ISO/IEC 27001:2005 standard
Reference number
ISO/IEC 27001:2005(E)
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by interested internal and external parties.
0.2 Process approach
This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".
The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:
a) understanding an organization's information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) governing the security of information systems and networks. This International Standard provides a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.
A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.
An expectation might be that if a serious incident occurs, perhaps hacking of an organization's eBusiness web site, there should be people with sufficient training in appropriate procedures to minimize the impact.
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.
Table 1: PDCA model applied to ISMS processes

Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
NOTE 1: References to 'business' in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management