ISO/IEC 27001, the practical rules for information security management, was formerly known as the British standard BS 7799, proposed by the British Standards Institution (BSI) in February 1995 and revised in May 1995. BSI revised the standard again in 1999. BS 7799 is divided into two parts:
BS 7799-1, implementation rules for information security management
BS 7799-2, information security management system specification.
The first part gives suggestions on information security management to the personnel responsible for initiating, implementing or maintaining security in their organization; the second part describes the requirements for establishing, implementing and documenting an information security management system (ISMS), and specifies requirements for implementing security controls according to the needs of the individual organization.
In 2000, ISO adopted ISO 17799 on the basis of BS 7799-1. BS 7799-2 was also revised by BSI in 2002. ISO revised ISO 17799 again in 2005, and BS 7799-2 was adopted as ISO 27001:2005 in the same year.
How to build an ISO 27001-certified information security management system
The construction of an ISO 27001 certification system is divided into four stages: conducting a security risk assessment, planning the system construction program, establishing the information security management system, and operating and improving the system. This follows the PDCA (plan-do-check-act) model and the information security management cycle required by ISO 27001, that is, effectively protecting the security of the enterprise information system and ensuring the sustainable development of information security.
1. Establish the scope
The first step is to establish the scope of the project, dividing it along two dimensions: the organizational level and the system level. At the organizational level, the internal organizations considered need to cover all departments of the company, including headquarters, business units, the manufacturing headquarters, the technology headquarters, etc.; the external organizations are those connected to the company's information system, including suppliers, intermediary business partners and other partners.
At the system level, the scope is divided as follows:
Physical environment: the premises that house the information system, their surroundings, and the facilities that keep the computer systems running normally, including the machine-room environment, access control, monitoring, etc.;
Network system: the line media, equipment and software that make up the network transmission environment of the information system;
Server platform system: the software platform comprising servers, network equipment, clients and their operating systems, databases, middleware and the web systems that support all information systems;
Application systems: the application systems that support business, office and management applications;
Data: the data transmitted and stored throughout the information system;
Security management: including security policies, rules and regulations, personnel organization, development security, project security management, and the security compliance and security audit of system management personnel in daily operation and maintenance.
2. Security risk assessment
Enterprise information security means ensuring that enterprise business systems are not illegally accessed, used or tampered with, providing secure and reliable services to the enterprise's employees, and guaranteeing the availability, integrity and confidentiality of the information system.
This security assessment mainly covers two aspects:
2.1 Evaluation of enterprise security management
Through a survey of the enterprise's security control status, interviews, document review and comparison with ISO 27001 best practice, combined with industry experience, a gap analysis identifies the enterprise's weaknesses at the security control level and so provides a basis for the choice of security measures.
The evaluation covers the 11 areas of the information security management system addressed by ISO 27001: information security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, security incident management, business continuity management, and compliance.
2.2 Assessment of enterprise security technology
Based on the classified security level of the assets, security scanning of information equipment and review of security equipment configuration are used to inspect and analyze the security status and weaknesses of the existing network equipment, server systems, terminals and network security architecture, providing a basis for security hardening.
Security assessments are also conducted for key applications that are representative of the enterprise, using penetration testing as the evaluation method. The application assessment identifies the threats to and weaknesses of the application system, and analyzes the gap between these and the application's security objectives, providing a basis for later remediation.
A security assessment needs a methodology. We take ISO 27001 as the core, draw on the strengths of several commonly used international evaluation models, and combine them with the characteristics of the enterprise to establish a risk assessment model:
The risk assessment model mainly comprises information assets, weaknesses, threats and risks. Each element has its own attributes: the attribute of an information asset is the asset's value; the attributes of a weakness are the gap in the existing control measures, the likelihood that a threat can exploit it under the current protection, and the impact on the asset once it is exploited; the attributes of a threat are the likelihood of its occurrence and the severity of its harm; and the attribute of a risk is its level, from high to low. The risk assessment adopts a qualitative method, with values assigned on a graded scale.
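As an added illustration of the qualitative model just described (this is example code written for this page, not the assessment model of any particular organization), the elements and their attributes are graded on a three-level scale and combined into a risk level. The scale, the combination rules and the thresholds are assumptions chosen for the illustration; the sample asset, weakness and threat are constructed.

```python
from dataclasses import dataclass

# Assumed qualitative scale for every attribute: 1 = low, 2 = medium, 3 = high.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Asset:
    name: str
    value: int               # attribute of an information asset: its value


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # how likely the threat is to occur
    severity: int            # how much harm it causes if it occurs


@dataclass(frozen=True)
class Weakness:
    name: str
    control_gap: str         # the gap in the existing control measures
    exploit_likelihood: int  # likelihood a threat can exploit it as protected today
    impact: int              # impact on the asset once it is exploited


def risk_score(asset: Asset, weakness: Weakness, threat: Threat) -> int:
    """Combine the graded attributes into a score from 1 to 27 (assumed rule)."""
    # A risk materialises only if the threat occurs AND the weakness is
    # exploitable, so the likelihood is bounded by the smaller grade.
    likelihood = min(threat.likelihood, weakness.exploit_likelihood)
    # The consequence is the worse of the weakness impact and the threat severity.
    consequence = max(weakness.impact, threat.severity)
    return asset.value * likelihood * consequence


def risk_level(score: int) -> str:
    """Map the score onto a graded risk level (thresholds are assumed)."""
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assess(asset: Asset, weakness: Weakness, threat: Threat) -> tuple[int, str]:
    score = risk_score(asset, weakness, threat)
    return score, risk_level(score)


if __name__ == "__main__":
    # Constructed sample: a high-value database reachable with a default password.
    db = Asset("customer database", HIGH)
    weak = Weakness("default admin password", "no password policy enforced", HIGH, HIGH)
    threat = Threat("credential guessing from the internet", HIGH, MEDIUM)
    print(assess(db, weak, threat))  # (27, 'high')
```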
3. Planning the system construction program
The root causes of enterprise information security problems lie in technology, personnel, management and so on. Only by planning and establishing the enterprise information security system as a whole, and finally implementing both management measures and technical measures, can information security be ensured.
On the basis of the risk assessment, the planning phase puts forward security recommendations for the security risks identified in the enterprise, to enhance the security of the system and resist attacks.
In the next 1-2 years, through the establishment and implementation of the information security system, the founding of security organizations, technical security audits, the transformation of internal and external network isolation and the deployment of security products, the enterprise achieves a process-oriented transformation. In the next 3-5 years, through the improvement of the information security system, the corresponding transformation of the physical environment and the construction of business continuity projects, the enterprise is built into an advanced enterprise that focuses on management and prevention.
4. Construction of the enterprise information security system
The enterprise information security system is built on the information security model and on the enterprise's informatization. Establishing the information security management system as the core better brings into play six capabilities: warning, protection, detection, response, recovery and counter-attack.
The construction of the security system involves, first, the construction and improvement of the security management system and, second, information security technology. First, the security management system covers the general security policy, the security technology policy and the security management policy of the enterprise information system. The general security policy covers the security organization, the security management system, personnel security management, and security operation and maintenance. The security technology policy covers the division of information domains, the security level of business applications, the security protection concept and theory, and further requirements for unified management, system classification, network interconnection, disaster recovery backup and centralized monitoring.
Second, information security technology can be divided by information system layer into physical security technology, network security technology, system security technology, application security technology and the security infrastructure platform. By the functions it provides, it can be divided into three categories: prevention and protection, detection and tracking, and response and recovery.
Basic requirements for applying for ISO 27001 certification:
1. A Chinese enterprise holds a business license of enterprise legal person, a production license or equivalent documents issued by the administrative department for industry and commerce; a foreign enterprise holds the certificate of registration of the relevant institution.
2. The applicant's information security management system has been established in accordance with the requirements of ISO/IEC 27001:2005 and has been in operation for more than 3 months.
3. At least one internal audit has been completed and a management review has been conducted.
4. During the operation of the information security management system, and within one year before its establishment, the applicant has not been subject to administrative punishment by the competent authorities in relation to information security.
Documents and materials to be submitted for ISO 27001 certification:
1. The organization's legal documents, such as copies of the business license and annual inspection certificate (with official seal);
2. Copies of the organization code certificate and tax registration certificate (with official seal);
3. Evidence of the effective operation of the information security management system of the organization applying for certification (such as copies of the system document release control table and time-stamped records);
4. Introduction of the applicant organization:
4.1 Organization profile (about 1000 words);
4.2 Main business processes of the applicant organization;
4.3 Organization chart or description of functions;
5. The applicant organization's system documents, which shall include but not be limited to:
5.1 Information security management system (ISMS) policy document;
5.2 Risk assessment procedures;
5.3 Statement of applicability;
5.4 Risk treatment procedures;
5.5 Document control procedures;
5.6 Record control procedures;
5.7 Internal audit procedures;
5.8 Management review procedures;
5.9 Procedures for corrective and preventive measures;
5.10 Procedures for measuring the effectiveness of control measures;
5.11 Functional role distribution table;
5.12 Document structure and list of the entire system.
6. A comparison of the applicant organization's system documents against the documents required by GB/T 22080-2008 / ISO/IEC 27001:2005;
7. Internal audit and management review documentation;
8. Declaration of the confidentiality or sensitivity of the organization's records;
9. Other supplementary materials required by the certification body.