ISO27001标准中文版

1ISO/IEC27001:2005(E)ISO标准——IEC27001:2005信息安全管理体系——规范与使用指南ReferencenumberISO/IEC27001:2005(E)©ISO/IEC2005–Allrightsreserved2ISO/IEC27001:2005(E)0简介0.1总则本国际标准的目的是提供建立、实施、运作、监控、评审、维护和改进信息安全管理体系（ISMS）的模型。采用ISMS应是一个组织的战略决定。组织ISMS的设计和实施受业务需求和目标、安全需求、应用的过程及组织的规模、结构的影响。上述因素和他们的支持系统预计会随事件而变化。希望根据组织的需要去扩充ISMS的实施，如，简单的环境是用简单的ISMS解决方案。本国际标准可以用于内部、外部评估其符合性。0.2过程方法本国际标准鼓励采用过程的方法建立、实施、运作、监控、评审、维护和改进一个组织的ISMS的有效性。一个组织必须识别和管理许多活动使其有效地运行。通过利用资源和管理，将输入转换为输出的活动，可以被认为是一个过程。通常，一个过程的输出直接形成了下一个过程的输入。组织内过程体系的应用，连同这些过程的识别和相互作用及管理，可以称之这“过程的方法”。在本国际标准中，信息安全管理的过程方法鼓励用户强调以下方面的重要性：a)了解组织信息安全需求和建立信息安全策略和目标的需求；b)在组织的整体业务风险框架下，通过实施及运作控制措施管理组织的信息安全风险；c)监控和评审ISMS的执行和有效性；d)基于客观测量的持续改进。本国际标准采用了“计划-实施-检查-改进”（PDCA）模型去构架全部ISMS流程。图1显示ISMS如何输入相关方的信息安全需求和期望，经过必要的处理，产生满足需求和期望的产品信息安全输出，图1阐明与条款4、5、6、7、8相关。采用PDCA模型将影响OECD《信息系统和网络的安全治理》（2002）中陈述的原则，0Introduction0.1GeneralThisInternationalStandardhasbeenpreparedtoprovideamodelforestablishing,implementing,operating,monitoring,reviewing,maintainingandimprovinganInformationSecurityManagementSystem(ISMS).TheadoptionofanISMSshouldbeastrategicdecisionforanorganization.Thedesignandimplementationofanorganization’sISMSisinfluencedbytheirneedsandobjectives,securityrequirements,theprocessesemployedandthesizeandstructureoftheorganization.Theseandtheirsupportingsystemsareexpectedtochangeovertime.ItisexpectedthatanISMSimplementationwillbescaledinaccordancewiththeneedsoftheorganization,e.g.asimplesituationrequiresasimpleISMSsolution.ThisInternationalStandardcanbeusedinordertoassessconformancebyinterestedinternalandexternalparties.0.2ProcessapproachThisInternationalStandardadoptsaprocessapproachforestablishing,implementing,operating,monitoring,reviewing,maintainingandimprovinganorganization'sISMS.Anorganizationneedstoidentifyandmanagemanyactivitiesinordertofunctioneffectively.Anyactivityusingresourcesandmanagedinordertoenablethetransformationofinputsintooutputscanbeconsideredtobeaprocess.Oftentheoutputfromoneprocessdirectlyformstheinputtothenextprocess.Theapplicationofasystemofprocesseswithinanorganization,togetherwiththeidentificationandinteractionsoftheseprocesses,andtheirmanagement,canbereferredtoasa“processapproach”.TheprocessapproachforinformationsecuritymanagementpresentedinthisInternationalStandardencouragesitsuserstoemphasizetheimportanceof:a)understandinganorganization’sinformationsecurityrequirementsandtheneedtoestablishpolicyandobjectivesforinformationsecurity;b)implementingandoperatingcontrolstomanageanorganization'sinformationsecurityrisksinthecontextoftheorganization’soverallbusinessrisks;c)monitoringandreviewingtheperformanceandeffectivenessoftheISMS;andd)continualimprovementbasedonobjectivemeasurement.ThisInternationalStandardadoptsthePlan-Do-Check-Act(PDCA)model,whichisappliedtostructureallISMSprocesses.Figure1illustrateshowanISMStakesasinputtheinformationsecurityrequirementsandexpectationsoftheinterestedpartiesandthroughthenecessaryactionsandprocessesproducesinformationsecurityoutcomesthatmeetsthoserequirementsandexpectations.Figure1alsoillustratesthelinksintheprocessespresentedinClauses4,5,6,7and8.TheadoptionofthePDCAmodelwillalsoreflecttheprinciplesassetoutinthe©ISO/IEC2005–Allrightsreserved3ISO/IEC27001:2005(E)本国际标准提供一个健壮的模型去实施指南中的控制风险评估、安全设计和实施、安全管理和再评估的原则。例1要求可以是违背信息安全不会给组织带来严重经济损失或干扰。例2期望可以是指假设发生了严重的事件--可能是组织的电子商务网站遭受了黑客攻击—那么就必须有训练有素的人员通过适当的程序尽量减少其影响。OECDGuidelines(2002)1)governingthesecurityofinformationsystemsandnetworks.ThisInternationalStandardprovidesarobustmodelforimplementingtheprinciplesinthoseguidelinesgoverningriskassessment,securitydesignandimplementation,securitymanagementandreassessment.EXAMPLE1Arequirementmightbethatbreachesofinformationsecuritywillnotcauseseriousfinancialdamagetoanorganizationand/orcauseembarrassmenttotheorganization.EXAMPLE2Anexpectationmightbethatifaseriousincidentoccurs—perhapshackingofanorganization’seBusinesswebsite—thereshouldbepeoplewithsufficienttraininginappropriateprocedurestominimizetheimpact.0.3与其他管理系统的兼容性为了增强一致性，并与相关的管理标准整合实施和运作，本国际标准与BSENISO9001：2000和BSENISO14001：2004相互协调。一个设计合理的管理系统能够满足所有标准的需求。表C.1展示了本国际标准与ISO9001：2000和ISO14001：2004之间的关系。本国际标准设计上就考虑把ISMS与其他相关的管理系统进行整合；0.3CompatibilitywithothermanagementsystemsThisInternationalStandardisalignedwithISO9001:2000andISO14001:2004inordertosupportconsistentandintegratedimplementationandoperationwithrelatedmanagementstandards.Onesuitablydesignedmanagementsystemcanthussatisfytherequirementsofallthesestandards.TableC.1illustratestherelationshipbetweentheclausesofthisInternationalStandard,ISO9001:2000andISO14001:2004.ThisInternationalStandardisdesignedtoenableanorganizationtoalignorintegrateitsISMSwithrelatedmanagementsystemrequirements.©ISO/IEC2005–Allrightsreserved4ISO/IEC27001:2005(E)Plan(establishtheISMS)EstablishISMSpolicy,objectives,processesandproceduresrelevanttomanagingriskandimprovinginformationsecuritytodeliverresultsinaccordancewithanorganization’soverallpoliciesandobjectives.Do(implementandoperatetheISMS)ImplementandoperatetheISMSpolicy,controls,processesandprocedures.Check(monitorandreviewtheISMS)A