
BS EN ISO/IEC 27019:2020

$189.07

Information technology. Security techniques. Information security controls for the energy utility industry

Published by: BSI
Publication date: 2020
Number of pages: 48


This document provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:

  • central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;

  • digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;

  • all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;

  • communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;

  • Advanced Metering Infrastructure (AMI) components, e.g. smart meters;

  • measurement devices, e.g. for emission values;

  • digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;

  • energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations;

  • distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;

  • all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);

  • any premises housing the above-mentioned equipment and systems;

  • remote maintenance systems for above-mentioned systems.

This document does not apply to the process control domain of nuclear facilities. This domain is covered by IEC 62645.

This document also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry sector-specific guidance provided in this document.

PDF Catalog

PDF page / Title
5 European foreword
Endorsement notice
11 Foreword
12 0 Introduction
15 1 Scope
2 Normative references
16 3 Terms and definitions
18 4 Structure of the document
4.1 General
4.2 Refinement of ISO/IEC 27001:2013 requirements
4.3 Energy utility industry specific guidance related to ISO/IEC 27002:2013
5 Information security policies
6 Organization of information security
6.1 Internal organization
6.1.1 Information security roles and responsibilities
19 6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.1.6 ENR – Identification of risks related to external parties
20 6.1.7 ENR – Addressing security when dealing with customers
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy
21 6.2.2 Teleworking
7 Human resource security
7.1 Prior to employment
7.1.1 Screening
22 7.1.2 Terms and conditions of employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination and change of employment
8 Asset management
8.1 Responsibility for assets
8.1.1 Inventory of assets
23 8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.1.4 Return of assets
8.2 Information classification
8.2.1 Classification of information
24 8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
9 Access control
9.1 Business requirements of access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
25 9.2 User access management
9.2.1 User registration and de-registration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
26 9.4 System and application access control
9.4.1 Information access restriction
9.4.2 Secure log-on procedures
9.4.3 Password management system
9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code
10 Cryptography
10.1 Cryptography controls
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
27 11 Physical and environmental security
11.1 Secure areas
11.1.1 Physical security perimeter
11.1.2 Physical entry controls
11.1.3 Securing offices, rooms and facilities
11.1.4 Protecting against external and environmental threats
11.1.5 Working in secure areas
11.1.6 Delivery and loading areas
11.1.7 ENR – Securing control centres
28 11.1.8 ENR – Securing equipment rooms
29 11.1.9 ENR – Securing peripheral sites
30 11.2 Equipment
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling security
11.2.4 Equipment maintenance
11.2.5 Removal of assets
31 11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
11.3 ENR – Security in premises of external parties
11.3.1 ENR – Equipment sited on the premises of other energy utility organizations
32 11.3.2 ENR – Equipment sited on customer’s premises
11.3.3 ENR – Interconnected control and communication systems
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
33 12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.2.1 Controls against malware
34 12.3 Back-up
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronization
12.5 Control of operational software
12.5.1 Installation of software on operational systems
35 12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
12.8 ENR – Legacy systems
12.8.1 ENR – Treatment of legacy systems
36 12.9 ENR – Safety functions
12.9.1 ENR – Integrity and availability of safety functions
13 Communications security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
37 13.1.4 ENR – Securing process control data communication
13.1.5 ENR – Logical connection of external process control systems
38 13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
39 14.2.8 System security testing
14.2.9 System acceptance testing
14.2.10 ENR – Least functionality
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
40 15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
41 17.2.2 ENR – Emergency communication
42 18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements
18.1.2 Intellectual property rights
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
43 18.2.3 Technical compliance review
44 Annex A (normative) Energy utility industry specific reference control objectives and controls
47 Bibliography