ISO 27001 Information Security Management System Standard (Chinese Version)

Updated: 2023-07-06 13:35:19

ISO Standard: IEC 27001:2005
Information security management systems: specification with guidance for use
Reference number: ISO/IEC 27001:2005(E)
0 Introduction
0.1 General
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by interested internal and external parties.
0.2 Process approach
This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.
An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".
The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:
a) understanding an organization's information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8.
The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) governing the security of information systems and networks. This International Standard provides a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.
EXAMPLE 1
A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.
EXAMPLE 2
An expectation might be that if a serious incident occurs — perhaps hacking of an organization's eBusiness web site — there should be people with sufficient training in appropriate procedures to minimize the impact.
0.3 Compatibility with other management systems
This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.
Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
1 Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
NOTE 1: References to 'business' in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence.
NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.
1.2 Application
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7 and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17799:2005, Information technology — Security techniques — Code of practice for information security management
Source: https://www.wtabcd.cn/fanwen/fan/89/1070246.html