ISO 27001

For a variety of reasons, ISO certification is increasingly being considered by US-based organizations seeking to demonstrate their information security acumen to customers and business partners. In most cases, these organizations have already achieved one or more certifications and/or attestations and are simply looking to further bolster their organizational credentials and satisfy any inquiring third parties. While commendable, the effort can be hindered by thinking that ISO is just one more security framework against which existing policies, procedures, and controls can be applied. The simple truth is that if you think success in other compliance endeavors provides some assurance of ISO certification, you need to think again.

For any organization considering ISO certification, LBMC is here to answer common questions, dispel common misconceptions, and, most importantly, provide readers with valuable information to start a successful journey toward ISO certification.

What is ISO 27001?

The International Standards Organization is an independent body with the objective of publishing standards for any organization, regardless of industry, to follow. As defined on their website, standards are "a formula that describes the best way of doing something." These include quality and environmental management standards, health and safety standards, food safety standards and, of course, information security standards. Standards are published in numbered series and each series contains multiple individual documents that pertain to some aspect of the subject matter. In most cases, the "01" document in each series (e.g. 9001, 14001, 27001) is the standard against which an organization can be certified. All other documents in the series are supporting documents for the certification standard.

The ISO 27000 series is the established series for information security management systems. A management system is the policies, procedures, and resources used to protect the confidentiality, integrity, and availability of information. The 27001 standard, ISO/IEC 27001:2013 at the time of writing, is the standard against which an organization can be certified. This ISO certification demonstrates to interested parties an organization's dedication to effectively managing risk and the security of critical information systems.

Incidentally, the IEC in the document title refers to the International Electrotechnical Commission, a similar standards organization that contributes to ISO standards involving technical activities.

Why is ISO 27001 important?

While US-based organizations are subject to a number of industry and regulatory frameworks that guide cybersecurity and compliance efforts, ISO 27001 is the de facto information security standard outside the United States. For organizations with customers and other business relationships outside the US, ISO certification is commonly expected to demonstrate an organization's commitment to effective risk management and information security. The core of the ISO standard is the establishment of a formal management structure around the ISMS to ensure its continual effectiveness. This effectiveness must be demonstrated to earn and maintain certification. ISO is not a "checkbox security" framework.

Organizations frequently leverage the Information Security Management System established for ISO certification to manage other compliance initiatives such as SOC, PCI, and HITRUST. For example, while conducting the annual ISO internal audit, they take the opportunity to validate whether controls are still meeting the requirements of other compliance standards. Then, as part of the ISO certification management review process, they use the opportunity to review their other compliance programs for changes in scope, changes in the risk or threat environment, and any relevant internal audit findings. For security managers seeking senior management approval to pursue ISO certification, this is an effective tool to justify the resources needed to establish and maintain an ISO compliance program.

What are the requirements of ISO 27001?

ISO standards documents follow a common format in which the content is divided into numbered clauses. The clauses establish the scope of a given standard, provide references to other supporting or related standards, define the terms and definitions used in the standard, and establish the requirements or expectations of the standard. Standards often include annexes or appendices providing supporting guidelines for requirements and expectations contained in the preceding clauses.

The ISO 27001 standard consists of 26 clauses and 114 control requirements. The clauses establish the foundational elements of the information security management system (ISMS) that the organization must have in place to manage risk and secure information. These requirements are unique to the ISO 27001 standard. Unlike other information security compliance frameworks, the clauses establish requirements for the ongoing direction and oversight of the ISMS. These include activities such as organizational risk assessment and treatment analysis, regular management review of the ISMS, an annual internal audit of the ISMS, and ongoing monitoring and measurement of the effectiveness of security controls.

The latter half of the standard, titled Annex A, consists of the ISO 27001 control requirements. The control requirements will be more familiar to information security practitioners in that they are the tactical requirements to be utilized by the organization to treat security risks and threats. These include access and authentication, logging, encryption, incident response, and other control categories that organizations implement as part of their various security and compliance initiatives. Unlike some cybersecurity frameworks, the ISO control requirements are not prescriptive. In other words, ISO 27001 does not establish minimum password settings, log retention periods, or encryption key lengths. Instead, ISO establishes controls that must be considered by the organization. The organization then determines which controls are applicable to the environment and sufficiently treat the identified risks. The auditor's role, therefore, is to determine whether the controls are implemented as defined and whether they sufficiently address the risks for which they are implemented.

Is ISO 27001 a legal requirement?

ISO 27001 itself is not a legal requirement. Organizations may, however, establish contractual obligations for earning and/or maintaining ISO 27001 certification as part of their business relationships. ISO 27001 certification may also be utilized and/or accepted by organizations as a means to demonstrate adherence to industry and regulatory information security requirements.

What are the three aspects of information that ISO 27001 focuses on?

While an organization's ISMS addresses the security of multiple aspects of the organization's hardware, software, and data assets, the ISO 27001 standard focuses on the confidentiality, integrity, and availability of information.

  1. Confidentiality is the protection of information from unauthorized access.
  2. Integrity is the protection of information from unauthorized modification.
  3. Availability is the assurance that information is accessible when it is needed.

The end result of achieving ISO 27001 certification is the organization's assurance to its customers, business partners, and other interested parties that information for which the organization is responsible is at minimal risk of compromise.

What is the current ISO 27001 standard?

ISO/IEC 27001:2013 is one of many standards and supporting documents in the 27000 series for Information Security Management Systems. While there are several related guidelines and supporting documents in the 27000 series, 27001 is currently the only standard in the series against which an organization can be certified.

How do you get ISO 27001 certified?

The organization must be audited by an independent third party. Any auditor can issue a certification, but it is recommended to engage an auditor accredited as an ISO 27001 Certifying Body to perform the audit. Accredited Certifying Bodies are themselves subject to regular independent audits to validate that they are reputable, competent, and trustworthy. This provides assurance to the organization, and to anyone interested, that the audit was conducted, and the certificate issued, in accordance with all relevant ISO standards.

To successfully pass the initial ISO 27001 certification audit, an organization must demonstrate that its ISMS is fully implemented and effective. To do this, the organization will need to have implemented all requirements established in the ISO 27001 clauses and Annex A controls. To demonstrate this effectiveness, ISO auditors typically look for a complete iteration of the PDCA (Plan-Do-Check-Act) cycle. For mature organizations that already have ISMS components and controls established, preparing for initial certification may take only four to six months. For others, a minimum of one year may be necessary to establish the ISMS and associated controls to be ready for their initial certification audit.

Because of the significant effort required to prepare for the initial audit, many organizations engage a third party to assist in establishing their ISMS. Third parties may simply oversee and provide guidance while the organization implements their ISMS, or they may be involved in all or part of the work. Regardless of how involved they are, third parties that provide implementation assistance should not, according to some certification bodies, also perform the organization's certification audit. This helps avoid a conflict of interest between the implementing and auditing entities.


Brian Willis, CISSP, CCSK, PCI QSA, ISO 27001 Senior Lead Auditor, is a Senior Manager with LBMC Cybersecurity, PC. He can be reached at brian.willis@LBMC.com or (615) 309-2607.