Background to the ISO27001 Certification Standard: Background to the Information Security Management System Certification Standard
Published: 2016-05-17 23:48
Information is an important organizational asset and needs to be properly protected. However, with the rapid development of information technology, and especially the advent of the Internet and the introduction of online transactions, many information security problems have emerged: system outages, hacker intrusions, virus infections, web page defacement, loss of customer data, leakage of internal company information, and so on.
These have already had a serious impact on organizations' operations and management, on their survival, and even on national security. The losses caused by security problems are far greater than the book loss of the transactions themselves, and they fall into three categories: direct losses, indirect losses and legal losses:
· Direct losses: lost orders, reduced direct revenue, lost productivity;
· Indirect losses: recovery costs, damaged competitiveness, damage to brand and reputation, negative public impact, loss of future business opportunities, and effects on stock market value or political reputation;
· Legal losses: sanctions under laws and regulations, and the associated litigation or recourse claims.
Therefore, while enjoying the speed and convenience that modern information systems bring, how to adequately guard against the damage and leakage of information has become a problem that enterprises urgently need to solve.
As the saying goes, "three parts technology, seven parts management." Organizations today commonly use modern communication, computer and network technologies to build their information systems.
However, the top management of most organizations does not sufficiently recognize the seriousness of the threats facing their information assets. They lack a clear information security policy and a complete information security management regime, and the corresponding management measures are not in place: for example, posts for system operation, maintenance and development are not clearly defined, duties are not separated, and one person holds several roles at once.
These are all important causes of information security incidents. The lack of a systematic management approach is also an important problem.
Therefore, we need a systematic, holistically planned information security management system that, from the standpoint of preventive control, safeguards the security and normal operation of the organization's information systems and business.