ISO/IEC 27001:2005(E)

ISO/IEC 27001:2005
Information security management systems
Specification with guidance for use

Reference number: ISO/IEC 27001:2005(E)
© ISO/IEC 2005 All rights reserved

0 Introduction

0.1 General

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.

This International Standard can be used in order to assess conformance by interested internal and external parties.

0.2 Process approach

This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.

An organization needs to identify and manage many activities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.

The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".

The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:

a) understanding an organization's information security requirements and the need to establish policy and objectives for information security;

b) implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

c) monitoring and reviewing the performance and effectiveness of the ISMS; and

d) continual improvement based on objective measurement.

This International Standard adopts the Plan-Do-Check-Act (PDCA) model, which is applied to structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in Clauses 4, 5, 6, 7 and 8.

The adoption of the PDCA model will also reflect the principles as set out in the OECD Guidelines (2002) governing the security of information systems and networks. This International Standard provides a robust model for implementing the principles in those guidelines governing risk assessment, security design and implementation, security management and reassessment.

EXAMPLE 1: A requirement might be that breaches of information security will not cause serious financial damage to an organization and/or cause embarrassment to the organization.

EXAMPLE 2: An expectation might be that if a serious incident occurs, perhaps hacking of an organization's eBusiness web site, there should be people with sufficient training in appropriate procedures to minimize the impact.

0.3 Compatibility with other management systems

This International Standard is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards. Table C.1 illustrates the relationship between the clauses of this International Standard, ISO 9001:2000 and ISO 14001:2004.

This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.

Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.

Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

1 Scope

1.1 General

This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

NOTE 1: References to "business" in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization's existence.

NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.

1.2 Application

The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information security management

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 asset
anything that has value to the organization.
[ISO/IEC 13335-1:2004]

3.2 availability
the property of being accessible and usable upon demand by an authorized entity.
[ISO/IEC 13335-1:2004]

3.3 confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
[ISO/IEC 13335-1:2004]

3.4 information security
preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
[ISO/IEC 17799:2005]

3.5 information security event
an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
[ISO/IEC TR 18044:2004]

3.6 information security incident
a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
[ISO/IEC TR 18044:2004]

3.7 information security management system (ISMS)
that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

3.8 integrity
the property of safeguarding the accuracy and completeness of assets.
[ISO/IEC 13335-1:2004]

3.9 residual risk
the risk remaining after risk treatment.
[ISO/IEC Guide 73:2002]

3.10 risk acceptance
decision to accept a risk.
[ISO/IEC Guide 73:2002]

3.11 risk analysis
systematic use of information to identify sources and to estimate the risk.
[ISO/IEC Guide 73:2002]

3.12 risk assessment
overall process of risk analysis and risk evaluation.
[ISO/IEC Guide 73:2002]

3.13 risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
[ISO/IEC Guide 73:2002]

3.14 risk management
coordinated activities to direct and control an organization with regard to risk.
[ISO/IEC Guide 73:2002]
NOTE: Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication.

3.15 risk treatment
process of selection and implementation of measures to modify risk.
[ISO/IEC Guide 73:2002]
NOTE: In this International Standard the term "control" is used as a synonym for "measure".

3.16 statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS.
NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations and the organization's business requirements for information security.

4 Information security management system

4.1 General requirements

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces. This International Standard applies the PDCA model shown in Figure 1.

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

The organization shall do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope.

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

2) takes into account business and legal or regulatory requirements, and contractual security obligations;

3) is aligned with the organization's strategy and risk management, within which the ISMS is established and maintained;

4) establishes criteria against which risk will be evaluated (see 4.2.1 c));

5) has been approved by management.

NOTE: For the purposes of this International Standard, the ISMS policy is considered to contain the information security policy. These policies can be described in one document.

c) Define the risk assessment approach of the organization.

1) Identify a risk assessment methodology that is suited to the ISMS and to the identified information security, legal and regulatory requirements.

2) Develop criteria for accepting risks and identify the acceptable levels of risk (see 5.1 f)).

The risk assessment methodology selected shall ensure that risk assessments produce reproducible and comparable results.

NOTE: There are many different methodologies for risk assessment. Examples of risk assessment methodologies are discussed in detail in ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT Security - Techniques for the management of IT Security.

d) Identify the risks.

1) Identify the assets within the scope of the ISMS, and the owners of these assets.

2) Identify the threats to those assets.

3) Identify the vulnerabilities that might be exploited by the threats.

4) Identify, with regard to losses of confidentiality, integrity and availability of the assets, the
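The Clause 3 vocabulary (risk analysis, risk evaluation, risk treatment, residual risk, risk acceptance) and the identification steps of 4.2.1 c) and d) can be written down as a small, reproducible risk register. The block below is an added illustration, not text or code from the standard; the 1 to 5 likelihood and impact scale, the acceptance threshold and the sample register entry are constructed assumptions.

```python
"""Toy risk register built from the Clause 3 terms and the 4.2.1 c)-d) steps.
Added example, not part of the standard. The 1-5 likelihood and impact
scale, the acceptance criterion and the sample entry are constructed."""
from dataclasses import dataclass, replace

# Risk acceptance criterion (4.2.1 c) 2)): an estimated risk at or below
# this level is acceptable. Constructed assumption.
ACCEPTABLE_RISK_LEVEL = 6


@dataclass(frozen=True)
class Risk:
    asset: str            # 4.2.1 d) 1): asset within the ISMS scope
    owner: str            # 4.2.1 d) 1): accountable owner of the asset
    threat: str           # 4.2.1 d) 2): threat to the asset
    vulnerability: str    # 4.2.1 d) 3): vulnerability the threat could exploit
    likelihood: int       # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int           # 1 (negligible) .. 5 (severe), constructed scale
    controls: tuple = ()  # controls applied so far (3.15: control == measure)

    def estimate(self) -> int:
        """Risk analysis (3.11). A fixed formula keeps results reproducible
        and comparable across assessments, as 4.2.1 c) requires."""
        return self.likelihood * self.impact


def evaluate(risk: Risk, criterion: int = ACCEPTABLE_RISK_LEVEL) -> bool:
    """Risk evaluation (3.13): compare the estimated risk against the criterion."""
    return risk.estimate() <= criterion


def treat(risk: Risk, control: str, likelihood_cut: int = 0, impact_cut: int = 0) -> Risk:
    """Risk treatment (3.15): apply a control that modifies the risk.
    The returned object is the residual risk (3.9); scores never drop below 1."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_cut),
                   impact=max(1, risk.impact - impact_cut),
                   controls=risk.controls + (control,))


def decide(risk: Risk) -> dict:
    """Risk acceptance (3.10) is an explicit decision by an accountable person
    (1.2). The owner accepts only if evaluation passes; otherwise treat further."""
    ok = evaluate(risk)
    return {"asset": risk.asset, "residual_risk": risk.estimate(),
            "decision": "accepted" if ok else "treat further",
            "accepted_by": risk.owner if ok else None}


# Constructed sample entry, not taken from the standard.
SAMPLE = Risk("customer database", "Head of Sales", "disclosure to an unauthorized party",
              "backup media stored unencrypted", likelihood=4, impact=5)
# One treatment step: encrypting the backups lowers likelihood, not impact.
TREATED = treat(SAMPLE, "encrypt backup media", likelihood_cut=3)
```

Running `decide(SAMPLE)` yields "treat further" (estimate 20), while `decide(TREATED)` records acceptance by the asset owner at a residual risk of 5.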