and conditions of employment 54
6.3 Information security awareness, education and training 55
6.4 Disciplinary process 57
6.5 Responsibilities after termination or change of employment 58
6.6 Confidentiality or non-disclosure agreements 59
6.7 Remote working 60
6.8 Reporting of information security events 61
7 Physical controls 62
7.1 Physical security perimeters 62
7.2 Physical entry 63
7.3 Security of offices, rooms and facilities 64
7.4 Physical security monitoring 65
7.5 Protection against physical and environmental threats 66
7.6 Working in secure areas 67
7.7 Clear desk and clear screen 68
7.8 Equipment siting and protection 69
7.9 Security of assets outside the organization's premises 70
7.10 Storage media 71
7.11 Supporting utilities 72
7.12 Cabling security 73
7.13 Equipment maintenance 74
7.14 Secure disposal or re-use of equipment 75
8 Technological controls 76
8.1 User endpoint devices 76
8.2 Privileged access rights 78
8.3 Information access restriction 79
8.4 Access to source code 80
8.5 Secure authentication 81
8.6 Capacity management 83
8.7 Protection against malware 84
8.8 Management of technical vulnerabilities 85
8.9 Configuration management 88
8.10 Information deletion 90
8.11 Data masking 91
8.12 Data leakage prevention 92
8.13 Information backup 93
8.14 Redundancy of information processing facilities 95
8.15 Logging 96
8.16 Monitoring activities 98
8.17 Clock synchronization 100
8.18 Use of privileged utility programs 100
8.19 Installation of software on operational systems 101
8.20 Network security 102
8.21 Security of network services 104
8.22 Segregation of networks 105
8.23 Web filtering 106
8.24 Use of cryptography 106
8.25 Secure development life cycle 108
8.26 Application security requirements 109
8.27 Secure system architecture and engineering principles 111
8.28 Secure coding 113
8.29 Security testing in development and acceptance 115
8.30 Outsourced development 116
8.31 Separation of development, test and production environments 117
8.32 Change management 118
8.33 Test information 119
8.34 Protection of information systems during audit testing 120
Appendix A (Informative) Use of attributes 122
A.1 Overview 122
A.2 Organizational views 132
Appendix B (Informative) Correspondence between this document and GB/T 22081-2016 133
References 143

Foreword

This document was drafted in accordance with the rules given in GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document replaces GB/T 22081-2016 "Information technology - Security techniques - Code of practice for information security controls". Compared with GB/T 22081-2016, in addition to structural adjustments and editorial changes, the main technical change is as follows:
--- Controls have been merged, deleted and added; the correspondence with GB/T 22081-2016 is given in Appendix B.

This document is identical to ISO/IEC 27002:2022 "Information security, cybersecurity and privacy protection - Information security controls". The following minimal editorial change was made to this document:
--- To be consistent with the existing national cybersecurity standards, the title of the standard was changed to "Cybersecurity technology - Information security controls".

Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume responsibility for identifying patents.

This document was proposed by and is under the jurisdiction of the National Cybersecurity Standardization Technical Committee (SAC/TC 260).

Drafting organizations of this document: Beijing CESI Technology Development Co., Ltd., China National Accreditation Service for Conformity Assessment, China Great Wall Network System Application Co., Ltd., China Cyber Security Review Technology and Certification Center, Beijing CESI Certification Co., Ltd., Beijing Times Xinwei Information Technology Co., Ltd., Beijing Jiangnan Tianan Technology Co., Ltd., Shandong Institute of Standardization, Sichuan University, Hangzhou Anheng Information Technology Co., Ltd., Heilongjiang Cyberspace Research Center, Shanghai Pudong Development Bank Co., Ltd. Credit Card Center, Beijing Baidu Netcom Technology Co., Ltd., AsiaInfo Technologies (Chengdu) Co., Ltd., Industrial Internet Innovation Center (Shanghai) Co., Ltd., Alibaba Cloud Computing Co., Ltd., Lenovo (Beijing) Co., Ltd., Sangfor Technologies Co., Ltd., Venustech Information Technology Group Co., Ltd., Kylin Software Co., Ltd., Ehang Technology Co., Ltd., China Certification Center Co., Ltd., Beijing Shuanxing Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., China National Cybersecurity Information Technology Co., Ltd., Beijing Topsec Network Security Technology Co., Ltd., National Information Technology Security Research Center, Beijing Blue Elephant Standard Consulting Service Co., Ltd., Xiamen Meiyou Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Inspur Electronic Information Industry Co., Ltd., China Science and Technology Information Security Common Technology National Engineering Research Center Co., Ltd., Shaanxi Provincial Network and Information Security Evaluation Center, Midea Group Co., Ltd., Zhongneng Fusion Wisdom Technology Co., Ltd., Beijing Shenzhou Green Alliance Technology Co., Ltd., Huawei Technologies Co., Ltd., Beijing Times Yixin Technology Co., Ltd., Beijing Yuanbao Technology Co., Ltd., State Grid Xinjiang Electric Power Co., Ltd. Electric Power Research Institute, Beijing Kuaishou Technology Co., Ltd.

Main drafters of this document: Shangguan Xiaoli, Wang Jiao, Wang Bingzheng, Gan Junjie, Fu Zhigao, Min Jinghua, You Qi, Zhao Lihua, Xu Yuna, Wang Lianqiang, Chen Guanzhi, Zhu Xuefeng, Gong Wei, Lin Yanghuichen, Hu Yong, Zhao Yujie, Chen Xing, Li Rui, Wang Hansheng, Tie Jincheng, Li Wenqing, Guo Jianling, Liao Shuangxiao, Qin Feng, Huang Zhengyan, Shi Chenchen, Liu Chen, Yang Tianshi, Yang Zhaojun, Zhao Xiang, Xia Fang, Liu Yuhong, Xie Jiang, Ruan Yizong, Xie Qin, Zhu Song, Xiao Tingting, Zhang Debao, Huang Penghua, Zhang Yajing, Gao Liqin, Hu Jianxun, Yang Fan, Zhang Liangliang, Liu Changchuan, Cheng Luyang, Zhang Zhe, Yi Tianshu, Yu Xiaoxin, Gu Jun, Zou Zhenwan, Liu Haijun, Yuan Yingying and Wang Xin.

The previous editions of this document and the documents it replaces are as follows:
--- First published as GB/T 22081-2008 in 2008 and first revised in 2016;
--- This is the second revision.

Introduction

0.1 Background

This document is applicable to organizations of all types and sizes. It serves as a reference for organizations in determining and implementing the controls required for treating information security risks; it also serves as a reference for organizations in determining and implementing generally accepted information security controls. In addition, this document can be used to prepare information security management guidelines for specific industries or organizations. Beyond the controls contained in this document, the controls required by a specific organization or environment can be determined through risk assessment.

Organizations of all types and sizes (public and private, commercial and non-profit) create, collect, process, store, transmit and dispose of information in many forms, including electronic, physical and oral (such as conversations and presentations). The value of information goes beyond words, numbers and images: knowledge, concepts, opinions and brands are all intangible information. In an interconnected world, information and related assets deserve or need to be protected against risks from various sources, whether natural, accidental or deliberate.

Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures, and hardware and software functions. The organization should define, implement, monitor, review and improve these controls as necessary to meet its specific security and business objectives. The Information Security Management System (ISMS) specified in GB/T 22080 examines the information security risks of an organization from a holistic and coordinated perspective, identifying and implementing a comprehensive set of information security controls within the overall framework of a coherent management system.

Many information systems, including their management and operation, have not been designed to be secure in the sense of GB/T 22080 and this document. Risk treatment requires careful planning and attention to detail in order to determine which controls to implement. A successful ISMS requires the support of all personnel within the organization and may also require the involvement of other stakeholders such as shareholders or suppliers; advice from industry experts may also be needed.

An appropriate, adequate and effective information security management system provides the organization's management and other interested parties with the assurance that their information and other related assets are kept reasonably secure and protected from threats and harm, thereby enabling the organization to achieve its stated business objectives.

0.2 Information security requirements

It is essential that an organization determine its information security requirements. Information security requirements come from three main sources:
a) Assessment of the organization's risks, taking into account the organization's overall business strategy and objectives. This can be accomplished through an information security-specific risk assessment, which should result in a determination of the controls necessary to ensure that the residual risk faced by the organization meets its risk acceptance criteria.
b) The legal, statutory, regulatory and contractual requirements that the organization and its stakeholders (trading partners, service providers, etc.) must comply with, and their socio-cultural environment.
c) The set of principles, objectives and business requirements established by the organization for all steps of the information life cycle to support its operations.

0.3 Controls

A control is defined as a measure that modifies or maintains a risk. Some of the controls in this document modify risk, while others maintain risk. For example, an information security policy can only maintain risk, while compliance with the information security policy can modify risk. In addition, some controls describe. This document provides a range of organizational, human, physical and technical information security controls derived from internationally recognized best practices.

0.4 Determining controls

The determination of controls depends on the decisions made by the organization after risk assessment, with a clearly defined scope. Decisions on controls should be based on the risk acceptance criteria, risk treatment options and risk management approach adopted by the organization. The determination of controls should also take into account all relevant national and international laws and regulations. It also depends on the way different controls interact to provide defence in depth.

An organization can design controls as needed or identify controls from any source. When determining such controls, the organization should compare the resources and investment required to implement and operate a control against the business value that the control achieves. See ISO/IEC TR 27016, which provides guidance on making ISMS investment decisions and on the economic consequences of those decisions in the context of competing resource demands.

A balance should be struck between the resources deployed to implement controls and the potential business impact of security incidents in the absence of those controls. The results of the risk assessment should help guide and determine appropriate management actions, priorities for managing information security risks, and the implementation of the controls identified as necessary to protect against those risks.

Some of the controls in this document can be considered guiding principles for information security management and are applicable to most organizations. For more information on other risk treatment options, see ISO/IEC 27005.

0.5 Developing organization-specific guidelines

This document can be considered a starting point for developing organization-specific guidelines. Not all controls and guidance in this document are applicable to all organizations. Organizations may also require additional controls and guidance not included in this document to meet their specific needs and address the risks they have identified. When documents containing additional guidance or controls are prepared, cross-references to the clauses of this document may be included to facilitate subsequent reference.

0.6 Life cycle considerations

Information has a life cycle from creation to destruction. Throughout its life cycle, the value of information and the risks it faces may change (e.g., unauthorized disclosure or theft of a company's financial accounts is not significant after they have been published, but their integrity remains critical); therefore, information security is important at all stages.

Information systems and other assets related to information security have a life cycle that includes conception, specification, design, development, testing, implementation, use, and maintenance. Information security should be considered at every stage. New system development projects and changes to existing systems should take into account the risks to the organization and the lessons learned from security incidents, which provide opportunities for improving security controls.

0.7 Related standardization documents

This document provides guidance on broad information security controls that are commonly applied to all types of organizations. Some industry-specific standardization documents provide additional controls for specific areas (e.g., ISO/IEC 27017 for cloud services, ISO/IEC 27701 for privacy protection, ISO/IEC 27019 for energy, ISO/IEC 27011 for telecommunications organizations and ISO 27799 for health). These standardization documents are included in the references, and some of them are referenced in the "Guidance" and "Other information" entries of Clauses 5 to 8.

Cybersecurity technology - Information security controls

1 Scope

This document provides a reference set of common information security controls, including implementation guidance. This document applies to:
a) organizations implementing an Information Security Management System (ISMS) based on ISO/IEC 27001;
b) organizations implementing information security controls based on internationally recognized best practices;
c) organizations preparing their own information security management guidelines.

2 Normative references

This document has no normative references.

3 Terms, definitions and abbreviations

3.1 Terms and definitions

The following terms and definitions apply to this document.

3.1.1 access control
Means of ensuring that physical and logical access to assets (3.1.2) is authorized and restricted based on business and information security requirements.

3.1.2 asset
Anything that has value to the organization.
Note: In the context of information security, there are two types of assets:
--- Primary assets:
● information;
● business processes (3.1.27) and activities.
--- Supporting assets of all types (assets on which the primary assets depend), such as:
● hardware;
● software;
● network;
● personnel (3.1.20);
● site;
● organizational structure.

3.1.3 attack
Any unauthorized attempt to destroy, alter, disable or access assets (3.1.2), whether successful or unsuccessful, or any unauthorized attempt to disclose, steal or make use of assets.

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 22081-2024_English be delivered?

Answer: Upon your order, we will start to translate GB/T 22081-2024_English as soon as possible, and keep you informed of the progress. The lead time is typically 9 ~ 13 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 22081-2024_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 22081-2024_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 22081-2024?

Answer: Yes. Except in special scenarios such as technical constraints or academic study, you should always prioritize purchasing the latest version, GB/T 22081-2024, even if the enforcement date is in the future. Complying with the latest version means that, by default, it also technically complies with all the earlier versions.