Work involved in the ISO27001 certification planning and preparation phase
Published: 2016-03-13 13:14
ISO27001 education and training
To strengthen the organization's information security awareness and make the basic requirements of an information security management system (ISMS) clear, training on the ISMS standard and related knowledge is essential; it is also one of the key factors in an organization managing information security well.
Drawing up the ISO27001 plan
Establishing and maintaining an information security management system is a complex systems-engineering effort that involves a large amount of work: training, risk assessment, document preparation, operation, audits, and corrective and preventive actions. To ensure the system is established smoothly, the organization should make overall arrangements, that is, draw up a practical work plan that defines the task objectives and division of responsibilities for each period, controls progress, and highlights priorities, for example by using a project schedule. Once the overall plan has been approved, detailed plans can be drawn up for specific work items, such as a document preparation plan. When drawing up plans, the organization should consider resource requirements, such as personnel, the training budget, office facilities, and the cost of engaging a consulting firm; if third-party certification of the system is sought, certification fees must also be taken into account. Top management should ensure that the human and financial resources needed to establish the system are provided.
Determining the information security policy and the scope of the ISMS
An information security policy consists of the rules and directives that guide how assets, including sensitive information, are managed, protected and distributed within an organization. The information security policy discussed here is the organization's overall policy: the organization should first formulate an information security policy that describes the importance of information security within the organization, states management's commitment, and sets out the organization's approach to managing information security, so as to provide management direction and support for the organization's information security.
Survey of the current state of information security and risk assessment
A survey of the organization's current information security management practices, together with a risk assessment, is the foundation and the key to establishing an ISMS. Risk assessment accounts for a large share of the workload across the whole process of establishing the system, and the quality of the risk assessment directly affects how appropriately security controls are selected. The organization should therefore assign a dedicated department to this foundational work. Risk assessment staff should understand the basic requirements of the standard, master the risk assessment method, and be familiar with the organization's business processes and information systems. Risk assessment requires the participation of management, IT and operations staff from different departments, and where necessary should draw on the support of information security experts. The results of the risk assessment should be confirmed.
Information security management system planning
After the current-state survey and risk assessment have been completed, the organization should, based on the general requirements of the established information security policy, the scope of the ISMS and the results of the risk assessment, define the information security organizational structure and responsibilities, select control objectives and controls, write a summary of the controls, and draw up a business continuity plan.