ISO27001 certification: the relationship between ISO27001 and 27002. Published: 2016-05-17 23:58
The working relationship between ISO27001 and ISO27002 needs to be understood clearly, because ISO27001 depends on ISO27002 to a considerable degree; in practice, ISO27001 cannot be applied without it.
The reason for developing ISO 27002, the international standard for information security management, was originally described on the BSI website as follows:

Many organisations have expressed the need for a common standard of best practice for information security management. They want to be able to deploy information security controls that meet their own business needs as well as those of the other organisations with which they do business. These organisations see a need to share the benefits of common best practice at a genuinely international level, so as to ensure that they can protect their business processes and activities in a way that meets the needs of the business.

ISO 27002 does not itself provide a basis for international certification. Certification is possible only against BS 7799 Part 2 and, now, ISO 27001.
Correspondence between the two standards
Annex A of ISO27001:2005 lists the 133 controls of ISO17799:2005 (since renumbered as ISO27002), follows the same numbering system, and uses the same wording for the controls.

The introduction to ISO27001 states that the control objectives and controls are taken directly from ISO17799:2005 and are aligned with it.

ISO27001 requires that control objectives and controls be selected from Annex A to meet "the requirements identified by the risk assessment and risk treatment process".

ISO27002 also provides substantive guidance on how to implement specific controls. Any implementation of an ISO27001 ISMS will therefore need to obtain and study both standards, ISO27001 and ISO27002.

Although ISO27001 prescribes ISO27002 as the source of guidance for selecting and deploying controls, it does not restrict the organisation's choice of controls. The introduction goes on to say: "The control objectives and controls in this International Standard may not be exhaustive, and an organisation may need to consider and adopt additional control objectives and controls."