Implementation of the ISO 27001 Standard (original title: Implementação da Norma ISO 27001)

World leader in Risk Management and Compliance solutions. Create value and minimize your risks through our on-demand management systems.
RealISO Corp., 626 Glenn Curtiss, Uniondale, NY 11556, USA

Part One: Informative Aspects

Guide Objectives:
» General view of Information Security
» Focus on security management
» Understanding an ISMS
» Understanding Risk Analysis
» Study of Information Security management processes

Modus Operandi

General aspects of Information Security

What does Information Security mean?
» Foreign hackers capturing credit card (CC) numbers
» Large corporation websites being defaced for political reasons
» Virus attacks that render large corporations inactive
» Digital spies capturing and selling information on competitors and huge databases
» Young people breaking into systems without knowing the true value of the information

What does Information Security mean? The list above is the old-fashioned view!!!

Decision-Taking
» Control, information, decision-making
» A good decision depends on the quality of information

Information Security: far beyond the firewall!
» Security does not depend upon IT alone
» Assuring security does not mean simply ensuring information secrecy
» Proper decisions depend on accurate information
» Security may generate perceivable value

What is information?
» On paper: memos, standards, formulas, designs, strategies.
» On digital media: disks, tapes, CDs, transmitted files.
» Sound: meeting recordings, messages left on telephone switchboards, cell phone mailboxes.
» Image: document photos, identification photos, facilities photos, videotapes, digital videos.

Resources
» Processing: ability to handle information and generate results
» Storage: ability to store information. Must not change the information
» Communication: ability to transmit information. Must not change the transmitted information

Last Paradigm: Responsibility
» Due Diligence: shows that the company is carrying out security activities on a steady basis.
» Due Care: development of information security policies, risk analysis, and an ISMS. Shows that Management has taken the required decisions and actions to protect the company.
» Warning: not carrying out "Due Diligence" and "Due Care" may characterize administrative negligence.

Basic Principles
» Confidentiality: information that may not be made available or disclosed to people, entities or processes without permission. A concept to ensure that sensitive, confidential information is limited to an appropriate group of individuals or organizations.
» Integrity: the condition by which information or information resources are protected from unauthorized changes. Information accuracy and completeness.
» Availability: information is to be delivered to the right people, when needed.

ISO 27001 Framework and Implementation

What is ISO 27001?
» A standard with the requirements for a company to implement an information security management system
» It originated from BS 7799, created by BSI (British Standards Institution)
» Business process-oriented, not technology infrastructure-oriented
» Based on the PDCA (Plan-Do-Check-Act) management cycle
» Determines that a company must have an ISMS (Information Security Management System)
» May be applied to any type of company
» Enables a company to have its ISMS certified
» In line with the ISO 9000 and ISO 14000 standards

What ISO 27001 is NOT
» A technical standard
» A standard developed for the IT area
» A guide to best practices; for that, ISO 27002 is available
» A methodology for information security management

IS Management System: PDCA
» Understanding security requirements: assess business risks and requirements
» Implementing and operating controls: technological, physical, and administrative
» Monitoring and reviewing: system performance, indicators and objective metrics
» Improving on an ongoing basis: corrective and preventive actions

ISO 27001 Application

Why implement an ISMS?
» The system was developed with the aim of selecting and providing security controls that properly protect the company's information assets, increasing the confidence of customers and other concerned parties

Basic Requirements
» The following clauses may not be excluded from the scope:
» 4 – Information Security Management System
» 5 – Management Responsibility
» 6 – Internal ISMS Audits
» 7 – Management Review of the ISMS
» 8 – ISMS Improvement
(Clause numbering of ISO/IEC 27001:2005; the 2013 revision restructured the mandatory requirements into clauses 4 to 10 and no longer prescribes the PDCA wording.)

Information Security Management System
The Security Management System should:
» Follow the PDCA model
» Consider the business context and information risks
» Be business process-oriented
» Comply with the standard's requirements

Implementing the ISMS: Starting Point

System Scope
Which processes will my system act upon?
» The scope defines which information assets the system will act upon
» It is advisable to define the scope through a business process approach
» The scope definition should be clear and allow identification of the locations and assets involved

Information Security Policy

Management System guidelines
» The policy should reflect the company's philosophy with regard to its information security
» It should provide direction to all concerned parties
» It should consider business requirements and applicable regulatory requirements

Strategic Line-up
» What are the company's main strategies?
» How does information security relate to these strategies?
» What are the company's security objectives?

Risk Analysis

Security Requirements for a Company
» Information security risks
» Regulatory and contractual obligations
» The set of principles, objectives and business requirements needed for information processing

National and International Standards References
» ISO 13335-1 and ISO 13335-2 (since superseded by ISO/IEC 27005)
» ISO Guide 73 – Risk management vocabulary
» AS/NZS 4360 (since superseded by ISO 31000)

What are Risks?
» R
Document title: iso-27001
Link: https://www.777doc.com/doc-433357.html