ISO/IEC INTERNATIONAL STANDARD 27033-2 First edition 2012-08-01 Information technology Security techniques Network security Part 2: Guidelines for the design and implementation of network security Technologies de I'information - Techniques de sécurité - Sécurite de réseau Partie 2: Lignes directrices pour la conception et I'implémentation de la securitedereseau Reference number ISO/IEC 27033-2:2012(E) IEC so ISO/IEC2012 HS under I without license from IHS Not for Resale ISO/IEC 27033-2:2012(E) COPYRIGHTPROTECTEDDOCUMENT ISO/IEC2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either isO at the address below or IsO's memberbody in the country of the requester. ISO copyright office Case postale 56 : CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland ISO/IEC2012-Allrightsreserved y IHS unde permitted without license from IHS Not for Resale ISO/IEC 27033-2:2012(E) Contents Page Foreword 1 Scope. 1 2 Normative references. 3 Terms and definitions .. 4 Abbreviations. 5 Document structure .. 6 Preparing for design of network security. 6.1 Introduction.. 6.2 Asset identification .... 6.3 Requirements collection.... 6.3.1 Legal and regulatory requirements . 6.3.2 Business requirements. 6.3.3 Performance requirements 6.4 Review requirements .. 6.5 Review of existing designs and implementations ..... 7 Design of network security 7.1 Introduction. 7.2 Design principles. 7.2.1 Introduction.. 7.2.2 Defence in depth... 7.2.3 Network Zones.... 7.2.4 Design resilience. 7.2.5 Scenarios .. 7.2.6 Models and Frameworks... 7.3 Design Sign off.... 8 Implementation .. .8 8.1 Introduction. 8.2 Criteria for Network component selection... 8.3 Criteria for product or vendor selection .... .9 8.4 Network management....... 10 8.5 Logging, monitoring and incident response .... 11 8.6 Documentation .... 8.7 Test plans and conducting testing .... 8.8 Sign off ..... 12 Annex A (informative) Cross-references between IS0/IE 27001:2005/IS0/IEC 27002:2005 network security related controls and ISO/IEc 27033-2:2012 clauses ... 13 Annex B (informative) Example documentation templates ... 14 B.1 Anexamplenetworksecurityarchitecturedocumenttemplate.. 14 B.1.1 Introduction....... B.1.2 Businessrelatedrequirements 14 B.1.3 Technical architecture ... 14 B.1.4 Networkservices 17 B.1.5 Hardware/physical layout...... B.1.6 Software.. 18 B.1.7 Performance... B.1.8 Known issues B.1.9 References 19 CopyrightIntenational Oganizainfrstandardizalion Allrightsreserved ili ted withoutlicensefromIHS Not for Resale